z/OS Security Server RACF Security Administrator's Guide


Example of authorizing superuser privileges

SA23-2289-00

The following procedure applies to all superuser privileges except the one associated with the CHOWN.UNRESTRICTED resource (see Using the CHOWN.UNRESTRICTED profile). As an example, these are the steps to authorize selected users to transfer ownership of any file.
  1. Define a profile in the UNIXPRIV class to protect the resource called SUPERUSER.FILESYS.CHOWN. For example:
    RDEFINE UNIXPRIV SUPERUSER.FILESYS.CHOWN UACC(NONE)
    Note: Generic profile names are generally permitted for resources in the UNIXPRIV class, though there are certain exceptions such as the CHOWN.UNRESTRICTED resource. Such exceptions are documented in their own sections. If you want to authorize all file-system privileges, you can use generics and define a profile called SUPERUSER.FILESYS.**.
  2. Authorize selected users or groups as appropriate:
    PERMIT SUPERUSER.FILESYS.CHOWN CLASS(UNIXPRIV)
           ID(appropriate-groups-and-users) ACCESS(READ)
  3. Activate the UNIXPRIV class, if it is not currently active at your installation:
    SETROPTS CLASSACT(UNIXPRIV)
    Note: If you do not activate the UNIXPRIV class and activate SETROPTS RACLIST processing for the UNIXPRIV class, only superusers will be allowed to transfer ownership of any file.
  4. You must activate SETROPTS RACLIST processing for the UNIXPRIV class, if it is not already active. For a complete description of this function, see SETROPTS RACLIST processing.
    SETROPTS RACLIST(UNIXPRIV)
    Note: If SETROPTS RACLIST processing is already in effect for the UNIXPRIV class, you must refresh SETROPTS RACLIST processing in order for new or changed profiles in the UNIXPRIV class to take effect.
    SETROPTS RACLIST(UNIXPRIV) REFRESH
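The four steps above interact in a way that is easy to get wrong in practice: a profile that exists in the RACF database has no effect until the class is active and RACLISTed, and once RACLISTed, later RDEFINE or PERMIT changes stay invisible until a REFRESH. The following is an added example, not RACF code and not part of this page: a small in-memory Python model of that behaviour. The users ROOT, ALICE and BOB, the groups SYSADM and DEV, and the simplified generic-matching and access-list rules are constructed assumptions for illustration; the real RACF authorization algorithm has many more rules than are modelled here.

```python
"""Simplified model of the UNIXPRIV authorization steps on this page.

Added, constructed example (not RACF code). It models RDEFINE, PERMIT,
SETROPTS CLASSACT, SETROPTS RACLIST [REFRESH], generic names such as
SUPERUSER.FILESYS.**, and the rule that a UID 0 superuser always passes.
Everything else in RACF's real algorithm (OPERATIONS, conditional access,
exact generic precedence, ...) is deliberately left out.
"""
import copy
import re
from dataclasses import dataclass, field

ACCESS_LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    access_list: dict = field(default_factory=dict)  # user or group -> access level


@dataclass
class User:
    userid: str
    uid: int          # z/OS UNIX UID; 0 means superuser
    groups: tuple = ()


def generic_to_regex(profile):
    """Simplified generic rules (assumption, a subset of RACF's):
    **  any characters including periods (zero or more qualifiers)
    *   any characters within one qualifier      %  one non-period character
    """
    out, i = [], 0
    while i < len(profile):
        if profile.startswith("**", i):
            out.append(".*"); i += 2
        elif profile[i] in "*%":
            out.append("[^.]*" if profile[i] == "*" else "[^.]"); i += 1
        else:
            out.append(re.escape(profile[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def profile_covers(profile, resource):
    return generic_to_regex(profile).match(resource) is not None


class RacfModel:
    def __init__(self):
        self.db = {}               # UNIXPRIV profiles in the "RACF database"
        self.class_active = False  # SETROPTS CLASSACT(UNIXPRIV)
        self.raclisted = None      # in-storage copy built by SETROPTS RACLIST(UNIXPRIV)

    def rdefine(self, name, uacc="NONE"):        # RDEFINE UNIXPRIV name UACC(uacc)
        self.db[name] = Profile(name, uacc)

    def permit(self, name, ids, access):         # PERMIT name CLASS(UNIXPRIV) ID(...) ACCESS(...)
        for i in ids:
            self.db[name].access_list[i] = access

    def setropts_classact(self):                 # SETROPTS CLASSACT(UNIXPRIV)
        self.class_active = True

    def setropts_raclist(self, refresh=False):   # SETROPTS RACLIST(UNIXPRIV) [REFRESH]
        # RACLIST snapshots the database; later changes are unseen until REFRESH.
        if self.raclisted is None or refresh:
            self.raclisted = copy.deepcopy(self.db)

    def _best_profile(self, resource):
        # Discrete profile wins; otherwise the longest covering generic (simplification).
        if resource in self.raclisted:
            return self.raclisted[resource]
        hits = [p for n, p in self.raclisted.items() if profile_covers(n, resource)]
        return max(hits, key=lambda p: len(p.name), default=None)

    def _access_level(self, profile, user):
        # User entry first, then the highest group entry, then UACC (simplified).
        acl = profile.access_list
        if user.userid in acl:
            return ACCESS_LEVELS[acl[user.userid]]
        levels = [ACCESS_LEVELS[acl[g]] for g in user.groups if g in acl]
        return max(levels) if levels else ACCESS_LEVELS[profile.uacc]

    def can_chown_any_file(self, user):
        if user.uid == 0:
            return True   # superusers never need the UNIXPRIV profile
        if not self.class_active or self.raclisted is None:
            return False  # class inactive or not RACLISTed: only superusers qualify
        prof = self._best_profile("SUPERUSER.FILESYS.CHOWN")
        return prof is not None and self._access_level(prof, user) >= ACCESS_LEVELS["READ"]


def walkthrough():
    """Run the page's four steps on constructed users and record each outcome."""
    racf, root = RacfModel(), User("ROOT", 0)
    alice, bob = User("ALICE", 100, ("SYSADM",)), User("BOB", 200, ("DEV",))
    r = {"before": (racf.can_chown_any_file(root), racf.can_chown_any_file(alice))}
    racf.rdefine("SUPERUSER.FILESYS.CHOWN", "NONE")             # step 1
    racf.permit("SUPERUSER.FILESYS.CHOWN", ["SYSADM"], "READ")  # step 2
    racf.setropts_classact()                                    # step 3
    r["no_raclist"] = racf.can_chown_any_file(alice)            # still superusers only
    racf.setropts_raclist()                                     # step 4
    r["after_raclist"] = (racf.can_chown_any_file(alice), racf.can_chown_any_file(bob))
    racf.permit("SUPERUSER.FILESYS.CHOWN", ["DEV"], "READ")     # a later PERMIT ...
    r["stale"] = racf.can_chown_any_file(bob)                   # ... is not seen yet
    racf.setropts_raclist(refresh=True)                         # RACLIST(UNIXPRIV) REFRESH
    r["refreshed"] = racf.can_chown_any_file(bob)
    return r


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:>13}: {outcome}")
```

Running the walkthrough shows the two traps the notes on this page warn about: ALICE is denied after steps 1 to 3 even though her group is on the access list, and BOB stays denied after a later PERMIT until the in-storage copy is refreshed.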





Copyright IBM Corporation 1990, 2014