Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Obtaining information about z/OS UNIX file and directory violations z/OS Security Server RACF Diagnosis Guide GA32-0886-00 |
|
An error occurs when RACF® detects an attempt to specify a z/OS® UNIX function for which the user does not have authority. When an ICH408I message is issued, it contains a syscall-name which identifies the z/OS UNIX callable service that invoked RACF. In some cases, the message indicates that you do not have sufficient authority to perform the callable service because it requires superuser authority. Superuser authority is UID 0, or authority to an appropriate FACILITY class or UNIXPRIV class profile. In other cases, the message indicates that you do not have access to a file or a directory, and contains your access intent and allowed access. This message indicates that you do not have permission to find
the file pointed to by path name /u/myuser/path:
The
final line of the message indicates the UID and GID upon which RACF has based its decision. The
first thing to verify is that the UID and GID are the expected values
for the failing user ID. In some cases, the values may not correspond
to the actual user ID which performed the function (identified within
the message). For example, if you execute a set-uid file, which runs
under the authority of the file owner, the UID displayed will be the
file owner. In this case, it is the file owner, and not the end user,
who lacks authority to the file or directory.In the message, a syscall-name of LOOKUP or OPEN, a class name of DIRSRCH, and an access intent of X are all indicators that you do not have authority to a directory in the path name. This lists the permissions encoded by the file permission bits:
|
Copyright IBM Corporation 1990, 2014
|