z/OS Security Server RACF Diagnosis Guide


Obtaining information about z/OS UNIX file and directory violations

GA32-0886-00

An error occurs when RACF® detects an attempt to specify a z/OS® UNIX function for which the user does not have authority. When an ICH408I message is issued, it contains a syscall-name which identifies the z/OS UNIX callable service that invoked RACF. In some cases, the message indicates that you do not have sufficient authority to perform the callable service because it requires superuser authority. Superuser authority is UID 0, or authority to an appropriate FACILITY class or UNIXPRIV class profile. In other cases, the message indicates that you do not have access to a file or a directory, and contains your access intent and allowed access.

This message indicates that you do not have permission to find the file pointed to by path name /u/myuser/path:

ICH408I USER(MYUSER  ) GROUP(MYGROUP ) NAME(ME)
/u/myuser/path  CL(DIRSRCH ) FID(01C7C3E6E5D4E400011E000000000)
INSUFFICIENT AUTHORITY TO LOOKUP
ACCESS INTENT(--X)  ACCESS ALLOWED(GROUP ---)
EFFECTIVE UID (0000000023) EFFECTIVE GID (0000000012)

The final line of the message indicates the UID and GID upon which RACF has based its decision. The first thing to verify is that the UID and GID are the expected values for the failing user ID. In some cases, the values may not correspond to the actual user ID that performed the function (identified within the message). For example, if you execute a set-uid file, which runs under the authority of the file owner, the UID displayed will be that of the file owner. In this case, it is the file owner, and not the end user, who lacks authority to the file or directory.

In the message, a syscall-name of LOOKUP or OPEN, a class name of DIRSRCH, and an access intent of X are all indicators that you do not have authority to a directory in the path name.
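The checks described above can be applied to captured message text. The following Python code is an added example, not part of the IBM guide: the function names are hypothetical, the field layout is assumed to match the sample message on this page, and the expected UID and GID are supplied by the caller.

```python
import re

# Constructed sample: the ICH408I message text shown on this page.
SAMPLE = """\
ICH408I USER(MYUSER  ) GROUP(MYGROUP ) NAME(ME)
/u/myuser/path  CL(DIRSRCH ) FID(01C7C3E6E5D4E400011E000000000)
INSUFFICIENT AUTHORITY TO LOOKUP
ACCESS INTENT(--X)  ACCESS ALLOWED(GROUP ---)
EFFECTIVE UID (0000000023) EFFECTIVE GID (0000000012)
"""

# Assumption: fields carry the keywords used in the sample above.
PATTERNS = {
    "user":    r"\bUSER\(\s*([^)]*?)\s*\)",
    "group":   r"\bGROUP\(\s*([^)]*?)\s*\)",
    "path":    r"^(\S.*?)\s+CL\(",
    "class":   r"\bCL\(\s*([^)]*?)\s*\)",
    "syscall": r"INSUFFICIENT AUTHORITY TO (\S+)",
    "intent":  r"ACCESS INTENT\(\s*([^)]*?)\s*\)",
    "allowed": r"ACCESS ALLOWED\(\s*([^)]*?)\s*\)",
    "uid":     r"EFFECTIVE UID\s*\((\d+)\)",
    "gid":     r"EFFECTIVE GID\s*\((\d+)\)",
}

def parse_ich408i(text):
    """Return the fields of one ICH408I message; absent fields are None."""
    msg = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        msg[name] = m.group(1) if m else None
    for key in ("uid", "gid"):
        if msg[key] is not None:
            msg[key] = int(msg[key])   # drop the zero padding
    return msg

def directory_indicators(msg):
    """List which of the three directory-authority indicators are present."""
    found = []
    if msg["syscall"] in ("LOOKUP", "OPEN"):
        found.append("syscall")
    if msg["class"] == "DIRSRCH":
        found.append("class")
    if msg["intent"] and "X" in msg["intent"].upper():
        found.append("intent")
    return found

def identity_mismatch(msg, expected_uid, expected_gid):
    """True when RACF decided on a UID/GID other than the expected one,
    as happens when a set-uid file runs under its owner's authority."""
    return (msg["uid"], msg["gid"]) != (expected_uid, expected_gid)
```

A message without the access lines, such as one reporting that superuser authority is required, parses with those fields set to None and yields fewer indicators.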

The file permission bits encode the following permissions:

r - Read permission
    Are you allowed to read the file/directory?
w - Write permission
    Are you allowed to write to the file/directory?
x - Execute permission
    Are you allowed to execute the file?
x - Lookup permission
    Are you allowed to traverse the directory?





Copyright IBM Corporation 1990, 2014