z/OS Security Server RACF Callable Services


RACF authorization

SA23-2293-00

  1. To change the mode, the user must be a superuser or must be the owner of the file. If the user can change the mode and the user is not a superuser, the S_ISGID bit is cleared, except when the owner z/OS UNIX group identifier (GID) of the file is equal to the effective GID or to one of the supplementary groups of the calling process.
  2. Only a superuser or directory/file owner can change the S_ISVTX bit.
  3. If the caller is neither a superuser nor the file owner, an authorization check is performed for READ access to the resource named SUPERUSER.FILESYS.CHANGEPERMS in the UNIXPRIV class. If the authorization check is successful, the caller is treated as a superuser.
  4. If the SECLABEL class is active and the file or directory has a security label, then the current security label of the process must be greater than or equal to the security label of the resource or the security label of the resource must be greater than or equal to the current security label of the process, that is, the security labels are not disjoint. If MLFSOBJ is active, a failure will occur if the resource does not have a security label. Security label checking is bypassed if the ACEE indicates trusted or privileged authority or if the service has passed a system CRED.
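
The four notes above combine into one decision, modeled here in Python as an added example (not IBM code and not a RACF interface). All class, field and function names are hypothetical; the model assumes a superuser is effective UID 0, that a security label is a level plus a category set, and that a process with no label fails the SECLABEL check.

```python
import stat
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Label:  # assumed simplification: security level plus category set
    level: int
    cats: frozenset = frozenset()
    def dominates(self, other):
        return self.level >= other.level and self.cats >= other.cats

@dataclass
class Caller:
    euid: int
    egid: int
    groups: tuple = ()                # supplementary GIDs
    changeperms_read: bool = False    # READ to SUPERUSER.FILESYS.CHANGEPERMS (UNIXPRIV)
    label: Optional[Label] = None
    trusted: bool = False             # ACEE trusted/privileged, or system CRED passed

@dataclass
class File:
    owner_uid: int
    owner_gid: int
    label: Optional[Label] = None

def chmod_decision(c, f, new_mode, seclabel_active=False, mlfsobj_active=False):
    """Return (allowed, mode actually set) for a requested mode change."""
    if not c.trusted:  # note 4: label checking is bypassed for trusted callers
        if f.label is None:
            if mlfsobj_active:
                return False, None
        elif seclabel_active and (c.label is None or not (
                c.label.dominates(f.label) or f.label.dominates(c.label))):
            return False, None        # labels are disjoint
    # Notes 1 and 3: a UNIXPRIV grant makes a non-owner count as superuser.
    is_owner = c.euid == f.owner_uid
    superuser = c.euid == 0 or (not is_owner and c.changeperms_read)
    if not (superuser or is_owner):   # this gate also covers S_ISVTX (note 2)
        return False, None
    # Note 1: a non-superuser outside the file's owning group loses S_ISGID.
    if not superuser and f.owner_gid != c.egid and f.owner_gid not in c.groups:
        new_mode &= ~stat.S_ISGID
    return True, new_mode
```

In this model a caller admitted only through the UNIXPRIV grant keeps S_ISGID on the file, because note 3 treats that caller as a superuser and the clearing rule in note 1 applies only to non-superusers.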





Copyright IBM Corporation 1990, 2014