|
- To change the mode, the user must be a superuser or must be the
owner of the file. If the user can change the mode and the user is
not a superuser, the S_ISGID bit is cleared, except when the owner z/OS UNIX group identifier (GID) of the
file is equal to the effective GID or to one of the supplementary
groups of the calling process.
- Only a superuser or directory/file owner can change the S_ISVTX
bit.
- If the caller is not superuser, or the file owner, an authorization
check is performed for READ access to the resource named SUPERUSER.FILESYS.CHANGEPERMS
in the UNIXPRIV class. If the authorization check is successful,
the caller is treated as a superuser.
- If the SECLABEL class is active and the file or directory has
a security label, then the current security label of the process must
be greater than or equal to the security label of the resource or
the security label of the resource must be greater than or equal to
the current security label of the process, that is, the security labels
are not disjoint. If MLFSOBJ is active, a failure will occur if the
resource does not have a security label. Security label checking is
bypassed if the ACEE indicates trusted or privileged authority or
if the service has passed a system CRED.
|