FTP uses the resource profile EZB.FTP.sysname.ftpdaemonname.ACCESS.HFS
in the SAF SERVAUTH class to control access to the z/OS® UNIX file
system. If you do not control access to this profile, then all users
can access your z/OS UNIX file system.
Before you begin
If the FTP.DATA file for the server specifies STARTDIRECTORY
HFS and the user is not permitted to the SERVAUTH class profile, FTP
makes the TSO user ID the starting directory.
You must have the authority to issue the necessary RACF® commands.
The following procedure assumes that you are using RACF as your security product.
You can, however, use any SAF-compliant security product.
Procedure
Perform the following steps to control access to the z/OS UNIX file
system:
- Define the profile for the FTP user access to the z/OS UNIX file
system. The profile has the following form:
RDEFINE SERVAUTH EZB.FTP.sysname.ftpdaemonname.ACCESS.HFS
For example, the profile name for FTP daemon FTPD running on system MVSA
is the following name:
EZB.FTP.MVSA.FTPD1.ACCESS.HFS
Tip: The profile name can contain wildcard values as allowed
by the security product. All security-product rules (for example wildcards,
PROTECTALL, and so on) apply. For example, if all systems will use
the same access list and RACF generic
profile checking is active for the SERVAUTH class, you could use the
following profile name:
EZB.FTP.*.FTPD.ACCESS.HFS
- Permit the user IDs that require access to the z/OS UNIX file
system to the profile:
PERMIT EZB.FTP.sysname.ftpdaemonname.ACCESS.HFS CL(SERVAUTH) ID(ftpuser)
- Issue the following command to activate the RACF SERVAUTH class, if it is not already activated:
SETROPTS CLASSACT(SERVAUTH)
- Take one of the following actions:
Results
When you are finished, only the user IDs that are permitted to the
profile can access the z/OS UNIX file system.
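The procedure above as a batch TSO job for the example profile EZB.FTP.MVSA.FTPD1.ACCESS.HFS, ending with a listing to check the result. This is an added example, not part of the original documentation. The job card values, the user ID FTPUSR1, the explicit UACC(NONE), ACCESS(READ) (the PERMIT default) and the assumption that SERVAUTH is already RACLISTed are choices made here.

```jcl
//FTPHFS   JOB (ACCT),'FTP HFS ACCESS',CLASS=A,MSGCLASS=X
//* Constructed example: job card values and FTPUSR1 are placeholders.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Discrete profile for daemon FTPD1 on MVSA, no default access */
  RDEFINE SERVAUTH EZB.FTP.MVSA.FTPD1.ACCESS.HFS UACC(NONE)
  /* Permit one FTP user (hypothetical ID); READ is the default   */
  PERMIT EZB.FTP.MVSA.FTPD1.ACCESS.HFS CLASS(SERVAUTH) -
         ID(FTPUSR1) ACCESS(READ)
  /* Activate the class if it is not already active               */
  SETROPTS CLASSACT(SERVAUTH)
  /* Assumption: SERVAUTH is RACLISTed, so refresh in-storage copy */
  SETROPTS RACLIST(SERVAUTH) REFRESH
  /* Verify: UACC shows NONE and the access list shows FTPUSR1    */
  RLIST SERVAUTH EZB.FTP.MVSA.FTPD1.ACCESS.HFS AUTHUSER
/*
```

In the RLIST output, confirm that universal access is NONE and that the access list contains only the IDs you intended to permit.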