Secure HFS Functions

In addition to file access security, HFS functions can also be secured. These functions can be a system action, such as setting a ptrace or a job’s priority, or they can be file-related, such as changing the file mode or audit settings.
A system function is secured by a rule in the IBMFAC class, while a file-related function is secured by a combination of an IBMFAC class rule and a HFS file resource rule. By following this approach, changes to file attributes can be permitted at a global basis, or restricted to a particular file.
The resource name format for HFS IBMFAC rules is: BPX.CAHFS.function
Example: HFS function security
This example secures HFS functions:
TSS PER(USER01) IBMFAC(BPX.CAHFS.function) ACCESS(READ)
System Functions
To perform a system function, the user requires READ access to the corresponding IBMFAC:
  • BPX.CAHFS.CHANGE.PRIORITY
    Allows a user to change the scheduling priority of a process, process group, or user.
  • BPX.CAHFS.SET.PRIORITY
    Allows a user to set the scheduling priority of a process, process group, or user.
  • BPX.CAHFS.SET.RLIMIT
    Allows a user to set the resource limit for the calling process.
  • BPX.CAHFS.MOUNT
    Allows a user to mount file systems. For z/OS 1.13 and above, an additional check for the BPX.CAHFS.USERMOUNT resource occurs if the check for BPX.CAHFS.MOUNT fails.
  • BPX.CAHFS.USERMOUNT 
    Allows a nonprivileged user to mount a file system. If the check for BPX.CAHFS.MOUNT resource fails, BPX.CAHFS.USERMOUNT is checked. BPX.CAHFS.USERMOUNT differs from BPX.CAHFS.MOUNT support because with UNIX System Services extra criteria are required for the user to be able to mount the file system. These criteria include needing to mount on an empty directory, needing permission to the mount point directory and the file system being mounted, and others.
    For a complete list of these criteria, see IBM's z/OS UNIX System Services Planning.
    Because the user must own or have permission to the file system being mounted and the mount point directory, the following permits are required:
    • ALTER access to the HFSSEC class where the resource name represents the file system data set
    • ALTER access to the HFSSEC class where the resource name represents the mount point directory
    Example:
    mount -t zfs -f OMVS.HFS.BOBFILE -a unmount -s nosetuid /user/bob
    For user BOB to mount OMVS.HFS.BOBFILE at the mount point /user/bob using the above OMVS shell command, the following three permits are required:
    TSS PERMIT(BOB) IBMFAC(BPX.CAHFS.USERMOUNT) ACCESS(READ)
    TSS PERMIT(BOB) HFSSEC(OMVS.HFS.BOBFILE) ACCESS(ALTER)
    TSS PERMIT(BOB) HFSSEC(/USER.BOB) ACCESS(ALTER)
  • BPX.CAHFS.USERUNMOUNT
    Allows a nonprivileged user to unmount a file system. Otherwise, for UNIX System Services, nonprivileged users cannot unmount a file system that they did not mount.
  • BPX.CAHFS.PTRACE
    Allows a user to control and debug another process. Although the user need not be defined as a superuser to use this function, access to this resource does not give the user more authority than a superuser would have. If the user attempts to debug a program running with SETUID or SETGID (that is, a program that switches user identification), access to the function is denied.
  • BPX.CAHFS.CREATE.LINK
    Allows a user to create a hard link to an existing file. A hard link is essentially another name for the same file data. If the original file is removed, the hard link still points to the file data. The data is not deleted until the last link is removed. The user requires a permission with ACCESS(ALTER) to the HFS file resource for both the original file and the link file. When data associated with a hard link is accessed, the CA-ENF/USS service requests the file name from USS. Regardless of the actual path accessed, the file name that is returned may be the hard link name or the original file name. Therefore, when a hard link exists, you must maintain permissions for both the link name and the original name.
  • BPX.CAHFS.CREATE.EXTERNAL.LINK
    Allows a user to create an external link to an object outside of the file system, such as an MVS data set. An external link is a file that contains the name of an external object. If the external object is removed, the external link still contains the name of the nonexistent object.
  • BPX.CAHFS.CREATE.SYMBOLIC.LINK
    Allows a user to create a symbolic link to an existing file. A symbolic link is a file that contains the name of another file. If the original file is removed, the file data is deleted but the symbolic link still contains a pointer to the nonexistent file. Symbolic link names are validated when the link is created and deleted. All other accesses are validated with the original file name. In addition to this resource, the user must also have a PERMIT with ACCESS(ALTER) to the HFS file resource for both the original file and the link file.
  • BPX.CAHFS.FILESYS.PFSCTL
    Allows a user to call the pfsctl callable service, which sends a command to a physical file system.
  • BPX.CAHFS.FILESYS.VREGISTER
    Allows a user to issue vregister() to register as a VFS file server.
  • BPX.CAHFS.IPC.RMID
    Allows a user to perform ipcrm calls to clean up leftover IPC mechanisms.
  • BPX.CAHFS.PROCESS.GETPSENT
    Allows users to see all processes.
  • BPX.CAHFS.PROCESS.KILL
    Allows a user to send signals to any process.
File Functions
File-related functions can be secured to various levels of granularity by determining a user’s highest level of access to an IBMFAC resource. The ACCESS keyword of the IBMFAC resource authorization is used for this purpose. The following actions are taken based upon the ACCESS value:
  • ALL
    The user is allowed to perform the function against all files.
  • NONE
    The user is not allowed to perform the function against any files.
  • READ
    (Or any access containing READ such as CONTROL or UPDATE.)
    The user is allowed to perform the function if the user also has ACCESS(CONTROL) access to the HFS file.
    The access level of CONTROL is not used in normal file access. It is utilized here to provide additional controls for file functions.
    READ may also allow the function if the HFS file exists in the user's 'user path directory', that is, in the directory whose name matches the userid making the request. Normally this directory is chained off the /u directory, but the location can be altered by the user exit.
Because the absence of the ACCESS keyword in a permission implies READ access, specify ACCESS in all of the file function IBMFAC permissions so that you do not inadvertently allow greater access to functions than you intended.
HFS file permission settings and UID/GID ownership are not used for validation purposes when CA SAF HFS security is active.
File Functions (IBMFAC)
The following file functions are authorized via the IBMFAC ATTRIBUTE:
  • BPX.CAHFS.CHANGE.FILE.ATTRIBUTES
    Allows a user to change extended file attributes, such as APF authorization and program control. Native z/OS UNIX services will issue an IBMFAC resource call to determine authorization to set the specific attribute, but not to specific files. Use of this file function resource provides additional control down to the file level.
  • BPX.CAHFS.CHANGE.FILE.AUDIT.FLAGS
    HFS files contain two sets of audit flags, one that can be set by a normal user and the other that can only be set by an auditor. This resource allows a user to change user-audit flags in a file.
  • BPX.CAHFS.CHANGE.FILE.FORMAT
    Allows a user to change the format of a file. Changes include defining text data delimiters or binary file format.
  • BPX.CAHFS.CHANGE.FILE.MODE
    Allows a user to change any file mode information. This includes changes to file permission settings, setting the execution UID or GID indicators, and setting the “sticky” bit. Native z/OS UNIX permission settings are used for validation purposes only when CA SAF HFS security is inactive.
  • BPX.CAHFS.CHANGE.FILE.MODE.STICKY
    Allows a user to set the “sticky” bit in the file mode information. The “sticky” bit causes a program to be loaded from MVS libraries instead of the HFS.
  • BPX.CAHFS.CHANGE.FILE.MODE.EUID
    Allows a user to set the execution-UID indicator in the file mode information. When this indicator is set, the program runs under the UNIX UID of the file owner instead of the UID of the user running the program.
  • BPX.CAHFS.CHANGE.FILE.MODE.EGID
    Allows a user to set the execution-GID indicator in the file mode information. When this indicator is set, the program runs under the UNIX GID of the file owner instead of the GID of the user running the program.
  • BPX.CAHFS.CHANGE.FILE.OWNER
    Allows a user to change file owner UID setting. Native z/OS UNIX ownership settings are used for validation purposes only when CA SAF HFS security is inactive.
  • BPX.CAHFS.CHANGE.FILE.GROUP
    Allows a user to change file owner GID setting. Native z/OS UNIX ownership settings are used for validation purposes only when CA SAF HFS security is inactive.
  • BPX.CAHFS.CHANGE.FILE.TIME
    Allows a user to change the last access or modification time to the current time or a user-specified time. If the current time is to be set and the user has write access to the file, the function is allowed. If the user does not have write access or a user-specified time is to be set, access must be allowed to this IBMFAC resource.
Example IBMFAC Permissions
This example allows Thelma to change the file mode and owner for all files. Louise is allowed to change the file mode for only those files that reside in a certain directory, but is not allowed to change the file owner in any file:
TSS PER(THELMA) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE) ACCESS(ALL)
TSS PER(LOUISE) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE) ACCESS(CONTROL)
TSS PER(THELMA) IBMFAC(BPX.CAHFS.CHANGE.FILE.OWNER) ACCESS(ALL)
TSS PER(LOUISE) HFSSEC(/certain.directory.) ACCESS(ALL)
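The following Python script is an added example, not code from the CA product or its documentation. It models the file-function access decision described under File Functions (ALL, NONE, and READ-containing IBMFAC access combined with CONTROL on the HFS file or the user path directory) and checks it against the Thelma and Louise permits above, which is a useful way to review a set of permits before they go live. The ordering of Top Secret access levels, the generic prefix matching of resource names, the /u default for the user path directory, and the translation of a path into an HFSSEC resource name (inferred from the /user/bob to /USER.BOB example on this page) are assumptions and are marked as such in the comments.

```python
# Added example (not CA product code): a model of the CA SAF HFS
# file-function access decision, checked against the Thelma/Louise permits.
from dataclasses import dataclass
from typing import Optional

# Assumed ordering of Top Secret access levels, weakest to strongest.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4, "ALL": 5}


@dataclass
class Permit:
    user: str
    cls: str                      # "IBMFAC" or "HFSSEC"
    resource: str                 # resource name as written in the TSS PER command
    access: Optional[str] = None  # None models an omitted ACCESS keyword


def hfssec_name(path: str) -> str:
    """Translate a path into an HFSSEC resource name the way this page's
    example does (/user/bob -> /USER.BOB): keep the leading slash, turn the
    remaining slashes into periods, uppercase. Assumption inferred from that example."""
    if not path.startswith("/"):
        raise ValueError("absolute path expected")
    return "/" + path[1:].replace("/", ".").upper()


def effective_access(permits, user, cls, resource) -> str:
    """Highest access level 'user' holds on 'resource' in class 'cls'.
    A permit matches when its resource name is a prefix of the requested name
    (generic prefix matching, assumed). An omitted ACCESS keyword counts as
    READ, which is why the page says to code ACCESS on every file-function permit."""
    best = "NONE"
    for p in permits:
        if p.user == user and p.cls == cls and resource.upper().startswith(p.resource.upper()):
            level = p.access or "READ"
            if LEVELS[level] > LEVELS[best]:
                best = level
    return best


def in_user_path_directory(user: str, path: str, base: str = "/u") -> bool:
    """The 'user path directory' rule: a file under <base>/<userid>/.
    /u is the default base; the page notes a user exit can change it."""
    return path.lower().startswith(f"{base}/{user.lower()}/")


def file_function_allowed(permits, user, function, path):
    """Apply the ACCESS rules for a BPX.CAHFS file function. Returns (allowed, reason)."""
    ibmfac = effective_access(permits, user, "IBMFAC", f"BPX.CAHFS.{function}")
    if ibmfac == "ALL":
        return True, "IBMFAC ACCESS(ALL): function allowed against all files"
    if ibmfac == "NONE":
        return False, "no IBMFAC access to the function"
    # READ, or any level containing READ (UPDATE, CONTROL, ALTER):
    if in_user_path_directory(user, path):
        return True, "file is in the user's own path directory"
    hfs = effective_access(permits, user, "HFSSEC", hfssec_name(path))
    if LEVELS[hfs] >= LEVELS["CONTROL"]:
        return True, "IBMFAC READ plus CONTROL (or higher) on the HFS file"
    return False, f"IBMFAC READ but only HFSSEC {hfs} on {hfssec_name(path)}"


# The permits from the page's Thelma/Louise example, constructed here as data.
PERMITS = [
    Permit("THELMA", "IBMFAC", "BPX.CAHFS.CHANGE.FILE.MODE", "ALL"),
    Permit("LOUISE", "IBMFAC", "BPX.CAHFS.CHANGE.FILE.MODE", "CONTROL"),
    Permit("THELMA", "IBMFAC", "BPX.CAHFS.CHANGE.FILE.OWNER", "ALL"),
    Permit("LOUISE", "HFSSEC", "/certain.directory.", "ALL"),
]

if __name__ == "__main__":
    # Constructed sample requests; the paths are illustrative only.
    for user, fn, path in [
        ("THELMA", "CHANGE.FILE.MODE", "/etc/profile"),
        ("LOUISE", "CHANGE.FILE.MODE", "/certain/directory/app.conf"),
        ("LOUISE", "CHANGE.FILE.MODE", "/etc/profile"),
        ("LOUISE", "CHANGE.FILE.OWNER", "/certain/directory/app.conf"),
        ("LOUISE", "CHANGE.FILE.MODE", "/u/louise/.profile"),
    ]:
        print(user, fn, path, file_function_allowed(PERMITS, user, fn, path))
```

Running the script shows Thelma allowed everywhere, Louise allowed to change the mode only under /certain/directory/ or her own /u/louise/ directory, and denied the owner change everywhere. Feeding it a permit with no ACCESS keyword shows it resolve to READ, the trap the page warns about.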