On Mon, 18 Nov 2024 05:10:42 -0500, Robert S. Hansel wrote:
>
>RACF profiles don't govern access to individual Unix files and directories.
>Access to a file or directory is governed by its individual File Security
>Packet (FSP) which contains the Owner/User, Group, permissions bits, and
>Extended Access Control Lists (ACLs). FSPs are stored in the file's or
>directory's parent directory.
    ...
>
I believe the permission bits, those set by "chmod" and shown by "ls -l",
are stored not in a directory but in the file's inode.

>There are UNIXPRIV profiles that can override permissions in FSPs to grant
>access, but they are not specific to an individual file or directory.
>Superuser also overrides the permissions in FSPs. To better understand how
>Unix access controls work, see my presentation on UNIXPRIV.
>
Thanks. Still, what happens if the file is linked from different
directories with conflicting rules?

    561 $
    561 $ touch first/fred
    562 $ ln first/fred second/joe
    563 $ ls -il *
    first:
    total 0
    75534329 -rw-r--r--  2 paulgilm  wheel  0 Nov 18 07:05 fred

    second:
    total 0
    75534329 -rw-r--r--  2 paulgilm  wheel  0 Nov 18 07:05 joe
    564 $

Same inumber; same file; 2 links.

>https://www.rshconsulting.com/RSHpres/RSH_Consulting__UNIXPRIV_Class__October_2018.pdf
>
I haven't read it yet. Will it answer my questions?

>The one RACF class that can have pathnames is FSEXEC for controlling whether
>the Execute bit will be honored, but that is a special case and would only
>have a few pathnames specified.

--
Thanks again,
gil
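
An added example, not part of the original thread: on a generic POSIX filesystem, a mode change made through one hard link can be read back through the other name, because both names resolve to one inode. It assumes ordinary Unix semantics and makes no claim about where z/OS UNIX stores the FSP; the helper names and the temporary work directory are hypothetical, and first/fred and second/joe mirror the session above.

```shell
#!/bin/sh
# Added example (constructed): generic POSIX behaviour, not verified on z/OS UNIX.

# Print the inode number of a path, as shown in the first column of "ls -i".
inode_of() { ls -i "$1" | awk '{print $1}'; }

# Print the ten-character type/permission string from "ls -l".
mode_of() { ls -l "$1" | cut -c1-10; }

# Recreate the two-directory, two-link layout, change the mode through one
# name, and print the mode seen through the other name.
demo_hardlink_modes() {
    work=$(mktemp -d) || return 1
    mkdir "$work/first" "$work/second"
    touch "$work/first/fred"
    chmod 644 "$work/first/fred"          # fixed starting mode, independent of umask
    ln "$work/first/fred" "$work/second/joe"

    # Both directory entries must point at the same inode.
    if [ "$(inode_of "$work/first/fred")" != "$(inode_of "$work/second/joe")" ]; then
        rm -rf "$work"
        return 1
    fi

    # Change the permission bits through the name in "second"...
    chmod 600 "$work/second/joe"
    # ...and read them back through the name in "first".
    result=$(mode_of "$work/first/fred")

    rm -rf "$work"
    printf '%s\n' "$result"
}

demo_hardlink_modes
```

On such a filesystem, the only per-path difference between the two names is the permissions on the parent directories `first` and `second`, which control whether each name can be looked up at all.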