On Fri, 12 Dec 2025 07:35:21 -0500, Robert S. Hansel <[email protected]> wrote:
> Are native Unix controls (Owner,Group,Other permission bits) being used to
> govern access in Unix or has it been externalized such that ACF2 rules are
> governing access?
>
> If the latter, UID may not matter unless you are planning on converting to
> RACF.

Fixing UID shifts the problem to GID. I suggest you either skip or delay this until you create a well-defined UID, GID, OTHER and ownership strategy. You don't want to repeat this process again.

May I suggest considering an alternate approach that might be easier:

1. I would focus on the subdirectories of /u. Correcting files doesn't retrain habits learned in an unsecured environment. This is the typical location for user and group directories. /tmp is another location where user files are located.

2. Definition: "group" directories are the /u directories that aren't used as any SAF user's unix home. These directories are primarily accessed using group permissions. I suspect there will be very few because it was too easy to use someone's home directory as a group directory.

3. Definition: "home" directories are the home directories defined in a SAF user's unix home definition.

4. You only need to secure each /u subdirectory using chmod (440 or 400), chown and chgrp. Files and subdirectories default to chmod 444, which gives other permission to the files (try touch uuu to verify). Leave it up to the users to secure their files.

5. The difficult problem is determining group files in home directories and how they fit into your strategy. Do you allow group files to remain in home directories or create group directories?

6. Considerations & changes for each directory in /u:

6a. To simplify conversion, authorize your common GID to everyone.

6b. Investigate files & subdirectories that do not have the common UID & GID.

6c. Investigate files & subdirectories that are the common ones.

6d. Review the impact of hardlinks in bypassing security.

6e. Propagating owner and group to each file and subdirectory in /u.

This method allows you to ignore files and simplify the process. This is not a complete list, but you can ask questions if this is an alternative you want to pursue.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
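As an added example (not code from the post above or from IBM-MAIN), a read-only audit script in POSIX sh that reports what steps 4, 6b and 6d of the suggested approach ask you to look for under a /u-style tree: entries whose owner or group is not the common one, entries that grant "other" any access, and hard-linked files. The common owner and group names are assumed inputs, and the sample tree it builds for the demo is constructed.

```shell
#!/bin/sh
# Added audit helper, not code from the post. Read-only: it lists the entries
# under a /u-style tree that the post says to investigate (6b: owner/group
# not the common ones; 4: "other" permission bits; 6d: hard links) so they
# can be reviewed before any chmod/chown/chgrp is applied.
# Assumptions: POSIX find/sed; the common owner and group are given by name.

audit_dir() {
    dir=$1; owner=$2; group=$3
    # 6b: entries whose owner or group differs from the common UID/GID
    find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -print |
        sed 's/^/OWNERSHIP /'
    # 4: entries granting "other" read, write or execute
    find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/OTHER /'
    # 6d: regular files reachable by more than one path (hard links)
    find "$dir" -type f -links +1 -print |
        sed 's/^/HARDLINK /'
}

# Count the findings of one class (OWNERSHIP, OTHER or HARDLINK)
count_findings() {
    audit_dir "$1" "$2" "$3" | grep -c "^$4 " || true
}

# Constructed sample tree owned by the current user: a private file, a
# world-readable file and a second hard link to the private file.
build_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/home1"
    : > "$t/home1/private";  chmod 600 "$t/home1/private"
    : > "$t/home1/shared";   chmod 644 "$t/home1/shared"
    ln "$t/home1/private" "$t/home1/alias"
    chmod 700 "$t" "$t/home1"
    printf '%s\n' "$t"
}

# Run with --demo to audit the constructed tree as the current user/group
if [ "${1:-}" = "--demo" ]; then
    tree=$(build_demo_tree)
    audit_dir "$tree" "$(id -un)" "$(id -gn)"
    rm -rf "$tree"
fi
```

Against a real /u, pass the common owner and group from step 6a and review each OWNERSHIP and HARDLINK line before propagating ownership (step 6e).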
