> We have outgrown the USS permission bits due to limitations.
>
> What is the minimum required to give read/write/exec to users/groups for a
> particular directory? i.e. /public and everything below it.
Some points that come to my mind:

- ACLs, if present, will be used only if the RACF FSSEC class is active.
- You cannot change the *owner's* access for an entry (file, directory, etc.). The owner will always be granted access based on the base permission bits.
- The number of ACLs that can be defined per entry is limited.
- You can grant access to individual UIDs or GIDs.
- For directories, you can define *default* ACLs to be given to new files and directories within that directory. Those defaults will also be inherited by directories, i.e. become the new directory's defaults.

Bob Hansel has a nice flowchart that summarizes the logic that is applied, including base permissions, ACL permissions, and UNIXPRIV class profiles:
http://www.rshconsulting.com/RSHpres/RSH_Consulting__UNIXPRIV_Class__March_2017.pdf

The shell commands to work with ACLs are "getfacl" to list the ACLs and "setfacl" to set or modify them.

   getfacl -adf file-or-directory

This lists the base permissions and ACLs, if any, for the selected files/directory.

   setfacl -m "acl settings see below" file-or-directory

This modifies the ACLs of the specified file or directory. It adds (if not yet present) or modifies ACLs for the UIDs or GIDs specified. You can also replace everything via -s (set), and delete via -x. There are other variants; I suggest reading the z/OS UNIX Command Reference.

"acl settings see below" is a list of ACLs to be set, enclosed in double quotes. Separate the entries with commas. An ACL setting in that list can be:

- The settings of the base permission bits. This is the same as using "chmod". Specify the ACL in the format {u|g|o}::rwx. Note: to set a bit use the character (r, w, x) shown; to clear it use a dash (-).
- The setting of some extended ACL for a UID (user) or GID (group). These are of similar format to the above, just that they have the desired UID/GID between the two colons: {u|g}:{uid|gid}:rwx. You can specify the user or group via UID/GID, or via RACF USERID/GROUP names.
- The setting of *default* extended ACLs, but only on directories, not on files. The format is the same as above, just prefixed with 'f:' or 'd:' to define the entry as a file or directory default. File default ACLs will become the initial ACL for new files created in that directory. Directory defaults will become the initial ACL for new directories in that directory. In addition, file and directory default ACLs will become the initial default ACLs for new directories, i.e. new directories inherit the defaults from their parent directory.

Note that I wrote "initial ACLs" above. Changing the ACLs or default ACLs of a directory does *not* cascade the changes down to existing entries.

To grant "rwx" to users PETER and JOE, "r--" to user BOB, and "rx-" to group GRP1, specify:

   setfacl -mv "u:PETER:rwx,u:JOE:rwx,u:BOB:r--,g:GRP1:rw-" file-or-directory

To make sure members of group GRP2 can create and delete files in a directory and in any new subdirectory, and can read and write any new files in those directories, specify:

   setfacl -mv "g:GRP2:rwx,d:g:GRP2:rwx,f:g:GRP2:rw-" directory

HTH

--
Peter Hunkeler

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
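As an added example (not from Peter's post and not z/OS code), here is a small Python model of the setfacl -m entry syntax and of the default-ACL inheritance described above: it parses a quoted entry list, applies it to a directory, and derives the initial ACLs of new files and subdirectories, which also shows that later changes to the parent do not cascade. The dict layout and function names are this example's own assumptions, not z/OS's.

```python
import re

# One entry of a setfacl -m list: optional f:/d: default prefix, u/g/o type,
# a UID/GID/name (empty for the base permission bits) and an rwx triple.
ENTRY = re.compile(
    r"^(?:(?P<dflt>[fd]):)?(?P<kind>[ugo]):(?P<name>[^:]*):(?P<perm>[r-][w-][x-])$")

def empty_acl():
    """ACL state of one file or directory, in this example's own layout (not z/OS's)."""
    return {"base": {}, "access": {}, "file_default": {}, "dir_default": {}}

def valid_entry(raw):
    """True if one entry is well-formed, e.g. to check a list before calling setfacl."""
    return ENTRY.match(raw.strip()) is not None

def parse_spec(spec):
    """Split the quoted, comma-separated list given to setfacl -m into entries."""
    entries = []
    for raw in spec.split(","):
        m = ENTRY.match(raw.strip())
        if m is None:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        e = m.groupdict()
        if e["kind"] == "o" and e["name"]:
            raise ValueError(f"'o' entries take no name: {raw!r}")
        entries.append(e)
    return entries

def setfacl_m(acl, spec, is_dir):
    """Apply 'setfacl -m spec' to one entry's ACL state in place (add or modify)."""
    for e in parse_spec(spec):
        if e["dflt"] and not is_dir:
            raise ValueError("default ACLs can only be set on directories")
        if not e["name"]:                      # u::rwx etc.: same effect as chmod
            acl["base"][e["kind"]] = e["perm"]
            continue
        table = {None: "access", "f": "file_default", "d": "dir_default"}[e["dflt"]]
        acl[table][(e["kind"], e["name"])] = e["perm"]

def create_child(parent, is_dir):
    """Initial ACL of a new file or directory created inside 'parent'."""
    child = empty_acl()
    # Copies are taken at creation time only: later changes to the parent's
    # ACLs or default ACLs do not cascade down to this child.
    if is_dir:
        child["access"] = dict(parent["dir_default"])
        child["file_default"] = dict(parent["file_default"])   # inherited as defaults
        child["dir_default"] = dict(parent["dir_default"])
    else:
        child["access"] = dict(parent["file_default"])
    return child
```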
