Re: Unix Permissions Display Question
Hi Fred,

ACLs are kept in the File Security Packet (FSP) for each individual file in the Unix file system. They are not stored in RACF.

The ACL you show would allow these two users to write (w) to the file but not read (r) or execute (x) it. You might need to add read (r) authority if they are having difficulty accessing the file. Check for ICH408I violation messages as they will show INTENT and ALLOWED.

The file ACL should not affect your ability to rename the file. Rename is controlled by access to the parent directory, and write (w) is required to rename it. Check your permissions to the directory. It, too, might have an ACL. Again, check for ICH408I messages.

BTW, the owner appears as a UID and not a RACF ID. Either there is no RACF ID with this UID, or the default group for the RACF ID with this UID doesn't have a GID. I recommend you remediate this.

Regards, Bob

Robert S. Hansel
2021 #IBMChampion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - OCT 18-22, 2021
- RACF Level I Administration - DEC 6-10, 2021
- RACF Level II Administration - NOV 15-19, 2021
- RACF Level III Admin, Audit, & Compliance - NOV 1-5, 2021
- RACF - Securing z/OS UNIX - SEPT 20-24, 2021
---

-----Original Message-----
Date: Fri, 2 Jul 2021 14:10:32 +
From: fred glenlake
Subject: Re: Unix Permissions Display Question

Hi List,

Amazing response by so many members, very much appreciated. Just to close the loop, I don't have Vista so that's out. The Unix display that I re-typed was with the + in front of the 755. From the follow-on copy and pastes below of your suggested commands it shows I have 2 USER ACL's defined somewhere in RACF that are likely the cause of my access issues when I try to rename this file in a simulated DR test scenario.

I issued the GETFACL command as suggested and that display is copied and pasted below.

    $ getfacl SYSTEM/etc/pagent_TTLS.conf
    #file: SYSTEM/etc/pagent_TTLS.conf
    #owner: 30456
    #group: SYS1
    user::rwx
    group::r-x
    other::r-x
    user:DRTSTCPY:-w-
    user:DREVTCPY:-w-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
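Added example, not part of the original thread or any poster's code: a small Python model of the reading given in the reply above, where a matching user ACL entry decides access on its own and rename is decided by the parent directory. The function names and the parent-directory ACL are constructed for illustration; superuser, UNIXPRIV and named group ACL entries are not modelled.

```python
# Added example: simplified model of the access check discussed in this thread.
# Assumptions: no superuser or UNIXPRIV handling; named group ACL entries are ignored.

# getfacl output as posted in the thread.
GETFACL_OUTPUT = """\
#file: SYSTEM/etc/pagent_TTLS.conf
#owner: 30456
#group: SYS1
user::rwx
group::r-x
other::r-x
user:DRTSTCPY:-w-
user:DREVTCPY:-w-
"""

# Constructed parent-directory ACL (not from the thread), for the rename check.
SAMPLE_DIR_ACL = """\
#file: SYSTEM/etc
#owner: BPXROOT
#group: SYS1
user::rwx
group::r-x
other::r-x
"""


def parse_getfacl(text):
    """Parse getfacl text into owner, group, base permissions and user ACL entries."""
    acl = {"file": None, "owner": None, "group": None, "base": {}, "users": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() in ("file", "owner", "group"):
                acl[key.strip()] = value.strip()
            continue
        kind, name, perms = line.split(":")
        if len(perms) != 3:
            raise ValueError(f"bad permission field: {line!r}")
        if not name:
            acl["base"][kind] = perms      # user::, group::, other::
        elif kind == "user":
            acl["users"][name] = perms     # extended ACL entry for one user
    return acl


def effective_perms(acl, user, groups=()):
    """Return the rwx string that decides access: owner, user ACL entry, group, other."""
    if user == acl["owner"]:
        return acl["base"]["user"]
    if user in acl["users"]:
        return acl["users"][user]          # decisive; 'other' bits are not consulted
    if acl["group"] in groups:
        return acl["base"]["group"]
    return acl["base"]["other"]


def allowed(acl, user, wanted, groups=()):
    """True if every permission letter in `wanted` (e.g. "r" or "wx") is granted."""
    return all(p in effective_perms(acl, user, groups) for p in wanted)


def can_rename(dir_acl, user, groups=()):
    """Rename needs write on the parent directory, plus search (x) to reach its entries."""
    return allowed(dir_acl, user, "wx", groups)
```

With the posted ACL, `DRTSTCPY` can write the file but not read it, while a user with no ACL entry falls through to `other::r-x`; neither can rename it under the constructed directory permissions.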
Re: Unix Permissions Display Question
On 2021-07-01 23:40 PM, Paul Gilmartin wrote:
> Does the entire screen qualify as such a rectangular selection?
> The originator of this thread said he retyped the half dozen lines
> he showed. We don't know whether he has Vista, which should have
> saved him the retyping.

The entire data area of the screen, yes. The status line at the bottom, no.

>> I can't show you those because they are Windows menus and capturing
>> those would require Windows print screen.
>
> I fear Windows print screen is the only tool some users know; not
> ideal for problem tracking, etc. I've been there, working to
> reproduce a problem from a screen image.

Amen to that. I try to be nice, though, in case they are using an emulator that does not support text copy/paste.

--
Regards, Gord Tomlin
Action Software International
(a division of Mazda Computer Corporation)
Tel: (905) 470-7113, Fax: (905) 470-6507
Support: https://actionsoftware.com/support/
Re: Unix Permissions Display Question
Hi List,

Amazing response by so many members, very much appreciated. Just to close the loop, I don't have Vista so that's out. The Unix display that I re-typed was with the + in front of the 755. From the follow-on copy and pastes below of your suggested commands it shows I have 2 USER ACL's defined somewhere in RACF that are likely the cause of my access issues when I try to rename this file in a simulated DR test scenario.

I issued the GETFACL command as suggested and that display is copied and pasted below.

    $ getfacl SYSTEM/etc/pagent_TTLS.conf
    #file: SYSTEM/etc/pagent_TTLS.conf
    #owner: 30456
    #group: SYS1
    user::rwx
    group::r-x
    other::r-x
    user:DRTSTCPY:-w-
    user:DREVTCPY:-w-

I also displayed file attributes in TSO ishell and that display is copied and pasted below.

TSO ishell Display File Attributes (Option 2 or A)

    Pathname : /SYSTEM/etc/pagent_TTLS.conf
                                                More: +
    File type . . . . . . : Regular file
    Permissions . . . . . : 755 rwxr-xr-x
    Access control list . : 1
    File size . . . . . . : 8562
    File owner . . . . . : (30456)
    Group owner . . . . . : SYS1(2)
    Last modified . . . . : 2021-03-25 16:09:34
    Last changed . . . . : 2021-07-01 11:01:20
    Last accessed . . . . : 2021-07-02 09:10:43
    Created . . . . . . . : 2020-10-25 01:46:59
    Link count . . . . . : 1

    Pathname : /SYSTEM/etc/pagent_TTLS.conf
                                                More: - +
    Link count . . . . . : 1
    Set UID bit . . . . . : 0
    Set GID bit . . . . . : 0
    Sticky bit . . . . . : 0
    Auditor audit . . . . : R= W= E=
    User audit . . . . . : R= F W= F E= F
    Device number . . . . : 4
    Inode number . . . . : 53
    Major device . . . . : 0
    Minor device . . . . : 0
    File format . . . . . : NA

    Pathname : /SYSTEM/etc/pagent_TTLS.conf
                                                More: -
    Major device . . . . : 0
    Minor device . . . . : 0
    File format . . . . . : NA
    Shared AS . . . . . . : 1
    APF authorized . . . : 0
    Program controlled . : 0
    Shared library . . . : 0
    Char Set ID/Text flag : 0 OFF
    Directory default ACL : 0
    File default ACL . . : 0
    Seclabel . . . . . . :

I also displayed the file in TSO ISPF 3.17 and that display is below as well as the follow-on display manage ACL's.

TSO ISPF 3.17

    Display z/OS UNIX Directory List                 Row 29 to 43 of 65
    Command ===>                                     Scroll ===> CSR
    Pathname . : /SYSTEM/etc
    Command  Filename         Message  Type  Permission  Audit   Ext   Fmat
    ---
             pagent_TTLS.con           File  rwxr-xr-x+  fff---  --s-

OPTION # 23 Manage ACLs

    Display z/OS UNIX ACL List                       Row 1 from 2
    Command ===>                                     Scroll ===> CSR
    S  UID       Read  Write  eXecute  Name      Type
       69234537        W               DRTSTCPY  USER
       69234538        W               DREVTCPY  USER

Sent from Outlook <http://aka.ms/weboutlook>

From: IBM Mainframe Discussion List on behalf of fred glenlake
Sent: July 1, 2021 1:43 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Unix Permissions Display Question

Hi List,

I am trying to understand what I am seeing when I display my /SYSTEM/etc files especially for my PAGENT files. I re-typed the display below:

    Type  Perm  Permission  Owner    Filename
    File  755   rwxr-xr-x   BPXROOT  pagent_TTLS.bkup20191118
    File  +755+rwxr-xr-x             pagent_TTLS.conf
    File  755   rwxr-xr-x   BPXROOT  pagent_TTLS.conf.oldcert

I am really interested in what the "+" means in front of the 755 and the permissions rwxr-xr-x. I think it means the file pagent_TTLS.conf is somehow protected externally by RACF but I am not sure. I have not been able to locate a redbook or manual that tells me what the "+" means. In a CHMOD command the + means adding permissions, that I know (or think I know). I am not a z/UNIX guru by any stretch of the imagination. I am hoping someone can enlighten me please. Also if it is externally protected how I could go about displaying the RACF protection or profile or ?? I have a started task that tries to copy in a new version of this file when we do a DR test but my started task fails and I need to do it manually as SuperUser.

Thanks,

FredG.
Re: Unix Permissions Display Question
On Thu, 1 Jul 2021 22:22:35 -0400, Gord Tomlin wrote:
>
>GT: Not true. Any rectangular selection can be made using the mouse.
>That's useful for copying chunks of code and pasting it into other
>programs, email messages, ...
>
Does the entire screen qualify as such a rectangular selection? The originator of this thread said he retyped the half dozen lines he showed. We don't know whether he has Vista, which should have saved him the retyping.

> I can't show you
>those because they are Windows menus and capturing those would require
>Windows print screen.
>
I fear Windows print screen is the only tool some users know; not ideal for problem tracking, etc. I've been there, working to reproduce a problem from a screen image.

-- gil
Re: Unix Permissions Display Question
Comments interspersed, prefixed by GT:

On 2021-07-01 20:46 PM, Paul Gilmartin wrote:

Thanks. I haven't Vista to play with, and others have said here that Vista captures screens only as bitmaps, not acceptable on this list.

GT: Not true. Any rectangular selection can be made using the mouse. That's useful for copying chunks of code and pasting it into other programs, email messages, chat clients, issue trackers, and so on. Seeing your comment about what others have said, I had to go look to see if Vista even has the ability to produce a bitmap image, and I don't see one. The Edit menu in the window mode contains an assortment of advanced copy and paste options, none of which I've played with. I can't show you those because they are Windows menus and capturing those would require Windows print screen.

however, in:
    https://www.tombrennansoftware.com/multiple.html
I read:
    Each time something is Cut or Copied, the data is stored in Copybuffer 1, and also into the Windows Clipboard.

Ideally then, one might Select the entire screen; Copy; and Paste into an editor such as Notepad++ or directly into a message to this list. How does that procedure treat:
o Multi-line fields?
o Attribute bytes?
o Highlighting?

GT: You get plain text in the clipboard.

There are competing objectives:
o A programmer might want to Copy even a multi-line field as a string with no formatting.

GT: Works like a charm.

o A writer of documentation or the OP to this thread might want a visually faithful image of the screen.

GT: For this, the best thing I've seen is HTML-formatted screen shots from x3270.

--
Regards, Gord Tomlin
Action Software International
(a division of Mazda Computer Corporation)
Tel: (905) 470-7113, Fax: (905) 470-6507
Support: https://actionsoftware.com/support/
Re: Unix Permissions Display Question
On Thu, 1 Jul 2021 17:49:41 -0400, Gord Tomlin wrote:

>On 2021-07-01 14:15 PM, Paul Gilmartin wrote:
>> Can you not copy-paste rather than re-typing? It saves you many
>> keystrokes and reduces the likelihood of typos. (Can that be done
>> with Vista, in particular?)
>
>Copy/paste is easy peasy in vista.
>
Thanks. I haven't Vista to play with, and others have said here that Vista captures screens only as bitmaps, not acceptable on this list.

however, in:
    https://www.tombrennansoftware.com/multiple.html
I read:
    Each time something is Cut or Copied, the data is stored in Copybuffer 1, and also into the Windows Clipboard.

Ideally then, one might Select the entire screen; Copy; and Paste into an editor such as Notepad++ or directly into a message to this list. How does that procedure treat:
o Multi-line fields?
o Attribute bytes?
o Highlighting?

There are competing objectives:
o A programmer might want to Copy even a multi-line field as a string with no formatting.
o A writer of documentation or the OP to this thread might want a visually faithful image of the screen.

-- gil
Re: Unix Permissions Display Question
On 2021-07-01 14:15 PM, Paul Gilmartin wrote:
> Can you not copy-paste rather than re-typing? It saves you many
> keystrokes and reduces the likelihood of typos. (Can that be done
> with Vista, in particular?)

Copy/paste is easy peasy in vista.

--
Regards, Gord Tomlin
Action Software International
(a division of Mazda Computer Corporation)
Tel: (905) 470-7113, Fax: (905) 470-6507
Support: https://actionsoftware.com/support/
Re: Unix Permissions Display Question
Personally I like to use 3.17 in ISPF to view USS files and filesystems. Easier to navigate.

Lizette

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of fred glenlake
Sent: Thursday, July 1, 2021 10:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Unix Permissions Display Question

Hi List,

I am trying to understand what I am seeing when I display my /SYSTEM/etc files especially for my PAGENT files. I re-typed the display below:

    Type  Perm  Permission  Owner    Filename
    File  755   rwxr-xr-x   BPXROOT  pagent_TTLS.bkup20191118
    File  +755+rwxr-xr-x             pagent_TTLS.conf
    File  755   rwxr-xr-x   BPXROOT  pagent_TTLS.conf.oldcert

I am really interested in what the "+" means in front of the 755 and the permissions rwxr-xr-x. I think it means the file pagent_TTLS.conf is somehow protected externally by RACF but I am not sure. I have not been able to locate a redbook or manual that tells me what the "+" means. In a CHMOD command the + means adding permissions, that I know (or think I know). I am not a z/UNIX guru by any stretch of the imagination. I am hoping someone can enlighten me please. Also if it is externally protected how I could go about displaying the RACF protection or profile or ?? I have a started task that tries to copy in a new version of this file when we do a DR test but my started task fails and I need to do it manually as SuperUser.

Thanks,

FredG.
Re: Unix Permissions Display Question
If you do a normal "ls -l" command, does the plus sign show up at the end of the permission bits? If so, it is an extended ACL. In addition, if you do a "man ls" it describes the plus sign right after it describes the permission bits.

Rex

-----Original Message-----
From: Pommier, Rex
Sent: Thursday, July 1, 2021 1:43 PM
To: 'IBM Mainframe Discussion List'
Subject: RE: Unix Permissions Display Question

Fred,

A + at the end of the permission bits says there's extended ACL protecting it. I haven't seen this style of display before. What do you get if you do a getfacl on the pagent_TTLS.conf file?

Rex

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of fred glenlake
Sent: Thursday, July 1, 2021 12:43 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [External] Unix Permissions Display Question

Hi List,

I am trying to understand what I am seeing when I display my /SYSTEM/etc files especially for my PAGENT files. I re-typed the display below:

    Type  Perm  Permission  Owner    Filename
    File  755   rwxr-xr-x   BPXROOT  pagent_TTLS.bkup20191118
    File  +755+rwxr-xr-x             pagent_TTLS.conf
    File  755   rwxr-xr-x   BPXROOT  pagent_TTLS.conf.oldcert

I am really interested in what the "+" means in front of the 755 and the permissions rwxr-xr-x. I think it means the file pagent_TTLS.conf is somehow protected externally by RACF but I am not sure. I have not been able to locate a redbook or manual that tells me what the "+" means. In a CHMOD command the + means adding permissions, that I know (or think I know). I am not a z/UNIX guru by any stretch of the imagination. I am hoping someone can enlighten me please. Also if it is externally protected how I could go about displaying the RACF protection or profile or ?? I have a started task that tries to copy in a new version of this file when we do a DR test but my started task fails and I need to do it manually as SuperUser.

Thanks,

FredG.

The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.
Re: Unix Permissions Display Question
Fred,

A + at the end of the permission bits says there's extended ACL protecting it. I haven't seen this style of display before. What do you get if you do a getfacl on the pagent_TTLS.conf file?

Rex

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of fred glenlake
Sent: Thursday, July 1, 2021 12:43 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [External] Unix Permissions Display Question

Hi List,

I am trying to understand what I am seeing when I display my /SYSTEM/etc files especially for my PAGENT files. I re-typed the display below:

    Type  Perm  Permission  Owner    Filename
    File  755   rwxr-xr-x   BPXROOT  pagent_TTLS.bkup20191118
    File  +755+rwxr-xr-x             pagent_TTLS.conf
    File  755   rwxr-xr-x   BPXROOT  pagent_TTLS.conf.oldcert

I am really interested in what the "+" means in front of the 755 and the permissions rwxr-xr-x. I think it means the file pagent_TTLS.conf is somehow protected externally by RACF but I am not sure. I have not been able to locate a redbook or manual that tells me what the "+" means. In a CHMOD command the + means adding permissions, that I know (or think I know). I am not a z/UNIX guru by any stretch of the imagination. I am hoping someone can enlighten me please. Also if it is externally protected how I could go about displaying the RACF protection or profile or ?? I have a started task that tries to copy in a new version of this file when we do a DR test but my started task fails and I need to do it manually as SuperUser.

Thanks,

FredG.
Re: Unix Permissions Display Question
The plus sign indicates that the file has an extended ACL. You can list it using getfacl.

ITschak

On Thu, 1 July 2021 at 20:43, fred glenlake <fred.glenl...@outlook.com> wrote:

> Hi List,
>
> I am trying to understand what I am seeing when I display my /SYSTEM/etc
> files especially for my PAGENT files. I re-typed the display below:
>
> Type Perm Permission Owner Filename
> File 755 rwxr-xr-x BPXROOT pagent_TTLS.bkup20191118
> File +755+rwxr-xr-x pagent_TTLS.conf
> File 755 rwxr-xr-x BPXROOT pagent_TTLS.conf.oldcert
>
> I am really interested in what the "+" means in front of the 755 and the
> permissions rwxr-xr-x. I think it means the file pagent_TTLS.conf is
> somehow protected externally by RACF but I am not sure. I have not been
> able to locate a redbook or manual that tells me what the "+" means. In a
> CHMOD command the + means adding permissions, that I know (or think I
> know). I am not a z/UNIX guru by any stretch of the imagination. I am
> hoping someone can enlighten me please. Also if it is externally protected
> how I could go about displaying the RACF protection or profile or ?? I
> have a started task that tries to copy in a new version of this file when
> we do a DR test but my started task fails and I need to do it manually as
> SuperUser.
>
> Thanks,
>
> FredG.

--
Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform
Information Security Continuous Monitoring for Z/OS, zLinux and IBM I
Email: i_mugz...@securiteam.co.il | Mob: +972 522 986404 | Skype: ItschakMugzach | Web: www.Securiteam.co.il
Re: Unix Permissions Display Question
On Thu, 1 Jul 2021 17:43:15 +, fred glenlake wrote:
>
>I am trying to understand what I am seeing when I display my /SYSTEM/etc files
>
What tool do you use to generate that display? Its Ref. might tell us more about its conventions.

> especially for my PAGENT files. I re-typed the display below:
>
Can you not copy-paste rather than re-typing? It saves you many keystrokes and reduces the likelihood of typos. (Can that be done with Vista, in particular?)

>Type Perm Permission Owner Filename
>File 755 rwxr-xr-x BPXROOT pagent_TTLS.bkup20191118
>File +755+rwxr-xr-x pagent_TTLS.conf
>File 755 rwxr-xr-x BPXROOT pagent_TTLS.conf.oldcert
>
>I am really interested in what the "+" means in front of the 755 ... In a
>CHMOD command the + means adding permissions,
>
I agree, but I doubt chmod is involved here.

-- gil
Unix Permissions Display Question
Hi List,

I am trying to understand what I am seeing when I display my /SYSTEM/etc files especially for my PAGENT files. I re-typed the display below:

    Type  Perm  Permission  Owner    Filename
    File  755   rwxr-xr-x   BPXROOT  pagent_TTLS.bkup20191118
    File  +755+rwxr-xr-x             pagent_TTLS.conf
    File  755   rwxr-xr-x   BPXROOT  pagent_TTLS.conf.oldcert

I am really interested in what the "+" means in front of the 755 and the permissions rwxr-xr-x. I think it means the file pagent_TTLS.conf is somehow protected externally by RACF but I am not sure. I have not been able to locate a redbook or manual that tells me what the "+" means. In a CHMOD command the + means adding permissions, that I know (or think I know). I am not a z/UNIX guru by any stretch of the imagination. I am hoping someone can enlighten me please. Also if it is externally protected how I could go about displaying the RACF protection or profile or ?? I have a started task that tries to copy in a new version of this file when we do a DR test but my started task fails and I need to do it manually as SuperUser.

Thanks,

FredG.