IBM Z Hardware and Operating Systems Ideas Portal
This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
Shape the future of IBM!
We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:
Search existing ideas
Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,
Post your ideas
Post an idea.
Get feedback from the IBM team and other customers to refine your idea.
Follow the idea through the IBM Ideas process.
Specific links you will want to bookmark for future use
Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.
IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.
ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.
We accept this as an uncommitted candidate. Thank you.
Please give us a general use case scenario that describes your requirement.
-> Answer from my collegue:
Userids with sufficient authority to change another user's private .ssh directory (e.g. via a UNIXPRIV privilege to SUPERUSER.FILESYS) could put their own private key in another user's authorized_key file and after that establish a ssh-session with this other user's userid.
Is it possible you are requesting a method to allow only the user who owns the filesystem directory to access it?
-> yes, that's my request. Superuser should be prevented despite superuser authority to change home directories of other users
We are guessing from your PERMIT example that you mount a separate filesystem for every user's home directory ??? Is that correct?
-> yes, that's correct. Every user has his own sperate home directory.
Please give us a general use case scenario that describes your requirement.
-> I asked my colleague, who suggested protection via fsaccess, to provide detailed Information
Kind regards, Dieter
.Thank you for submitting this requirement. After careful discussions with the development, we request additional information.
Contrary to the statement made in the description, superusers do not have access by default to directories in filesystems protected by an FSACCESS class profile. If RACF supported &RACUID in the access list for the profile, then every user would have that access to the resource.
Is it possible you are requesting a method to allow only the user who owns the filesystem directory to access it? We are guessing from your PERMIT example that you mount a separate filesystem for every user's home directory ??? Is that correct? Please give us a general use case scenario that describes your requirement.
Thank you.