bs2fs file systems permit access to files in BS2000. You can prevent unauthorized accesses using the various protection mechanisms of BS2000 and POSIX. The following protection mechanisms are available:
User administration (BS2000)
File access protection (BS2000 and POSIX)
Access rights in the bs2fs file system
Users always have the same access rights in the bs2fs file system as in BS2000. They can therefore only perform the same types of access (read, write, execute) to a file or library element which they would also be permitted to perform in native BS2000.
Access restrictions can occur in individual cases. If, for instance, a file is protected by a password or guard, it is possible that a POSIX user is forbidden from using an access which they would be permitted to use as a BS2000 user.
The table below provides an overview of the access rights required for the various accesses:
Access | Object | Rights required for access
--- | --- | ---
Create | File | Owner (userid) of the file system
Create | Library element | Write and read permission for the library and also administration
Open for reading | File | Read permission for the file
Open for reading | Library element | Read permission for the library and read permission for the element
Open for writing | File | Write and read permission for the file
Open for writing | Library element | Write and read permission for the library and write permission for the element
Delete | File | Owner (userid) of the file system and write permission for the file
Delete | Library element | Write and read permission for the library and also administration
Rename | File/library element | Deletion rights are required for the source and creation rights for the target
The rights defined with Basic Access Control Lists (BACLs) or ACCESS and USER-ACCESS apply for all other accesses.
By default the TSOS ID has the same rights as the owner of a file or a PLAM library.
No special rights are assigned to the SYSROOT ID for accessing objects in bs2fs file systems.
Application recommendations
The following recommendations apply to ensure that the files and library elements which are mounted in a bs2fs file system can be accessed by a POSIX user:
If a user is to be permitted to execute a file or library element, at least read permission must be set for them. The user must also have read permission in order to open a file or a library element in write mode without truncating it (e.g. open with O_WRONLY but without O_TRUNC). Read permission may not be withdrawn from the user if the object is protected by a guard.
If a user is to be permitted to read, write or execute a file or a library element, the relevant access may not be protected by a password.
To permit write access to a file or library element, or to permit it to be deleted, the object may not be protected by an expiration date (EXPIRATION-DATE) which is later than the current date.
For each access to library elements, to their properties or to the directory of a library a user requires at least read permission for the library.
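The rights table above and the application recommendations together form one decision rule for every access a POSIX user attempts through bs2fs. The following Python model is an added example (it is not code from the BS2000 manual or from Fujitsu) that encodes both: the table rows decide which BS2000 rights an access needs, and the recommendations add the password, guard, expiration-date and library-read conditions that block a POSIX user even when the rights are present. The right names `read`, `write` and `admin` (for the library administration right the table mentions), the `Bs2Object` model and all sample objects and dates are assumptions constructed for this example; the real checks are made by BS2000 itself.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class Bs2Object:
    """A BS2000 file or PLAM library element as seen through bs2fs (constructed model)."""
    kind: str                                           # "file" or "element"
    rights: Set[str] = field(default_factory=set)       # user's rights on the file, or on the library
    elem_rights: Set[str] = field(default_factory=set)  # user's rights on the element itself (elements only)
    password: Set[str] = field(default_factory=set)     # accesses the BS2000 object protects with a password
    guard: bool = False                                 # object protected by a guard
    expiration: Optional[date] = None                   # EXPIRATION-DATE, if one is set


# "admin" is an assumed name for the library administration right the table mentions.
ELEMENT_CREATE_OR_DELETE = {"read", "write", "admin"}


def check_access(access: str, obj: Bs2Object, user: str, fs_owner: str,
                 today: date) -> Tuple[bool, List[str]]:
    """Decide whether a POSIX user may perform `access` on `obj` via bs2fs.

    access is one of "create", "read", "write", "exec", "delete".
    Returns (allowed, reasons); reasons names every rule that blocked the access.
    """
    reasons: List[str] = []
    is_file = obj.kind == "file"

    # Rows of the rights table.
    if access == "create":
        if is_file and user != fs_owner:
            reasons.append("only the owner (userid) of the file system may create files")
        if not is_file and not ELEMENT_CREATE_OR_DELETE <= obj.rights:
            reasons.append("creating an element needs read, write and administration rights on the library")
    elif access == "read":
        if "read" not in obj.rights:
            reasons.append("read permission for the file or library missing")
        if not is_file and "read" not in obj.elem_rights:
            reasons.append("read permission for the element missing")
    elif access == "write":
        if not {"read", "write"} <= obj.rights:
            reasons.append("opening for writing needs write and read permission for the file or library")
        if not is_file and "write" not in obj.elem_rights:
            reasons.append("write permission for the element missing")
    elif access == "delete":
        if is_file and (user != fs_owner or "write" not in obj.rights):
            reasons.append("deleting a file needs file-system ownership and write permission")
        if not is_file and not ELEMENT_CREATE_OR_DELETE <= obj.rights:
            reasons.append("deleting an element needs read, write and administration rights on the library")
    elif access == "exec":
        if "read" not in obj.rights or (not is_file and "read" not in obj.elem_rights):
            reasons.append("execution needs at least read permission")
    else:
        raise ValueError(f"unknown access type: {access}")

    # Application recommendations: BS2000 protection that blocks the POSIX user
    # even when the rights above are present.
    if not is_file and "read" not in obj.rights:
        reasons.append("every element access needs read permission for the library")
    if access in obj.password:
        reasons.append("the access is password-protected in BS2000")
    if obj.guard and "read" not in obj.rights:
        reasons.append("read permission withdrawn on a guard-protected object")
    if access in ("write", "delete") and obj.expiration and obj.expiration > today:
        reasons.append("EXPIRATION-DATE is later than the current date")
    return (not reasons, reasons)


def check_rename(src: Bs2Object, user: str, fs_owner: str, today: date) -> Tuple[bool, List[str]]:
    """Rename needs deletion rights on the source and creation rights on the target."""
    ok_del, del_reasons = check_access("delete", src, user, fs_owner, today)
    # The target is created in the same file system or library, so it carries the same rights.
    target = Bs2Object(src.kind, rights=set(src.rights))
    ok_cre, cre_reasons = check_access("create", target, user, fs_owner, today)
    return (ok_del and ok_cre, del_reasons + cre_reasons)


# Constructed sample objects and date; none of these come from the manual.
TODAY = date(2024, 1, 15)
SAMPLE_FILE = Bs2Object("file", rights={"read", "write"})
EXPIRING_FILE = Bs2Object("file", rights={"read", "write"}, expiration=date(2030, 1, 1))
PW_FILE = Bs2Object("file", rights={"read"}, password={"read"})
WRITE_ONLY_FILE = Bs2Object("file", rights={"write"})
GUARDED_FILE = Bs2Object("file", rights={"read"}, guard=True)
ELEMENT = Bs2Object("element", rights={"read"}, elem_rights={"read"})
ADMIN_ELEMENT = Bs2Object("element", rights={"read", "write", "admin"},
                          elem_rights={"read", "write"})

if __name__ == "__main__":
    cases = [("read", "read", SAMPLE_FILE), ("write w/o read", "write", WRITE_ONLY_FILE),
             ("expiring write", "write", EXPIRING_FILE), ("pw read", "read", PW_FILE)]
    for label, access, obj in cases:
        ok, why = check_access(access, obj, "user1", "owner", TODAY)
        print(f"{label:15} -> {'allowed' if ok else 'denied: ' + '; '.join(why)}")
```

The function deliberately collects every failed rule rather than stopping at the first one, so an audit of a mounted file system can report all reasons a POSIX user is locked out (for example a missing read right and a future EXPIRATION-DATE at the same time), which is what an administrator needs when adjusting BS2000 protection for bs2fs use.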