T 5.122 Misuse of RACF attributes in z/OS

In the z/OS security system RACF, the attributes SPECIAL, OPERATIONS, and AUDITOR have special, high level authorisations.

SPECIAL attribute

The ID with the SPECIAL attribute is necessary for the administration of the RACF security system. The owner of this attribute can change settings in the RACF. This attribute gives the users, for instance, access to system resources and files. The owner of the authorisation can grant him-/herself rights to all resources and files in the system. He/she can also assign the attributes listed below to all user IDs.

A possible vulnerability is in the use of system monitors that, using program routines with a high level of authorisation can give their own ID the SPECIAL attribute. Users with access to the system monitors can exploit this situation, given appropriate RACF rights, to give their own ID higher level access rights.

OPERATIONS attribute

The ID with the OPERATIONS attribute is primarily needed for the space management in the z/OS system. It includes the rights for copying, reading, deleting or the addition of files, without the need to have granted an explicit right for the file and the user ID. In principle, this situation makes it possible for a user to misuse the OPERATIONS attribute for unauthorised data access.

AUDITOR attribute

Auditors are intended to be able to detect, track and check security-related events. With this authorisation, changes to RACF definitions are only possible for audit-related definitions (unlike SPECIAL), i.e. higher level authorisation cannot be achieved with this attribute. However, the AUDITOR attribute implies the risk that extensive information on the system, e.g. all RACF settings, could be obtained.

Examples: