Enabling access via BPXBATCH only ?

Nenad · New User Joined: 06 Nov 2009 Posts: 9 Location: Croatia

Hello,
is there a way to set the RACF security in such way that a user can access USS files only by executing the BPXBATCH utility in JCL?
I.e. the user should have no other options to access/change USS files ...

Regards, Nenad

dick scherrer · Posted: Mon Jul 26, 2010 8:01 pm

Hello,

If a user has permission to update some file, why does the update need to be via BPXBATCH?

Robert Sample · Posted: Mon Jul 26, 2010 8:12 pm

Why not take the easy way out and just not give the user an OMVS segment? Without an OMVS segment they're not going to be updating any USS files.

Considering there are TSO commands (such as OGET, OPUT, OCOPY) plus any job can reference a PATH in its JCL, I really think you are not going to have any luck attempting to restrict USS to just BPXBATCH.

Nenad · New User Joined: 06 Nov 2009 Posts: 9 Location: Croatia

The problem is that we have several users that must be able to execute java applications via BPXBATCH, but they shouldn't be able to login to shell and manually change the outputs of those applications afterward.

This was the internal revision request ....

Regards, Nenad

Robert Sample · Posted: Tue Jul 27, 2010 3:57 pm

If they have access to Java via BPXBATCH, then they have to have an OMVS segment. In which case I know of no way to prevent them from logging on to OMVS as well. And once they are in OMVS, since they have to have access to the directories / files anyway, you won't be able to prevent them from accessing the directories and files.

If your site has a support contract with IBM that allows questions (not all support contracts do), you could open a PMR with IBM to address the issue for sure. Otherwise, I think your answer is that what you want to do cannot be done.

dick scherrer · Posted: Tue Jul 27, 2010 8:39 pm

Hello,

Does USS support the "sticky bit"?

Once upon a time, when i was the sysadmin/dba for several unix systems, the sticky bit was used to run certain executables with the permissions of the executable rather than the user. This was how our database product allowed updates to tables/tablespaces via the db software and not via some other executable or script.

Possibly there could be a copy of BXPBATCH with a different name for this?

And i may be talking about something that cannot be implemented in omvs/uss. . .

Robert Sample · Posted: Tue Jul 27, 2010 9:59 pm

Dick: the sticky bit exists in Unix System Services but I don't think it is used the same way. For a directory, the sticky bit means only the owner (of the directory or the specific file) or a superuser can rename or delete files in the directory. For a file, the sticky bit indicates that the executable should be searched for in the STEPLIB, link pack area, and linklist concatenation. That may imply the same thing -- I haven't used the sticky bit enough to be sure (we had to set it some for Lotus Notes but that's been quite a while).

Nenad · New User Joined: 06 Nov 2009 Posts: 9 Location: Croatia

Hello,

I checked the sticky bit in USS and it doesn't provide needed functionality. Meanwhile we asked IBM as suggested and they suggested using a surrogate user for executing BPXBATCH jobs and permit only the surrogate user to access output files in USS ( CHMOD). We will likely follow that approach.

Regards, Nenad

dbordon · New User Joined: 25 Jan 2007 Posts: 20 Location: Argentina

//MYTEST11 JOB (blablabla),'myself',NOTIFY=&SYSUID,
// CLASS=A,MSGCLASS=A,MSGLEVEL=(1,1)
//*
//BATOMVS EXEC PGM=BPXBATCH,PARM='pgm su admin'
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*
//STDENV DD DUMMY
//*

I would like to do the same thing, i use to have UID=0. RACF admin supress that permission. Now i cannot copy pax PTFs into a OMVS directory to later unpack them and receive it.
RACF admin says that if i submit SU command should grant me someking of temporary access becuase we cannot have UID=0 per security policies.

Submitting that job i receive the following output:
BPXM047I BPXBATCH FAILED BECAUSE SPAWN (BPX1SPN) OF
su FAILED WITH RETURN CODE
00000081 REASON CODE 053B006C.

Appears to not understand SU (swicht user command)

dick scherrer · Posted: Wed Aug 11, 2010 2:47 am

Hello,

Suggest you tell your manager that your access permission has been changed preventing you from doing something needed.

Between the manager and the security people, a solution will be found or this will have to be assigned to someone who can run the process. . .

Robert Sample · Posted: Wed Aug 11, 2010 4:16 am

The system understood your command, but probably was not able to invoke the spawned process. From the Unix System Services Commands manual:

dbordon · New User Joined: 25 Jan 2007 Posts: 20 Location: Argentina

Ok, this is what i did to resolve my problem.

Execute via BPXBATCH a dataset of mine which execute a file inside OMVS that submit the copy comand to copy ptf into omvs.
In another step i unzip the ptfs.

Thanks for your help and sorry that my response tooked me so long.

dick scherrer · Posted: Thu Aug 26, 2010 11:22 pm

Good to hear you have a resolution - thank you for the update

d