Enabling access via BPXBATCH only ?
Nenad

New User


Joined: 06 Nov 2009
Posts: 9
Location: Croatia

PostPosted: Mon Jul 26, 2010 5:27 pm    Post subject: Enabling access via BPXBATCH only ?
Hello,
is there a way to set up RACF security in such a way that a user can access USS files only by executing the BPXBATCH utility in JCL?
I.e. the user should have no other way to access/change USS files ...

Regards, Nenad

dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

PostPosted: Mon Jul 26, 2010 8:01 pm    Post subject:

Hello,

If a user has permission to update some file, why does the update need to be via BPXBATCH?
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 7908
Location: Bellevue, IA

PostPosted: Mon Jul 26, 2010 8:12 pm    Post subject:

Why not take the easy way out and just not give the user an OMVS segment? Without an OMVS segment they're not going to be updating any USS files.

Considering there are TSO commands (such as OGET, OPUT, OCOPY) plus any job can reference a PATH in its JCL, I really think you are not going to have any luck attempting to restrict USS to just BPXBATCH.
Nenad

New User


Joined: 06 Nov 2009
Posts: 9
Location: Croatia

PostPosted: Tue Jul 27, 2010 12:02 pm    Post subject:

The problem is that we have several users that must be able to execute Java applications via BPXBATCH, but they shouldn't be able to log in to the shell and manually change the outputs of those applications afterward.

This was the internal revision request ...


Regards, Nenad
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 7908
Location: Bellevue, IA

PostPosted: Tue Jul 27, 2010 3:57 pm    Post subject:

If they have access to Java via BPXBATCH, then they have to have an OMVS segment. In which case I know of no way to prevent them from logging on to OMVS as well. And once they are in OMVS, since they have to have access to the directories / files anyway, you won't be able to prevent them from accessing the directories and files.

If your site has a support contract with IBM that allows questions (not all support contracts do), you could open a PMR with IBM to address the issue for sure. Otherwise, I think your answer is that what you want to do cannot be done.
dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

PostPosted: Tue Jul 27, 2010 8:39 pm    Post subject:

Hello,

Does USS support the "sticky bit"?

Once upon a time, when I was the sysadmin/dba for several Unix systems, the sticky bit was used to run certain executables with the permissions of the executable rather than the user. This was how our database product allowed updates to tables/tablespaces via the db software and not via some other executable or script.

Possibly there could be a copy of BPXBATCH with a different name for this?

And I may be talking about something that cannot be implemented in omvs/uss. . .
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 7908
Location: Bellevue, IA

PostPosted: Tue Jul 27, 2010 9:59 pm    Post subject:

Dick: the sticky bit exists in Unix System Services but I don't think it is used the same way. For a directory, the sticky bit means only the owner (of the directory or the specific file) or a superuser can rename or delete files in the directory. For a file, the sticky bit indicates that the executable should be searched for in the STEPLIB, link pack area, and linklist concatenation. That may imply the same thing -- I haven't used the sticky bit enough to be sure (we had to set it some for Lotus Notes but that's been quite a while).
Nenad

New User


Joined: 06 Nov 2009
Posts: 9
Location: Croatia

PostPosted: Wed Jul 28, 2010 5:34 pm    Post subject:

Hello,

I checked the sticky bit in USS and it doesn't provide the needed functionality. Meanwhile we asked IBM as suggested and they suggested using a surrogate user for executing BPXBATCH jobs and permitting only the surrogate user to access the output files in USS (CHMOD). We will likely follow that approach.

Regards, Nenad
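The surrogate-user arrangement IBM suggested, as an added example that is not part of the original thread: a one-time RACF definition that lets an end user submit work under the surrogate ID, and the job that runs the Java application under that ID with its output restricted to the surrogate. SURUSER, JOBUSER, the account code and the path /u/suruser/app/run.sh are assumed names, and the block assumes the SURROGAT class is already active.

```jcl
//* --- One-time RACF setup, run by a security administrator ---
//* Assumed names: SURUSER is the surrogate ID that has an OMVS
//* segment and owns /u/suruser/app; JOBUSER is an end user with no
//* OMVS segment of his own, so he cannot log on to the shell at all.
//* AUDIT(ALL(READ)) logs every use of the surrogate authority, so the
//* submitting user remains visible in the SMF/RACF audit records.
//RACFSET  JOB (ACCT),'DEFINE SURROGATE',CLASS=A,MSGCLASS=A
//DEFINE   EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RDEFINE  SURROGAT SURUSER.SUBMIT UACC(NONE) AUDIT(ALL(READ))
  PERMIT   SURUSER.SUBMIT CLASS(SURROGAT) ID(JOBUSER) ACCESS(READ)
  SETROPTS RACLIST(SURROGAT) REFRESH
/*
//* --- Job submitted by JOBUSER; USER= makes it run as SURUSER ---
//* No password is coded on the JOB card: RACF accepts the submission
//* only because JOBUSER holds READ on SURUSER.SUBMIT in SURROGAT.
//RUNAPP   JOB (ACCT),'JAVA VIA SURROGATE',CLASS=A,MSGCLASS=A,
//         USER=SURUSER
//* umask 077 makes every file the application creates owner-only
//* (rw-------), so only SURUSER can read or change the output; the
//* end users never hold an OMVS identity that could reach it.
//JAVASTEP EXEC PGM=BPXBATCH,
//         PARM='SH umask 077; /u/suruser/app/run.sh'
//STDOUT   DD  SYSOUT=*
//STDERR   DD  SYSOUT=*
//STDENV   DD  DUMMY
```

Existing output files created before the umask was in place still need a one-time chmod 600 by SURUSER, and the directory itself should be mode 700 so other users cannot list or create entries in it.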
dbordon

New User


Joined: 25 Jan 2007
Posts: 20
Location: Argentina

PostPosted: Wed Aug 11, 2010 1:25 am    Post subject: Reply to: Enabling access via BPXBATCH only ?

//MYTEST11 JOB (blablabla),'myself',NOTIFY=&SYSUID,
// CLASS=A,MSGCLASS=A,MSGLEVEL=(1,1)
//*
//BATOMVS EXEC PGM=BPXBATCH,PARM='pgm su admin'
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*
//STDENV DD DUMMY
//*

I would like to do the same thing; I used to have UID=0. The RACF admin suppressed that permission. Now I cannot copy pax PTFs into an OMVS directory to later unpack them and receive them.
The RACF admin says that if I submit the SU command it should grant me some kind of temporary access, because we cannot have UID=0 per security policies.

Submitting that job I receive the following output:
BPXM047I BPXBATCH FAILED BECAUSE SPAWN (BPX1SPN) OF
su FAILED WITH RETURN CODE
00000081 REASON CODE 053B006C.

It appears not to understand SU (the switch user command).
dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

PostPosted: Wed Aug 11, 2010 2:47 am    Post subject:

Hello,

Suggest you tell your manager that your access permission has been changed preventing you from doing something needed.

Between the manager and the security people, a solution will be found or this will have to be assigned to someone who can run the process. . .
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 7908
Location: Bellevue, IA

PostPosted: Wed Aug 11, 2010 4:16 am    Post subject:

The system understood your command, but probably was not able to invoke the spawned process. From the Unix System Services Commands manual:
Quote:
Because su starts a new interactive shell, it should not be used from a batch interface such as BPXBATCH, unless you provide the commands to be executed under superuser via stdin to the su command.
I'd guess either your BPX_BATCH_SPAWN or your BPX_SHAREAS environment variable is not set to allow your shell script to run in the same address space, which could cause errors.
dbordon

New User


Joined: 25 Jan 2007
Posts: 20
Location: Argentina

PostPosted: Thu Aug 26, 2010 8:48 pm    Post subject: Reply to: Enabling access via BPXBATCH only ?

Ok, this is what I did to resolve my problem.

I execute via BPXBATCH a dataset of mine which executes a file inside OMVS that submits the copy command to copy the PTF into OMVS.
In another step I unzip the PTFs.


Thanks for your help and sorry that my response took me so long.
dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

PostPosted: Thu Aug 26, 2010 11:22 pm    Post subject: Reply to: Enabling access via BPXBATCH only ?

Good to hear you have a resolution - thank you for the update

d