View previous topic :: View next topic
|
Author |
Message |
Nenad
New User
Joined: 06 Nov 2009 Posts: 9 Location: Croatia
|
|
|
|
Hello,
is there a way to set the RACF security in such way that a user can access USS files only by executing the BPXBATCH utility in JCL?
I.e. the user should have no other options to access/change USS files ...
Regards, Nenad |
|
Back to top |
|
|
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006 Posts: 19244 Location: Inside the Matrix
|
|
|
|
Hello,
If a user has permission to update some file, why does the update need to be via BPXBATCH? |
|
Back to top |
|
|
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8697 Location: Dubuque, Iowa, USA
|
|
|
|
Why not take the easy way out and just not give the user an OMVS segment? Without an OMVS segment they're not going to be updating any USS files.
Considering there are TSO commands (such as OGET, OPUT, OCOPY) plus any job can reference a PATH in its JCL, I really think you are not going to have any luck attempting to restrict USS to just BPXBATCH. |
|
Back to top |
|
|
Nenad
New User
Joined: 06 Nov 2009 Posts: 9 Location: Croatia
|
|
|
|
The problem is that we have several users that must be able to execute java applications via BPXBATCH, but they shouldn't be able to login to shell and manually change the outputs of those applications afterward.
This was the internal revision request ....
Regards, Nenad |
|
Back to top |
|
|
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8697 Location: Dubuque, Iowa, USA
|
|
|
|
If they have access to Java via BPXBATCH, then they have to have an OMVS segment. In which case I know of no way to prevent them from logging on to OMVS as well. And once they are in OMVS, since they have to have access to the directories / files anyway, you won't be able to prevent them from accessing the directories and files.
If your site has a support contract with IBM that allows questions (not all support contracts do), you could open a PMR with IBM to address the issue for sure. Otherwise, I think your answer is that what you want to do cannot be done. |
|
Back to top |
|
|
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006 Posts: 19244 Location: Inside the Matrix
|
|
|
|
Hello,
Does USS support the "sticky bit"?
Once upon a time, when i was the sysadmin/dba for several unix systems, the sticky bit was used to run certain executables with the permissions of the executable rather than the user. This was how our database product allowed updates to tables/tablespaces via the db software and not via some other executable or script.
Possibly there could be a copy of BXPBATCH with a different name for this?
And i may be talking about something that cannot be implemented in omvs/uss. . . |
|
Back to top |
|
|
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8697 Location: Dubuque, Iowa, USA
|
|
|
|
Dick: the sticky bit exists in Unix System Services but I don't think it is used the same way. For a directory, the sticky bit means only the owner (of the directory or the specific file) or a superuser can rename or delete files in the directory. For a file, the sticky bit indicates that the executable should be searched for in the STEPLIB, link pack area, and linklist concatenation. That may imply the same thing -- I haven't used the sticky bit enough to be sure (we had to set it some for Lotus Notes but that's been quite a while). |
|
Back to top |
|
|
Nenad
New User
Joined: 06 Nov 2009 Posts: 9 Location: Croatia
|
|
|
|
Hello,
I checked the sticky bit in USS and it doesn't provide needed functionality. Meanwhile we asked IBM as suggested and they suggested using a surrogate user for executing BPXBATCH jobs and permit only the surrogate user to access output files in USS ( CHMOD). We will likely follow that approach.
Regards, Nenad |
|
Back to top |
|
|
dbordon
New User
Joined: 25 Jan 2007 Posts: 20 Location: Argentina
|
|
|
|
//MYTEST11 JOB (blablabla),'myself',NOTIFY=&SYSUID,
// CLASS=A,MSGCLASS=A,MSGLEVEL=(1,1)
//*
//BATOMVS EXEC PGM=BPXBATCH,PARM='pgm su admin'
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*
//STDENV DD DUMMY
//*
I would like to do the same thing, i use to have UID=0. RACF admin supress that permission. Now i cannot copy pax PTFs into a OMVS directory to later unpack them and receive it.
RACF admin says that if i submit SU command should grant me someking of temporary access becuase we cannot have UID=0 per security policies.
Submitting that job i receive the following output:
BPXM047I BPXBATCH FAILED BECAUSE SPAWN (BPX1SPN) OF
su FAILED WITH RETURN CODE
00000081 REASON CODE 053B006C.
Appears to not understand SU (swicht user command) |
|
Back to top |
|
|
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006 Posts: 19244 Location: Inside the Matrix
|
|
|
|
Hello,
Suggest you tell your manager that your access permission has been changed preventing you from doing something needed.
Between the manager and the security people, a solution will be found or this will have to be assigned to someone who can run the process. . . |
|
Back to top |
|
|
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8697 Location: Dubuque, Iowa, USA
|
|
|
|
The system understood your command, but probably was not able to invoke the spawned process. From the Unix System Services Commands manual:
Quote: |
Because su starts a new interactive shell, it should not be used from a batch interface such as BPXBATCH, unless you provide the commands to be executed under superuser via stdin to the su command. |
I'd guess either your BPX_BATCH_SPAWN or BPX_SHAREAS environment variables are not set to allow your shell script to run in the same address space, which could cause errors. |
|
Back to top |
|
|
dbordon
New User
Joined: 25 Jan 2007 Posts: 20 Location: Argentina
|
|
|
|
Ok, this is what i did to resolve my problem.
Execute via BPXBATCH a dataset of mine which execute a file inside OMVS that submit the copy comand to copy ptf into omvs.
In another step i unzip the ptfs.
Thanks for your help and sorry that my response tooked me so long. |
|
Back to top |
|
|
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006 Posts: 19244 Location: Inside the Matrix
|
|
|
|
Good to hear you have a resolution - thank you for the update
d |
|
Back to top |
|
|
|