z/OS - Group home

#001 Verify setting for SUPERUSER value in BPXPRMxx parmlib member

By Shigeki Kimura posted Wed July 08, 2020 11:07 AM

  
When you upgrade to z/OS V2R4 from V2R2, I would recommend your action in advance to avoid a known problem regarding Binder described below.

Beginning in z/OS V2R3, when RACF is invoked to map UID(0) to a user ID, it returns the same value defined in SUPERUSER keyword of BPXPRMxx parmlib member. This provides a consistent mapping to the user ID owning an object, such as a file or directory, as displayed by the UNIX 'ls -l' command. Prior to z/OS V2R3, use of SUPERUSER user ID was not strict and it was possible to run without it.

As a result of change, user ID value for SUPERUSER must be defined to RACF (or another security product) and have an OMVS segment with a UID of 0. For example, specify OMVS(UID(0)) on RACF ADDUSER command. z/OS MVS Initialization and Tuning Reference manual describes that requirement for many releases, but it has been enforced in z/OS V2R3.
To achieve this, you can define BPXROOT, which is a default SUPERUSER value, or change it to specify something other than BPXROOT if you wish.
ADDUSER BPXROOT DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) NOPASSWORD

You can use the following commands to see if SUPERUSER specified user ID, for example BPXROOT, satisfies the requirement.
LU BPXROOT OMVS NORACF
SEARCH ALL CLASS(USER) UID(0)
Also, a new Health Check called CHECK(IBMUSS,USS_SUPERUSER) is available in z/OS V2R3 to verify the configuration, and if the requirement is not satisfied, exceptional message will be issued with high severity.
BPXH080E A problem was found with the SUPERUSER value of BPXROOT

If SUPERUSER(BPXROOT) is specified by default while not defined to RACF in z/OS V2R3, Binder will fail when applying PTF UJ01705 (USS APAR OA58641), for example.
IEW2821W DF39 UID 0 NOT PROCESSED. UNIX SYSTEM SERVICES FUNCTION GETPWUID RETURNED REASON CODE 0B4F0800 AND RETURN CODE 000000A3.
It means that RACROUTE EXTRACT request was done against BPXROOT after translating UID 0 to a user ID (BPXROOT) and was failed with RACF RC=08 and RSN=00 (No profile defined).
IEW2278I B352 INVOCATION PARAMETERS - LIST,LET,NCAL,XREF,RENT,REUS,AMODE=31,RMODE=ANY,CASE(MIXED),CALL
IEW2322I 1220 1 INCLUDE SMPWRK3(FSUMXTSM) UJ01705 SEQ # 000007
IEW2322I 1220 2 SETSSI 93500185
IEW2322I 1220 3 SETOPT PARM(PATHMODE(4,7,5,5),UID(0))
IEW2322I 1220 4 ORDER CEESTART
IEW2322I 1220 5 ENTRY CEESTART
IEW2322I 1220 6 ALIAS '../tsmail'
IEW2322I 1220 7 NAME FSUMSTSM(R) MAX ACCEPTABLE RC=00
IEW2821W DF39 UID 0 NOT PROCESSED. UNIX SYSTEM SERVICES FUNCTION GETPWUID RETURNED REASON CODE 0B4F0800 AND RETURN CODE 000000A3.
GIM23911E ** LINK-EDIT PROCESSING FOR SYSMOD UJ01705 FAILED FOR MODULE FSUMXTSM IN LMOD FSUMSTSM IN THE SFSUMLIB LIBRARY. THE RETURN CODE (04) EXCEEDED THE ALLOWABLE VALUE.

Hope it helps you.
Thanks!
0 comments
34 views