Saturday, February 19, 2011

Capturing PKTTRACE output for review

See II12136.TXT in this directory


Sample obeyfile members:
------------------------
DSN=SYS1.TCPPARMS(PKTTR@ON)
PKTTRACE ON LINKNAME=* IP=146.203.1.20 DESTPORT=25 SRCPORT=* PROT=* FULL

DSN=SYS1.TCPPARMS(PKTTR@ON)
PKTTRACE OFF LINKNAME=* IP=146.203.1.20

Sample writer proc:
-------------------
DSN=SYS1.PROCLIB(CTWRTR)
//CTWRTR PROC DSN=SYS1.TCPIP.CTRACE
//IEFPROC EXEC PGM=ITTTRCWR,REGION=5M,TIME=1200
//TRCOUT01 DD DISP=(NEW,CATLG),DSN=&DSN,
// UNIT=SYSALLDA,SPACE=(CYL,(50),,CONTIG)
//SYSPRINT DD SYSOUT=V

Sample Trace Formatter JCL:
---------------------------
//STEP001 EXEC PGM=IKJEFT01,REGION=6M,TIME=1200,DYNAMNBR=200
//STEPLIB DD DISP=SHR,DSN=SYS1.TCPIP.SEZALINK
// DD DISP=SHR,DSN=SYS1.TCPIP.SEZAMIG
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//IPCSDDIR DD DISP=SHR,DSN=&SYSUID..DDIR
//IPCSTOC DD SYSOUT=*
//IPCSPRNT DD SYSOUT=*
//DUMP DD DISP=SHR,DSN=&SYSUID..CTRACE.OUTPUT
//SYSTSIN DD *
IPCS
DROPDUMP DDNAME(DUMP)
SETDEF DSNAME('&SYSUID..ctrace.output') NOCONFIRM
CTRACE COMP(SYSTCPDA) FULL
END
/*
//


II12014
-------

Packet trace and Ctrace can be written to either an
external writer or to the TCPIP dataspace(TCPIPDS1) - the
dataspace is the default.

If dataspace (INTERNAL) tracing is desired, proceed to the
dataspace section (SECTION 5).

If an external writer is desired, proceed to the starting
writer step (SECTION 1).


***** SECTION 1 ** STARTING WRITER STEP *****************

To have packet trace or Ctrace written to an
external writer dataset, a writer proc first needs to be
created. This proc either needs to be in SYS1.PROCLIB or
in a library concatenated in the MASTER JCL.
Sample writer proc:

//CTWTR1 PROC
//IEFPROC EXEC PGM=ITTTRCWR
//TRCOUT01 DD DSNAME=IBMUSER.CTRACE1,VOL=SER=xxxxxx,
// UNIT=xxxxx,SPACE=(CYL,(xxx),,CONTIG),
// DISP=(NEW,CATLG)
//SYSPRINT DD SYSOUT=*

1.1) The following step starts the external writer to the
CTRACE Component in order for it to be used for Tracing if
you do not want to have the traces written internally to
the TCPIP dataspace(TCPIPDS1). This starting of the writer
can be used for multiple components, for instance packet
trace(SYSTCPDA) and ctrace (SYSTCPIP).

TRACE CT,WTRSTART=CTWTR1

Once the writer has been successfully attached you can
proceed with starting the trace(s) you need to run.
If you want to run a CTRACE and PACKET trace using the
same writer proceed to the Multiple Trace Step. If Packet
alone is required proceed to Packet Trace Step. If Ctrace
(SYSTCPIP) is required proceed to CTRACE STEP.


***** SECTION 2 ** PKTTRACE STEP (component SYSTCPDA) ***


2.0) The following step starts the external writer to the
CTRACE Component in order for it to be used for Tracing if
you do not want to have the traces written internally to
the TCPIP dataspace(TCPIPDS1). This starting of the writer
can be used for multiple components, for instance packet
trace(SYSTCPDA) and ctrace (SYSTCPIP).

TRACE CT,WTRSTART=CTWTR1

Once the writer has been successfully attached you can
proceed with starting the trace(s) you need to run.
If you want to run a CTRACE and PACKET trace using the
same writer proceed to the Multiple Trace Step. If Packet
alone is required proceed to Packet Trace Step. If Ctrace
(SYSTCPIP) is required proceed to CTRACE STEP.

2.1) This step starts Ctrace and gives it a component to use
for tracing. The Required reply attaches the external
writer that was previously started so it can be used to
write the Packet trace records.

TRACE CT,ON,COMP=SYSTCPDA,SUB=(tcpipprocname)

R xx,WTR=CTWTR1,END

2.2) Verify that Trace started successfully:

D TRACE,COMP=SYSTCPDA,SUB=(tcpipprocname)

2.3) This step starts the packet trace processing in TCPIP.
Without this step packets cannot be captured by the
ctrace component.

V TCPIP,tcpipprocname,PKT,ON,IP=xx.xx.xx.xx

or

v TCPIP,tcpipprocname,OBEYFILE,dsname(member)

2.4) recreate problem .....

2.5) stopping Packet trace:

V TCPIP,tcpipprocname,PKT,OFF

2.6) Disconnect the external writer:

TRACE CT,ON,COMP=SYSTCPDA,SUB=(tcpipprocname)

R xx,WTR=DISCONNECT,END

2.7) stop external writer:

TRACE CT,OFF,COMP=SYSTCPDA,SUB=(tcpipprocname)

TRACE CT,WTRSTOP=CTWTR1,FLUSH


***** SECTION 3 ** CTRACE STEP (component SYSTCPIP) ****

3.1) This step starts Ctrace and gives it a component to use
for tracing. The Required reply attaches the external
writer that was previously started so it can be used to
write the CTRACE records.

TRACE CT,ON,COMP=SYSTCPIP,SUB=(tcpipprocname)

R xx,WTR=CTWTR1,OPTIONS=(XXXX,XXXX),END

Note: For certain problems you should use the jobname of the
application when running ctrace (SYSTCPIP). Trace options
that should use jobname are (PFS,SOCKET,ENGINE,TCP).
Valid options are contained in parmlib member CTIEZB00.

3.2) Verify Trace was started successfully:

D TRACE,COMP=SYSTCPIP,SUB=(tcpipprocname)

3.3) Recreate problem........

3.4) Stop Ctrace comp(systcpip) and disconnect writer

TRACE CT,ON,COMP=SYSTCPIP,SUB=(tcpipprocname)

R xx,WTR=DISCONNECT,END

3.5) Stop ctrace writer

TRACE CT,OFF,COMP=SYSTCPIP,SUB=(tcpipprocname)
TRACE CT,WTRSTOP=CTWTR1,FLUSH


***** SECTION 4 ** MULTIPLE TRACE STEP ******************

4.1) Start traces

TRACE CT,ON,COMP=SYSTCPIP,SUB=(tcpipprocname)
R xx,WTR=CTWTR1,OPTIONS=(XXXX,XXXX),END
TRACE CT,ON,COMP=SYSTCPDA,SUB=(tcpipprocname)
R xx,WTR=CTWTR1,END

NOTE: You may use multiple writers (i.e. one for SYSTCPIP
and one for SYSTCPDA)

4.2) Verify that Trace started successfully:

D TRACE,COMP=SYSTCPDA,SUB=(tcpipprocname)
D TRACE,COMP=SYSTCPIP,SUB=(tcpipprocname)

4.3) This step starts the packet trace processing in TCPIP.
Without this step packets cannot be captured by the
ctrace component.

V TCPIP,tcpipprocname,PKT,ON,IP=xx.xx.xx.xx

4.4) Recreate failure............

4.5) Stop traces and writers:
stopping Packet trace:

V TCPIP,tcpipprocname,PKT,OFF

4.6) Disconnect the external writer:

TRACE CT,ON,COMP=SYSTCPDA,SUB=(tcpipprocname)

R xx,WTR=DISCONNECT,END

4.7) stop external writer:

TRACE CT,OFF,COMP=SYSTCPDA,SUB=(tcpipprocname)

4.8) Stop Ctrace comp(systcpip) and disconnect writer

TRACE CT,ON,COMP=SYSTCPIP,SUB=(tcpipprocname)

R xx,WTR=DISCONNECT,END

4.9) Stop ctrace writer

TRACE CT,OFF,COMP=SYSTCPIP,SUB=(tcpipprocname)
TRACE CT,WTRSTOP=CTWTR1,FLUSH


***** SECTION 5 ** DATASPACE SECTION ********************

The first step in collecting traces to the dataspace is to
ensure that the bufsize in CTIEZB00 in parmlib is set to
at least 8MB. It may need to be set higher depending on
the amount of trace data desired, but 8MB should be a good
starting point. TCPIP will need to be restarted for the
change in bufsize to take effect.
The starting writer step can be skipped as it is not
needed when writing to the dataspace. The trace data will
be captured via an MVS DUMP COMM command that dumps
the TCPIP dataspace named TCPIPDS1. Be aware that this
method may result in lost trace data, as wrapping is
very possible. The dump command should be
issued very soon after the problem happens, or the dumps
should be collected via a trap or SLIP provided by the
support center.

5.1) Starting Ctrace comp(SYSTCPIP):

TRACE CT,ON,COMP=SYSTCPIP,SUB=(tcpipprocname)

R XX,OPTIONS=(XXX,XXX),END

5.2) recreate problem.....

5.3) Stop Ctrace comp(SYSTCPIP):

TRACE CT,OFF,COMP=SYSTCPIP,SUB=(tcpipprocname)

5.4) Starting packet trace comp(SYSTCPDA):

TRACE CT,ON,COMP=SYSTCPDA,SUB=(tcpipprocname)

5.5) This step starts the packet trace processing in TCPIP.
Without this step packets cannot be captured by the
ctrace component.

V TCPIP,tcpipprocname,PKT,ON,IP=xx.xx.xx.xx

5.6) recreate problem...............

5.7) Stop Packet trace comp(SYSTCPDA):

V TCPIP,tcpipprocname,PKT,OFF,IP=xx.xx.xx.xx

TRACE CT,OFF,COMP=SYSTCPDA,SUB=(tcpipprocname)

5.8) Collect Dump of TCPIP Dataspace and TCPIP address space:
Issue the following MVS command from the system console:

DUMP COMM=('text')

R xx,JOBNAME=(tcpipprocname),DSPNAME=('tcpipprocname'.*),
SDATA=(ALLNUC,CSA,LPA,LSQA,RGN,SWA,SQA,TRT),END


****** SECTION 6 ** PKTTRACE PARMS **********************

There are 2 ways to add parms to the SYSTCPDA CTRACE
(PKTTRACE). The 1st way will AND the parms together and
the 2nd way will OR the parms together:

1) V TCPIP,tcpipproc,PKT,SRCP=21,DEST=1236

In this example only packets with source port=21 *and*
destination port=1236 are traced.

2) V TCPIP,tcpipproc,PKT,SRCP=21
V TCPIP,tcpipproc,PKT,DEST=1236
Note! 2 VARY commands

In this example packets with source port=21,
regardless of dest port, *and* packets with dest
port=1236, regardless of source port, are traced.
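
The AND/OR behaviour described above, modelled as an added example (not part of the original notes or of IBM's code). The operand spellings SRCP and DEST are taken from the commands on this page; the function names, field names and the four sample packets are constructed for illustration.

```python
from dataclasses import dataclass

# Operand spellings as used on this page; the field names are this model's own.
FIELD_FOR_KEYWORD = {"SRCP": "src_port", "DEST": "dst_port"}


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int


def parse_vary(command):
    """'V TCPIP,proc,PKT,SRCP=21,DEST=1236' -> {'src_port': 21, 'dst_port': 1236}."""
    parts = [p.strip() for p in command.split(",")]
    if len(parts) < 4 or parts[2].upper() != "PKT":
        raise ValueError(f"not a filtered packet trace VARY: {command!r}")
    criteria = {}
    for operand in parts[3:]:
        keyword, _, value = operand.partition("=")
        field = FIELD_FOR_KEYWORD.get(keyword.upper())
        if field is None or not value.isdigit():
            # Refuse rather than skip: dropping a criterion widens the capture.
            raise ValueError(f"unsupported operand {operand!r}")
        criteria[field] = int(value)
    return criteria


def is_traced(packet, commands):
    """Operands of one VARY are ANDed; separate VARY commands are ORed."""
    entries = [parse_vary(c) for c in commands]
    return any(
        all(getattr(packet, field) == value for field, value in entry.items())
        for entry in entries
    )


ONE_VARY = ["V TCPIP,tcpipproc,PKT,SRCP=21,DEST=1236"]
TWO_VARYS = ["V TCPIP,tcpipproc,PKT,SRCP=21",
             "V TCPIP,tcpipproc,PKT,DEST=1236"]

# Constructed sample packets covering every combination of match / no match.
SAMPLE_PACKETS = [Packet(21, 1236), Packet(21, 5000),
                  Packet(4000, 1236), Packet(4000, 5000)]


def compare():
    """Return (packet, traced by way 1, traced by way 2) for each sample."""
    return [(p, is_traced(p, ONE_VARY), is_traced(p, TWO_VARYS))
            for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for packet, way1, way2 in compare():
        print(f"{packet}: one VARY={way1}  two VARYs={way2}")
```

The two-command form traces three of the four sample packets, the one-command form only one, which matters when the trace is taken with FULL and the extra packets carry payload.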

RACF related document

- Logical consoles

To get CONSOLE to work in REXX you may have to grant yourself some
authority.

PERMIT CONSOLE CLASS(TSOAUTH) ID(userid) ACCESS(READ)

and maybe

PERMIT OPER CLASS(TSOAUTH) ID(userid) ACCESS(READ)

then

SETROPTS RACLIST(TSOAUTH) REFRESH

To use the RVARY SWITCH command you go one step further:

ALTUSER userid OPERPARM(AUTH(MASTER) LEVEL(ALL) CMDSYS(*) +
MSCOPE(*ALL) ALTGRP(MASTER))

- RVARY Passwords

The master console can respond 'YES' to the prompt. Useful if you don't know the password. If someone with SPECIAL was on they could have issued the SETROPTS RVARYPW command. Remotely you can follow .001 to be in a position to make yourself a master console.

- %RACFINFO pretty good at showing authority


This nifty rexx code is good at finding what authority a user has.

/****************************REXX***********************************/
/* Source: http://www.xephon.com/arcinframe.php//f002a04 */
/* Modified: Kenneth E Tomiak - use setr list to get active */
/* classes to be used instead of GRINDD. */
/* DOC: To execute this exec, enter the command followed by two */
/* parms (USER INFOALL). The USER should be the RACF userid */
/* of whom information is requested. INFOALL MUST BE EQUAL */
/* to ALL to generate full security information. Otherwise, */
/* set INFOALL to NOT or blank. */
/* *** YOU MUST BE AUTHORIZED TO ISSUE THE SEARCH COMMAND *** */
/* *** YOU MUST BE AUTHORIZED TO ISSUE THE SETR LIST COMMAND */
/****************************REXX***********************************/
arg USER INFOALL
if sysvar(syspref) = "" then
  do
    address tso "profile prefix("sysvar(sysuid)")"
    prfxon = on
  end
/******************* RACF User ***********************************/
title1 = " " || USER || " INFORMATION "
say center(title1,75,"*")
say ""
address tso "LISTUSER" USER "CICS DCE DFP EIM",
  "KERB LANGUAGE LNOTES NDS NETVIEW",
  "OMVS OPERPARM OVM PROXY TSO WORKATTR"
say ""
/******************* RACF USER DATASET PROFILE *********************/
title1 = "DATASET PROFILE"
say center(title1,75,"*")
say ""
address tso "LISTDSD ALL DATASET('"user".**')"
say ""
/******************* RACF GROUPS ***********************************/
title1 = " GROUPS " || USER || " ADMINISTERS "
say center(title1,75,"*")
say ""
if INFOALL = "ALL" then
  do
    address tso "SEARCH USER(" USER ") CLASS(GROUP) CLIST('LG ')"
    "ALLOC FILE(RACFEXEC)",
      "DATASET('"sysvar(SYSPREF)".EXEC.RACF.CLIST') SHR REUSE"
    "EXECIO * DISKR RACFEXEC (FINIS STEM RACFCMD."
    "FREE FILE(RACFEXEC)"
    if (RACFCMD.0 > 1) then,
      do
        say ""
        title1 = " GROUP DETAIL INFORMATION "
        say center(title1,75,"*")
        say ""
        address tso "EXEC '"sysvar(SYSPREF)".EXEC.RACF.CLIST'"
        say ""
      end
  end
else
  do
    address tso "SEARCH USER(" USER ") CLASS(GROUP)"
  end
/******************* RACF DATASETS *********************************/
title1 = " DATASETS ACCESSIBLE BY " || USER || " "
say center(title1,75,"*")
say ""
if INFOALL = "ALL" then
  do
    address tso "SR USER("USER") LIST NOMASK CLIST('LD DA(' ') AUTH')"
    "ALLOC FILE(RACFEXEC)",
      "DATASET('"sysvar(SYSPREF)".EXEC.RACF.CLIST') SHR REUSE"
    "EXECIO * DISKR RACFEXEC (FINIS STEM RACFCMD."
    "FREE FILE(RACFEXEC)"
    if (RACFCMD.0 > 1) then,
      do
        say ""
        title1 = " DATASET ACCESS DETAIL INFORMATION "
        say center(title1,75,"*")
        say ""
        address tso "EXEC '"sysvar(SYSPREF)".EXEC.RACF.CLIST'"
        say ""
      end
  end
else
  do
    address tso "SR USER("USER") LIST NOMASK"
  end
/******************* RACF GENERAL RESOURCES ************************/
call get_active_classes
do gr_x = 1 to grindd.0
  record = grindd.gr_x
  record = substr(record,1,8)
  title1 = " GENERAL RESOURCE "||record||,
    " ACCESSIBLE BY "||USER||" "
  say center(title1,75,"*")
  if INFOALL = "ALL" then
    do
      say ""
      address tso "SR USER("USER") CLASS("record") CLIST('RL ",
        record" ' ' AUTH')"
      "ALLOC FILE(RACFEXEC)",
        "DATASET('"sysvar(SYSPREF)".EXEC.RACF.CLIST') SHR REUSE"
      "EXECIO * DISKR RACFEXEC (FINIS STEM RACFCMD."
      "FREE FILE(RACFEXEC)"
      if (RACFCMD.0 > 1) then,
        do
          say ""
          title1 = " GENERAL RESOURCE "||,
            record||" DETAIL INFORMATION "
          say center(title1,75,"*")
          say ""
          address tso "EXEC '"sysvar(SYSPREF)".EXEC.RACF.CLIST'"
          say ""
        end
    end
  else
    do
      address tso "SR USER("USER") CLASS("record")"
    end
end
/******************* END OF EXEC ***********************************/
if prfxon = on then
  address tso "PROFILE NOPREFIX"
exit
/******************* issue setr list to get active classes *********/
get_active_classes:
  quiet = OutTrap("RACF.")
  "SETROPTS LIST"
  quiet = OutTrap("OFF")
  process = "Off"
  r_x = 0

  do racf_x = 1 to racf.0
    setr = racf.racf_x
    if (pos("ACTIVE CLASSES =",setr) > 0) then,
      do
        process = "ON"
        parse var setr junk "=" setr
      end
    if ((process = "ON") & (left(setr,1) >< "")) then,
      do
        Leave
      end
    if (process = "Off") then iterate
    do while setr >< ""
      parse var setr res " " setr
      if ((res = "DATASET") | (res = " ") | (res = "")) then,
        iterate
      if ((res = "USER") | (res = "GROUP")) then,
        iterate
      r_x = r_x + 1
      grindd.r_x = res
    end
  end
  grindd.0 = r_x
return

- Debugging FID errors (UNIX System Services)


How to debug FID errors:

Understand the RACF message, it shows the pathname/filename
you were attempting to act upon. The FID represents the actual
object where you failed. The object could be any sub-directory
in the pathname or the file itself.

Example:
========

What the ftp client saw:

550 Unable to delete /tmp/IPC0010605200601.dat (Rc = 111).

550 is an FTP result code
  |== Req action not taken, not found
 |=== file system
|==== permanent negative completion

111 is a Unix System Services reason.
|||= permission is denied

What SYSLOG shows:

/IDAT/tmp = 01E2E8E2F0F0F6000301000000000003
ICH408I USER(CISTINT ) GROUP(INTRFACE) NAME(CIS+ TEST INTERFACE )
/tmp/IPC0010605200601.dat
CL(FSOBJ ) FID(01E2E8E2F0F0F6000301000000000003)
INSUFFICIENT AUTHORITY TO UNLINK
EFFECTIVE UID(0000000111) EFFECTIVE GID(0000778053)

What can you do:

1) First get your hands on IBM's auditid from:
http://www-304.ibm.com/jct03004c/servers/eserver/zseries/zos/... +
.../unix/bpxa1toy.html

2) and place it in your z/OS Unix System Services world:
/u/youruserid/auditid

3) Make sure you can execute it:
chmod u+x /u/youruserid/auditid

4) Find the file matching the FID:
/u/youruserid/auditid 01E2E8E2F0F0F6000301000000000003
Hope it turns up.

# /u/ket2812/auditid 01E2E8E2F0F0F6000301000000000003
Audit id 01E2E8E2F0F0F6000301000000000003 not found
#

5) If not, then it isn't the file that is a problem
and you should use the pathname instead:
/u/youruserid/auditid /tmp
a) If it works:

# /u/ket2812/auditid /tmp/IPC0010605200601.dat
/IDAT/tmp/IPC0010605200601.dat
01E2E8E2F0F0F5000406000000000003 /
01E2E8E2F0F0F5000C1D000000000003 /IDAT
01E2E8E2F0F0F6000301000000000003 /IDAT/tmp <==== This one matches
#

Now scroll down through the entries until you find the
FID. On the right is the sub-directory where you ran into trouble.

b) When it fails:

# /u/ket2812/auditid /tmp/sombogusdir/filetofind
Syntax: auditid
or auditid <32>

Keep removing the last sub-directory name until it does work.
At that point you know which sub-directories you are missing.

# /u/ket2812/auditid /tmp/sombogusdir/filetofind
# /u/ket2812/auditid /tmp/sombogusdir
# /u/ket2812/auditid /tmp

6) Now you list one level up and check the permission bits:
ls -l /

lrwxrwxrwx 1 OMVSKERN OMVSGRP 12 Dec 10 2002 /tmp -> $SYSNAME/t
||  |  |     |        |
||  |  |     |        +== First GROUP found matching GUID
||  |  |     +=========== First USERID found matching UID
||  |  +== Other (-r,-w,-x|s)
||  +===== Group (-r,-w,-x|s)
|+======== Owner (-r,-w,-x|s)
+========= Object type (L,D,F)

r=read
w=write
x=execute
s=set-on-execute

7) If this is a link then you need to list one level up from
the truename as shown in the output of the auditid:

# /u/ket2812/auditid /IDAT/tmp
/IDAT/tmp <== truename
01E2E8E2F0F0F5000406000000000003 /
01E2E8E2F0F0F5000C1D000000000003 /IDAT
01E2E8E2F0F0F6000301000000000003 /IDAT/tmp

# ls -l /IDAT
drwxrwxrwt 7 OMVSKERN OMVSGRP 36864 Jan 29 10:24 tmp
         |= Other
           t = execute and sticky bit is on
           T = Sticky bit is on
           x = execute bit is on

8) If the sticky bit is on then only the file OWNER, directory
OWNER and superuser can delete the file.

9) Try using a directory without the sticky bit on or in a directory
where the userid is the OWNER or belongs to the GROUP.
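
Steps 4 and 5 above, automated as an added example (not part of the original notes and not IBM's auditid tool): it pulls the FID out of an ICH408I message and looks it up in auditid's path-walk output to name the object that actually failed. The function names are hypothetical, and the sample input is constructed from the SYSLOG and auditid output shown on this page.

```python
import re

# Constructed sample input: the SYSLOG message and auditid output shown above.
SYSLOG = """\
ICH408I USER(CISTINT ) GROUP(INTRFACE) NAME(CIS+ TEST INTERFACE )
/tmp/IPC0010605200601.dat
CL(FSOBJ ) FID(01E2E8E2F0F0F6000301000000000003)
INSUFFICIENT AUTHORITY TO UNLINK
EFFECTIVE UID(0000000111) EFFECTIVE GID(0000778053)
"""
AUDITID_OUTPUT = """\
/IDAT/tmp/IPC0010605200601.dat
01E2E8E2F0F0F5000406000000000003 /
01E2E8E2F0F0F5000C1D000000000003 /IDAT
01E2E8E2F0F0F6000301000000000003 /IDAT/tmp <==== This one matches
"""


def _field(pattern, text, flags=0):
    """Return the first capture group of pattern in text, or None."""
    match = re.search(pattern, text, flags)
    return match.group(1) if match else None


def parse_ich408i(syslog):
    """Collect each multi-line ICH408I message that carries a FID."""
    blocks, current = [], None
    for line in syslog.splitlines():
        if "ICH408I" in line:
            current = [line]
            blocks.append(current)
        elif current is not None:
            current.append(line)
            if "EFFECTIVE UID(" in line:   # last line of the message
                current = None
    records = []
    for text in ("\n".join(b) for b in blocks):
        fid = _field(r"FID\(([0-9A-F]{32})\)", text)
        if fid is None:
            continue                       # no FID, nothing to resolve
        uid = _field(r"EFFECTIVE UID\((\d+)\)", text)
        records.append({
            "user": _field(r"USER\(([^\s)]+)", text),
            "path": _field(r"^\s*(/\S*)\s*$", text, re.M),
            "operation": _field(r"INSUFFICIENT AUTHORITY TO (\w+)", text),
            "uid": int(uid) if uid else None,
            "fid": fid,
        })
    return records


def parse_auditid(output):
    """Return (truename, {fid: path}) from auditid path-walk output."""
    truename, by_fid = None, {}
    for line in output.splitlines():
        match = re.match(r"\s*([0-9A-F]{32})\s+(/\S*)", line)
        if match:
            by_fid[match.group(1)] = match.group(2)
        elif truename is None and line.strip().startswith("/"):
            truename = line.split()[0]
    return truename, by_fid


def diagnose(syslog, auditid_output):
    """Name the object each FID refers to, or None when auditid lacks it."""
    truename, by_fid = parse_auditid(auditid_output)
    findings = []
    for rec in parse_ich408i(syslog):
        obj = by_fid.get(rec["fid"])
        if obj is None:
            where = "not on this path walk"
        elif obj == truename:
            where = "the named object itself"
        else:
            where = "a directory on the path"
        findings.append({**rec, "failing_object": obj, "where": where})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SYSLOG, AUDITID_OUTPUT):
        print(finding)
```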

- ICKDSF profiles


CLASS(FACILITY)

//*
//STEP001  EXEC PGM=IKJEFT1B,PARM='',
//         REGION=18M,TIME=1400
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* */
 /* LIST IT FIRST. */
 /* */
 RLIST FACILITY STGADMIN.ICK.**
 /* */
 /* protect ANALYZE */
 /* */
 RDEFINE FACILITY -
   STGADMIN.ICK.ANALYZE -
   UACC(NONE) -
   OWNER(SYS1)
 /* */
 /* Give the group any additional access */
 /* OR */
 /* connect the users to other groups */
 /* */
 PERMIT STGADMIN.ICK.ANALYZE CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect BUILDIX */
 /* */
 RDEFINE FACILITY -
   STGADMIN.ICK.BUILDIX -
   UACC(NONE) -
   OWNER(SYS1)
 /* */
 /* Give the group any additional access */
 /* OR */
 /* connect the users to other groups */
 /* */
 PERMIT STGADMIN.ICK.BUILDIX CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect CONTROL */
 /* */
 RDEFINE FACILITY -
   STGADMIN.ICK.CONTROL -
   UACC(NONE) -
   OWNER(SYS1)
 /* */
 /* Give the group any additional access */
 /* OR */
 /* connect the users to other groups */
 /* */
 PERMIT STGADMIN.ICK.CONTROL CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect FLASHCOPY */
 /* */
 RDEFINE FACILITY -
   STGADMIN.ICK.FLASHCPY -
   UACC(NONE) -
   OWNER(SYS1)
 /* */
 /* Give the group any additional access */
 /* OR */
 /* connect the users to other groups */
 /* */
 PERMIT STGADMIN.ICK.FLASHCPY CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect INIT */
 /* */
 RDEFINE FACILITY -
   STGADMIN.ICK.INIT -
   UACC(NONE) -
   OWNER(SYS1)
 /* */
 /* Give the group any additional access */
 /* OR */
 /* connect the users to other groups */
 /* */
 PERMIT STGADMIN.ICK.INIT CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect INSPECT */
 /* */
 RDEFINE FACILITY -
   STGADMIN.ICK.INSPECT -
   UACC(NONE) -
   OWNER(SYS1)
 /* */
 /* Give the group any additional access */
 /* OR */
 /* connect the users to other groups */
 /* */
 PERMIT STGADMIN.ICK.INSPECT CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect IODELAY */
 /* */
 RDEFINE FACILITY -
   STGADMIN.ICK.IODELAY -
   UACC(NONE) -
   OWNER(SYS1)
 /* */
 /* Give the group any additional access */
 /* OR */
 /* connect the users to other groups */
 /* */
 PERMIT STGADMIN.ICK.IODELAY CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect PPRCOPY */
 /* */
 RDEFINE FACILITY -
   STGADMIN.ICK.PPRCOPY -
   UACC(NONE) -
   OWNER(SYS1)
 /* */
 /* Give the group any additional access */
 /* OR */
 /* connect the users to other groups */
 /* */
 PERMIT STGADMIN.ICK.PPRCOPY CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect REFORMAT */
 /* */
 RDEFINE FACILITY -
   STGADMIN.ICK.REFORMAT -
   UACC(NONE) -
   OWNER(SYS1)
 /* */
 /* Give the group any additional access */
 /* OR */
 /* connect the users to other groups */
 /* */
 PERMIT STGADMIN.ICK.REFORMAT CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect REVAL */
 /* */
 RDEFINE FACILITY -
   STGADMIN.ICK.REVAL -
   UACC(NONE) -
   OWNER(SYS1)
 /* */
 /* Give the group any additional access */
 /* OR */
 /* connect the users to other groups */
 /* */
 PERMIT STGADMIN.ICK.REVAL CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect TRKFMT */
 /* */
 RDEFINE FACILITY -
   STGADMIN.ICK.TRKFMT -
   UACC(NONE) -
   OWNER(SYS1)
 /* */
 /* Give the group any additional access */
 /* OR */
 /* connect the users to other groups */
 /* */
 PERMIT STGADMIN.ICK.TRKFMT CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* REFRESH THE FACILITY CLASS, IT IS EXPECTED TO BE RACLISTED. */
 /* */
 SETROPTS REFRESH RACLIST(FACILITY)
/*
//

- RDEFINE PROGRAM


This example restricts access to the tape initialization utility.

x) RDEFINE PROGRAM IEHINITT ADDMEM('SYS1.LINKLIB'//NOPADCHK) UACC(NONE)

x) PERMIT IEHINITT CLASS(PROGRAM) ID(userid/group) ACCESS(READ)

x) SETROPTS WHEN(PROGRAM) REFRESH

[Omit REFRESH if you did not have this option active previously]

- Add a userid, alias, and OMVS pieces


//*
//* ADD RACF USERID WITH TSO AND OMVS SEGMENTS
//*
//TSORACF EXEC PGM=IKJEFT01,DYNAMNBR=75,TIME=100,REGION=6M
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DISP=SHR,DSN=SYS1.UADS
//SYSLBC DD DISP=SHR,DSN=SYS1.BRODCAST
//SYSTSIN DD *
AU &UCID NAME('&USERNAME') DFLTGRP(&GRP) +
PASSWORD(&UCID) OWNER(&GRP) UACC(NONE) +
TSO(ACCTNUM(ACCT#) PROC(ISPFPROC) JOBCLASS(A) MSGCLASS(X) +
UNIT(SYSALLDA) +
HOLDCLASS(X) SYSOUTCLASS(X) SIZE(4048) MAXSIZE(0)) +
OMVS(HOME('/u/&LCID') PROGRAM('/bin/sh') UID(&UID))
AD '&UCID..*' OWNER(&UCID) UACC(NONE) GENERIC
PERMIT ACCT# CLASS(ACCTNUM) ACCESS(READ) ID(&UCID)
PERMIT ISPFPROC CLASS(TSOPROC) ACCESS(READ) ID(&UCID)
PERMIT DBSPROC CLASS(TSOPROC) ACCESS(READ) ID(&UCID)
SETROPTS REFRESH RACLIST(TSOPROC)
)SEL &SUPERU = Y
PERMIT BPX.SUPERUSER CLASS(FACILITY) ACCESS(READ) ID(&UCID)
SETROPTS REFRESH RACLIST(FACILITY)
)ENDSEL
PERMIT JCL CLASS(TSOAUTH) ID(&UCID)
LU &UCID TSO OMVS
LD DA('&UCID..*') ALL
/*
//* CREATE ALIAS
//*
//ALIAS EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
DEFINE ALIAS (NAME(&UCID) RELATE(USERCAT.TSOUSER))
/*
//* ALLOCATE HFS DATA SET
//*
//ALCHFS EXEC PGM=IEFBR14
//&UCID DD DISP=(NEW,CATLG),DSN=HFS.U.&UCID,
// UNIT=3390,VOL=SER=HFSP07,LIKE=HFS.U.IBMUSER,
// SPACE=(TRK,(60,30,0)),STORCLAS=HFS
//*
//* DO UNIX WORK FROM TSO
//*
//MOUNT EXEC PGM=IKJEFT01,DYNAMNBR=75,TIME=100,REGION=6M
//SYSPROC DD DISP=SHR,DSN=SYS1.SBPXEXEC
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN DD *
oshell ls /u/&lcid
oshell chmod 755 /u/&lcid
oshell chown &lcid:&grp /u/&lcid
/*
//*
//UNMNT EXEC PGM=IKJEFT01,DYNAMNBR=75,TIME=100,REGION=6M
//SYSPROC DD DISP=SHR,DSN=SYS1.SBPXEXEC
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN DD *
UNMOUNT FILESYSTEM('HFS.U.&UCID') IMMEDIATE
/*
//

Sunday, February 13, 2011

Linux show Chinese characters

The settings below cover two encodings, Big5 and UTF-8:
Step1.

When the system's Chinese encoding is Big5 and the character set of the SSH client PuTTY is set to Big5:

PuTTY SSH client settings:
Change Settings >> Appearance >> Cursor appearance >> change to Underline (so the cursor does not cover the Chinese characters)
Change Settings >> Appearance >> Font settings >> Change >> Font = MingLiU (細明體), Script = CHINESE_BIG5
Change Settings >> Translation >> Character set translation on received data >> select Use font encoding

If you use CSH: add the following three lines to /etc/csh.cshrc and reboot to display Chinese text.

# vi /etc/csh.cshrc

setenv LC_CTYPE en_US.ISO8859-1
setenv LC_ALL zh_TW.Big5
setenv LANG zh_TW.Big5

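If you use BASH: add the following three lines to /etc/profile to display Chinese text.

# vi /etc/profile

LC_CTYPE=en_US.ISO8859-1; export LC_CTYPE
LC_ALL=zh_TW.Big5; export LC_ALL
LANG=zh_TW.Big5; export LANG

# source /etc/profile # in BASH, re-read /etc/profile so the settings apply immediately, without a reboot

# date # the date is now shown in Chinese as well
2005年 1月11日 周二 14時43分36秒 CST

Besides having Chinese in the terminal, we also want the Vi editor to support Chinese. Vi's Chinese support is poor, so we install Vim from Ports without the X window environment (-DWITHOUT_X11).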

# cd /usr/ports/editors/vim
# make -DWITHOUT_X11 install clean
# cd /root

# vi .vimrc # add the following settings for vim

set fileencoding=taiwan
set guifontset=8x16,kc15f,-*-16-*-big5-0
set cindent
set enc=taiwan
set fileencoding=taiwan
set hls
set nocompatible
set sw=2
set background=dark
set nomodeline
syntax on
highlight Comment ctermfg=darkcyan
highlight Search term=reverse ctermbg=4 ctermfg=7

# cp /root/.vimrc /home/User # copy the same configuration file to the User home directory so that User can also use the Chinese Vim environment

Step2.

When the system's Chinese encoding is UTF-8 and the character set of the SSH client PuTTY is set to UTF-8 (Unicode):

PuTTY SSH client settings:
Change Settings >> Appearance >> Cursor appearance >> change to Underline (so the cursor does not cover the Chinese characters)
Change Settings >> Appearance >> Font settings >> Change >> Font = MingLiU (細明體), Script = CHINESE_BIG5
Change Settings >> Translation >> Character set translation on received data >> select UTF-8


In my environment, under BASH, setting the following three lines in /etc/profile displays Chinese text.

# vi /etc/profile

LC_CTYPE=en_US.ISO8859-1; export LC_CTYPE
LC_ALL=zh_TW.UTF-8; export LC_ALL
LANG=zh_TW.UTF-8; export LANG

# source /etc/profile

# vi .vimrc

set enc=utf-8
set fenc=utf-8
set fileencodings=utf-8,ucs-bom,big5,latin1
set cindent
set hls
set nocompatible
set sw=2
set background=dark
set nomodeline
syntax on
highlight Comment ctermfg=darkcyan
highlight Search term=reverse ctermbg=4 ctermfg=7