Saturday, February 19, 2011

RACF related notes

- Logical consoles

To get CONSOLE to work in REXX you may have to grant yourself some
authority.

PERMIT CONSOLE CLASS(TSOAUTH) ID(userid) ACCESS(READ)

and maybe

PERMIT OPER CLASS(TSOAUTH) ID(userid) ACCESS(READ)

then

SETROPTS RACLIST(TSOAUTH) REFRESH

To use the RVARY SWITCH command you go one step further and give the userid master-console authority:

ALTUSER userid OPERPARM(AUTH(MASTER) LEVEL(ALL) CMDSYS(*) +
MSCOPE(*ALL) ALTGRP(MASTER))

- RVARY Passwords

The master console can respond 'YES' to the RVARY prompt, which is useful if you don't know the RVARY password. If someone with SPECIAL was logged on they could have issued the SETROPTS RVARYPW command and changed it. Remotely, you can follow .001 to put yourself in a position to act as a master console. Treat the console authority above (TSOAUTH CONSOLE/OPER plus OPERPARM AUTH(MASTER)) as equivalent to holding the RVARY password: whoever can answer that prompt can switch or deactivate the RACF database, so keep those permits rare and audited.

- %RACFINFO pretty good at showing authority


This nifty rexx code is good at finding what authority a user has.

/****************************REXX***********************************/
/* Source: http://www.xephon.com/arcinframe.php//f002a04 */
/* Modified: Kenneth E Tomiak - use setr list to get active */
/* classes to be used instead of GRINDD. */
/* DOC: To execute this exec, enter the command followed by two */
/* parms (USER INFOALL). The USER should be the RACF userid */
/* of whom information is requested. INFOALL MUST BE EQUAL */
/* to ALL to generate full security information. Otherwise, */
/* set INFOALL to NOT or blank. */
/* *** YOU MUST BE AUTHORIZED TO ISSUE THE SEARCH COMMAND *** */
/* *** YOU MUST BE AUTHORIZED TO ISSUE THE SETR LIST COMMAND */
/****************************REXX***********************************/
arg USER INFOALL
if sysvar(syspref) = "" then
do
address tso "profile prefix("sysvar(sysuid)")"
prfxon = on
end
/******************* RACF User ***********************************/
title1 = " " || USER || " INFORMATION "
say center(title1,75,"*")
say ""
address tso "LISTUSER" USER "CICS DCE DFP EIM",
"KERB LANGUAGE LNOTES NDS NETVIEW",
"OMVS OPERPARM OVM PROXY TSO WORKATTR"
say ""
/******************* RACF DATASET PROFILES *************************/
title1 = "DATASET PROFILE"
say center(title1,75,"*")
say ""
address tso "LISTDSD ALL DATASET('"user".**')"
say ""
/******************* RACF GROUPS ***********************************/
title1 = " GROUPS " || USER || " ADMINISTERS "
say center(title1,75,"*")
say ""
if INFOALL = "ALL" then
do
address tso "SEARCH USER(" USER ") CLASS(GROUP) CLIST('LG ')"
"ALLOC FILE(RACFEXEC)",
"DATASET('"sysvar(SYSPREF)".EXEC.RACF.CLIST') SHR REUSE"
"EXECIO * DISKR RACFEXEC (FINIS STEM RACFCMD."
"FREE FILE(RACFEXEC)"
if (RACFCMD.0 > 1) then,
do
say ""
title1 = " GROUP DETAIL INFORMATION "
say center(title1,75,"*")
say ""
address tso "EXEC '"sysvar(SYSPREF)".EXEC.RACF.CLIST'"
say ""
end
end
else
do
address tso "SEARCH USER(" USER ") CLASS(GROUP)"
end
/******************* RACF DATASETS *********************************/
title1 = " DATASETS ACCESSIBLE BY " || USER || " "
say center(title1,75,"*")
say ""
if INFOALL = "ALL" then
do
address tso "SR USER("USER") LIST NOMASK CLIST('LD DA(' ') AUTH')"
"ALLOC FILE(RACFEXEC)",
"DATASET('"sysvar(SYSPREF)".EXEC.RACF.CLIST') SHR REUSE"
"EXECIO * DISKR RACFEXEC (FINIS STEM RACFCMD."
"FREE FILE(RACFEXEC)"
if (RACFCMD.0 > 1) then,
do
say ""
title1 = " DATASET ACCESS DETAIL INFORMATION "
say center(title1,75,"*")
say ""
address tso "EXEC '"sysvar(SYSPREF)".EXEC.RACF.CLIST'"
say ""
end
end
else
do
address tso "SR USER("USER") LIST NOMASK"
end
/******************* RACF GENERAL RESOURCES ************************/
call get_active_classes
do gr_x = 1 to grindd.0
record = grindd.gr_x
record = substr(record,1,8)
title1 = " GENERAL RESOURCE "||record||,
" ACCESSIBLE BY "||USER||" "
say center(title1,75,"*")
if INFOALL = "ALL" then
do
say ""
address tso "SR USER("USER") CLASS("record") CLIST('RL ",
record" ' ' AUTH')"
"ALLOC FILE(RACFEXEC)",
"DATASET('"sysvar(SYSPREF)".EXEC.RACF.CLIST') SHR REUSE"
"EXECIO * DISKR RACFEXEC (FINIS STEM RACFCMD."
"FREE FILE(RACFEXEC)"
if (RACFCMD.0 > 1) then,
do
say ""
title1 = " GENERAL RESOURCE "||,
record||" DETAIL INFORMATION "
say center(title1,75,"*")
say ""
address tso "EXEC '"sysvar(SYSPREF)".EXEC.RACF.CLIST'"
say ""
end
end
else
do
address tso "SR USER("USER") CLASS("record")"
end
end
/******************* END OF EXEC ***********************************/
if prfxon = on then
address tso "PROFILE NOPREFIX"
exit
/******************* issue setr list to get active classes *********/
get_active_classes:
quiet = OutTrap("RACF.")
"SETROPTS LIST"
quiet = OutTrap("OFF")
process = "Off"
r_x = 0

do racf_x = 1 to racf.0
setr = racf.racf_x
if (pos("ACTIVE CLASSES =",setr) > 0) then,
do
process = "ON"
parse var setr junk "=" setr
end
if ((process = "ON") & (left(setr,1) >< "")) then,
do
Leave
end
if (process = "Off") then iterate
do while setr >< ""
parse var setr res " " setr
if ((res = "DATASET") | (res = " ") | (res = "")) then,
iterate
if ((res = "USER") | (res = "GROUP")) then,
iterate
r_x = r_x + 1
grindd.r_x = res
end
end
grindd.0 = r_x
return
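The class-extraction step above (get_active_classes) as an added Python example, not part of the original exec: it runs the same parse against SETROPTS LIST output saved off-platform and then builds the SEARCH commands the exec issues per class. The SETROPTS LIST text is constructed for the example, not captured from a real system, and the userid KET2812 in the usage is an assumption.

```python
"""Added example (not from the original REXX exec): extract the active
general-resource classes from SETROPTS LIST output the way
get_active_classes does, then build the SEARCH commands the exec issues.
SAMPLE_SETROPTS_LIST is constructed for this example, not captured."""

SAMPLE_SETROPTS_LIST = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM) SAUDIT CMDVIOL OPERAUDIT
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP ACCTNUM APPL CONSOLE FACILITY
                 OPERCMDS PROGRAM SURROGAT TSOAUTH TSOPROC UNIXPRIV
GENERIC PROFILE CLASSES = DATASET ACCTNUM APPL FACILITY
GENERIC COMMAND CLASSES = DATASET ACCTNUM APPL FACILITY
"""

# DATASET, USER and GROUP are covered by the LISTDSD, LISTUSER and
# SEARCH CLASS(GROUP) steps of the exec, so they are skipped here just
# as the REXX routine skips them.
SKIP_CLASSES = {"DATASET", "USER", "GROUP"}


def active_general_resource_classes(setropts_output):
    """Return the class names listed under 'ACTIVE CLASSES =', in order.

    The list starts on the line carrying the heading and continues on
    indented lines; the next heading (text in column 1) ends it."""
    classes = []
    in_list = False
    for line in setropts_output.splitlines():
        if "ACTIVE CLASSES =" in line:
            in_list = True
            line = line.split("=", 1)[1]
        elif not in_list:
            continue
        elif line[:1] not in ("", " "):
            break
        classes.extend(tok for tok in line.split() if tok not in SKIP_CLASSES)
    return classes


def search_commands(user, classes, detail=False):
    """Build one SEARCH per class; with detail=True add the CLIST operand
    the exec uses when INFOALL=ALL, so RLIST ... AUTH runs on each hit."""
    cmds = []
    for cls in classes:
        cmd = f"SEARCH USER({user}) CLASS({cls})"
        if detail:
            cmd += f" CLIST('RL {cls} ' ' AUTH')"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    # KET2812 is an assumed userid.
    classes = active_general_resource_classes(SAMPLE_SETROPTS_LIST)
    for c in search_commands("KET2812", classes, detail=True):
        print(c)
```

Feed it a real SETROPTS LIST capture (which needs SPECIAL or AUDITOR to issue) and the resulting command list is what the exec would run for INFOALL=ALL.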

- Debugging FID errors (UNIX System Services)


How to debug FID errors:

Understand the RACF message, it shows the pathname/filename
you were attempting to act upon. The FID represents the actual
object where you failed. The object could be any sub-directory
in the pathname or the file itself.

Example:
========

What the ftp client saw:

550 Unable to delete /tmp/IPC0010605200601.dat (Rc = 111).

550 is an FTP reply code:
  5xx = permanent negative completion
  x5x = file system
  xx0 = requested action not taken (not found)

111 is the z/OS UNIX System Services errno (EACCES: permission is denied).

What SYSLOG shows:

/IDAT/tmp = 01E2E8E2F0F0F6000301000000000003
ICH408I USER(CISTINT ) GROUP(INTRFACE) NAME(CIS+ TEST INTERFACE )
/tmp/IPC0010605200601.dat
CL(FSOBJ ) FID(01E2E8E2F0F0F6000301000000000003)
INSUFFICIENT AUTHORITY TO UNLINK
EFFECTIVE UID(0000000111) EFFECTIVE GID(0000778053)

What can you do:

1) First get your hands on IBM's auditid from:
http://www-304.ibm.com/jct03004c/servers/eserver/zseries/zos/... +
.../unix/bpxa1toy.html

2) and place it in your z/OS Unix System Services world:
/u/youruserid/auditid

3) Make sure you can execute it. Add execute for yourself only; do not
make it world-writable with o=rwx, because the steps below run it from
a superuser shell and anyone could swap in their own binary:
chmod u+x /u/youruserid/auditid

4) Find the file matching the FID:
/u/youruserid/auditid 01E2E8E2F0F0F6000301000000000003
Hope it turns up.

# /u/ket2812/auditid 01E2E8E2F0F0F6000301000000000003
Audit id 01E2E8E2F0F0F6000301000000000003 not found
#

5) If not, then it isn't the file that is a problem
and you should use the pathname instead:
/u/youruserid/auditid /tmp
a) If it works:

# /u/ket2812/auditid /tmp/IPC0010605200601.dat
/IDAT/tmp/IPC0010605200601.dat
01E2E8E2F0F0F5000406000000000003 /
01E2E8E2F0F0F5000C1D000000000003 /IDAT
01E2E8E2F0F0F6000301000000000003 /IDAT/tmp <==== This one matches
#

Now scroll down through the entries until you find the
FID. On the right is the sub-directory where you ran into trouble.

b) When it fails:

# /u/ket2812/auditid /tmp/sombogusdir/filetofind
Syntax: auditid
or auditid <32>

Keep removing the last sub-directory name until it works.
At that point you know which sub-directories are missing.

# /u/ket2812/auditid /tmp/sombogusdir/filetofind
# /u/ket2812/auditid /tmp/sombogusdir
# /u/ket2812/auditid /tmp

6) Now you list one level up and check the permission bits:
ls -l /

lrwxrwxrwx 1 OMVSKERN OMVSGRP 12 Dec 10 2002 /tmp -> $SYSNAME/t

Reading the fields from left to right:
  column 1      Object type (l = link, d = directory, - = file)
  columns 2-4   Owner permissions (r, w, x or s)
  columns 5-7   Group permissions (r, w, x or s)
  columns 8-10  Other permissions (r, w, x or t)
  OMVSKERN      first USERID found matching the owning UID
  OMVSGRP       first GROUP found matching the owning GID

r=read
w=write
x=execute
s=set-on-execute

7) If this is a link then you need to list one level up from
the true name as shown in the output of auditid:

# /u/ket2812/auditid /IDAT/tmp
/IDAT/tmp <== truename
01E2E8E2F0F0F5000406000000000003 /
01E2E8E2F0F0F5000C1D000000000003 /IDAT
01E2E8E2F0F0F6000301000000000003 /IDAT/tmp

# ls -l /IDAT
drwxrwxrwt 7 OMVSKERN OMVSGRP 36864 Jan 29 10:24 tmp
The last character of the "other" permissions:
  t = execute and sticky bit are on
  T = sticky bit is on, execute is off
  x = execute bit is on, no sticky bit

8) If the sticky bit is on then only the file OWNER, directory
OWNER and superuser can delete the file.

9) Try a directory without the sticky bit, or one where the userid is
the OWNER or belongs to the owning GROUP.
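The diagnosis above as an added Python example, not part of the original notes: it parses the ICH408I FSOBJ message from the SYSLOG extract, reads an ls -l mode string the way steps 6 and 7 describe (including t/T for the sticky bit), and applies the unlink rule from step 8 as a predicate. The ICH408I text is reconstructed from the page's example; the directory owner uid/gid and the file owner uid used in the demo are assumptions.

```python
"""Added example, not part of the original notes: parse the ICH408I
FSOBJ message shown above, read an ls -l mode string, and apply the
unlink rule the notes describe (write+search on the directory; with the
sticky bit set, also owner of the file or of the directory, or UID 0).
SAMPLE_ICH408I is reconstructed from the page's SYSLOG extract; the
directory owner uid/gid and file owner uid in the demo are assumptions."""
import re

SAMPLE_ICH408I = """\
ICH408I USER(CISTINT ) GROUP(INTRFACE) NAME(CIS+ TEST INTERFACE )
/tmp/IPC0010605200601.dat
CL(FSOBJ ) FID(01E2E8E2F0F0F6000301000000000003)
INSUFFICIENT AUTHORITY TO UNLINK
EFFECTIVE UID(0000000111) EFFECTIVE GID(0000778053)
"""


def parse_ich408i(text):
    """Return the fields a responder needs from a multi-line ICH408I
    file-system access failure; raises ValueError if it is not one."""
    hdr = re.search(r"ICH408I USER\((\S+)\s*\)\s+GROUP\((\S+)\s*\)", text)
    cls = re.search(r"CL\((\S+)\s*\)\s+FID\(([0-9A-F]{32})\)", text)
    act = re.search(r"INSUFFICIENT AUTHORITY TO (\w+)", text)
    ids = re.search(r"EFFECTIVE UID\((\d+)\)\s+EFFECTIVE GID\((\d+)\)", text)
    path = re.search(r"^(/\S*)$", text, re.M)
    if not (hdr and cls and act and ids and path):
        raise ValueError("not an ICH408I file-system access failure")
    return {
        "user": hdr.group(1), "group": hdr.group(2), "path": path.group(1),
        "class": cls.group(1), "fid": cls.group(2), "action": act.group(1),
        "uid": int(ids.group(1)), "gid": int(ids.group(2)),
    }


def parse_symbolic_mode(sym):
    """Turn an ls -l mode string such as 'drwxrwxrwt' into (type, mode).
    Lower-case letters mean the permission bit is on; s/S in an execute
    slot are setuid/setgid, t/T in the last slot is the sticky bit, and
    upper case means the special bit is on but execute is off."""
    ftype, perms = sym[0], sym[1:10]
    mode = 0
    for i, ch in enumerate(perms):
        if ch in "rwxst":
            mode |= 1 << (8 - i)
        if ch in "sS" and i == 2:
            mode |= 0o4000
        if ch in "sS" and i == 5:
            mode |= 0o2000
        if ch in "tT" and i == 8:
            mode |= 0o1000
    return ftype, mode


def can_unlink(dir_mode, dir_uid, dir_gid, file_uid, euid, egid, sup_groups=()):
    """Step 8 of the notes as a predicate: unlinking needs write and
    search on the directory, plus ownership of the file or the directory
    when the directory is sticky; UID 0 bypasses both checks."""
    if euid == 0:
        return True
    if euid == dir_uid:
        bits = (dir_mode >> 6) & 7
    elif egid == dir_gid or dir_gid in sup_groups:
        bits = (dir_mode >> 3) & 7
    else:
        bits = dir_mode & 7
    if bits & 0o3 != 0o3:                       # need both w and x
        return False
    if dir_mode & 0o1000 and euid not in (file_uid, dir_uid):
        return False
    return True


if __name__ == "__main__":
    ev = parse_ich408i(SAMPLE_ICH408I)
    _, tmp_mode = parse_symbolic_mode("drwxrwxrwt")   # /IDAT/tmp as listed above
    # Assumed: /IDAT/tmp owned by uid 0 / gid 1, the file by another uid (222).
    print(ev["user"], ev["action"], ev["path"], "FID", ev["fid"])
    print("may unlink:", can_unlink(tmp_mode, 0, 1, 222, ev["uid"], ev["gid"]))
```

With the sticky bit on /IDAT/tmp, uid 111 is refused unless it owns the file, which is exactly the case the SYSLOG message records; clear the sticky bit or make the file owner match and the predicate flips to true.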

- ICKDSF profiles


CLASS(FACILITY)

Comment lines are indented one column so that /* never lands in JCL
columns 1-2, where it would end the SYSTSIN in-stream data. Each PERMIT
names CLASS(FACILITY) explicitly, because PERMIT defaults to the DATASET
class and would otherwise not find the profile.

//*
//STEP001 EXEC PGM=IKJEFT1B,PARM='',
// REGION=18M,TIME=1400
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
 /* */
 /* LIST IT FIRST. */
 /* */
RLIST FACILITY STGADMIN.ICK.**
 /* */
 /* protect ANALYZE */
 /* */
RDEFINE FACILITY -
  STGADMIN.ICK.ANALYZE -
  UACC(NONE) -
  OWNER(SYS1)
 /* */
 /* Give the group any additional access */
 /* OR */
 /* connect the users to other groups */
 /* */
PERMIT STGADMIN.ICK.ANALYZE CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect BUILDIX */
 /* */
RDEFINE FACILITY -
  STGADMIN.ICK.BUILDIX -
  UACC(NONE) -
  OWNER(SYS1)
 /* permit the group, or connect users to MYGRP */
PERMIT STGADMIN.ICK.BUILDIX CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect CONTROL */
 /* */
RDEFINE FACILITY -
  STGADMIN.ICK.CONTROL -
  UACC(NONE) -
  OWNER(SYS1)
 /* permit the group, or connect users to MYGRP */
PERMIT STGADMIN.ICK.CONTROL CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect FLASHCOPY */
 /* */
RDEFINE FACILITY -
  STGADMIN.ICK.FLASHCPY -
  UACC(NONE) -
  OWNER(SYS1)
 /* permit the group, or connect users to MYGRP */
PERMIT STGADMIN.ICK.FLASHCPY CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect INIT */
 /* */
RDEFINE FACILITY -
  STGADMIN.ICK.INIT -
  UACC(NONE) -
  OWNER(SYS1)
 /* permit the group, or connect users to MYGRP */
PERMIT STGADMIN.ICK.INIT CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect INSPECT */
 /* */
RDEFINE FACILITY -
  STGADMIN.ICK.INSPECT -
  UACC(NONE) -
  OWNER(SYS1)
 /* permit the group, or connect users to MYGRP */
PERMIT STGADMIN.ICK.INSPECT CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect IODELAY */
 /* */
RDEFINE FACILITY -
  STGADMIN.ICK.IODELAY -
  UACC(NONE) -
  OWNER(SYS1)
 /* permit the group, or connect users to MYGRP */
PERMIT STGADMIN.ICK.IODELAY CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect PPRCOPY */
 /* */
RDEFINE FACILITY -
  STGADMIN.ICK.PPRCOPY -
  UACC(NONE) -
  OWNER(SYS1)
 /* permit the group, or connect users to MYGRP */
PERMIT STGADMIN.ICK.PPRCOPY CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect REFORMAT */
 /* */
RDEFINE FACILITY -
  STGADMIN.ICK.REFORMAT -
  UACC(NONE) -
  OWNER(SYS1)
 /* permit the group, or connect users to MYGRP */
PERMIT STGADMIN.ICK.REFORMAT CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect REVAL */
 /* */
RDEFINE FACILITY -
  STGADMIN.ICK.REVAL -
  UACC(NONE) -
  OWNER(SYS1)
 /* permit the group, or connect users to MYGRP */
PERMIT STGADMIN.ICK.REVAL CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* protect TRKFMT */
 /* */
RDEFINE FACILITY -
  STGADMIN.ICK.TRKFMT -
  UACC(NONE) -
  OWNER(SYS1)
 /* permit the group, or connect users to MYGRP */
PERMIT STGADMIN.ICK.TRKFMT CLASS(FACILITY) ID(MYGRP) ACCESS(READ)
 /* */
 /* REFRESH THE FACILITY CLASS, IT IS EXPECTED TO BE RACLISTED. */
 /* */
SETROPTS REFRESH RACLIST(FACILITY)
/*
//

- RDEFINE PROGRAM


This example restricts execution of the tape initialization utility
IEHINITT to the userids and groups on the profile's access list.

1) RDEFINE PROGRAM IEHINITT ADDMEM('SYS1.LINKLIB'//NOPADCHK) UACC(NONE)

2) PERMIT IEHINITT CLASS(PROGRAM) ID(userid/group) ACCESS(READ)

3) SETROPTS WHEN(PROGRAM) REFRESH

Omit REFRESH if program control (WHEN(PROGRAM)) was not already active;
the first SETROPTS WHEN(PROGRAM) activates it. The ADDMEM list names the
library the protected copy lives in, so a copy of IEHINITT placed in a
library that is not listed is not covered by this profile.

- Add a userid, alias, and OMVS pieces


//*
//* ADD RACF USERID WITH TSO AND OMVS SEGMENTS
//* ISPF FILE-TAILORING SKELETON: &UCID/&LCID ARE THE USERID IN UPPER
//* AND LOWER CASE, &GRP THE DEFAULT GROUP, &UID THE OMVS UID,
//* &USERNAME THE NAME, AND &SUPERU=Y ALSO PERMITS BPX.SUPERUSER.
//* PASSWORD(&UCID) SETS A TEMPORARY PASSWORD EQUAL TO THE USERID;
//* RACF MARKS IT EXPIRED SO THE USER MUST CHANGE IT AT FIRST LOGON.
//*
//TSORACF EXEC PGM=IKJEFT01,DYNAMNBR=75,TIME=100,REGION=6M
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DISP=SHR,DSN=SYS1.UADS
//SYSLBC DD DISP=SHR,DSN=SYS1.BRODCAST
//SYSTSIN DD *
AU &UCID NAME('&USERNAME') DFLTGRP(&GRP) +
PASSWORD(&UCID) OWNER(&GRP) UACC(NONE) +
TSO(ACCTNUM(ACCT#) PROC(ISPFPROC) JOBCLASS(A) MSGCLASS(X) +
UNIT(SYSALLDA) +
HOLDCLASS(X) SYSOUTCLASS(X) SIZE(4048) MAXSIZE(0)) +
OMVS(HOME('/u/&LCID') PROGRAM('/bin/sh') UID(&UID))
AD '&UCID..*' OWNER(&UCID) UACC(NONE) GENERIC
PERMIT ACCT# CLASS(ACCTNUM) ACCESS(READ) ID(&UCID)
PERMIT ISPFPROC CLASS(TSOPROC) ACCESS(READ) ID(&UCID)
PERMIT DBSPROC CLASS(TSOPROC) ACCESS(READ) ID(&UCID)
SETROPTS REFRESH RACLIST(TSOPROC)
)SEL &SUPERU = Y
PERMIT BPX.SUPERUSER CLASS(FACILITY) ACCESS(READ) ID(&UCID)
SETROPTS REFRESH RACLIST(FACILITY)
)ENDSEL
PERMIT JCL CLASS(TSOAUTH) ID(&UCID)
LU &UCID TSO OMVS
LD DA('&UCID..*') ALL
/*
//* CREATE ALIAS
//*
//ALIAS EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
DEFINE ALIAS (NAME(&UCID) RELATE(USERCAT.TSOUSER))
/*
//* ALLOCATE HFS DATA SET
//*
//ALCHFS EXEC PGM=IEFBR14
//&UCID DD DISP=(NEW,CATLG),DSN=HFS.U.&UCID,
// UNIT=3390,VOL=SER=HFSP07,LIKE=HFS.U.IBMUSER,
// SPACE=(TRK,(60,30,0)),STORCLAS=HFS
//*
//*
//* MOUNT THE NEW FILE SYSTEM AND DO UNIX WORK FROM TSO
//* (THE MOUNT POINT MUST EXIST BEFORE THE FILE SYSTEM IS MOUNTED)
//*
//MOUNT EXEC PGM=IKJEFT01,DYNAMNBR=75,TIME=100,REGION=6M
//SYSPROC DD DISP=SHR,DSN=SYS1.SBPXEXEC
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN DD *
oshell mkdir -p /u/&lcid
MOUNT FILESYSTEM('HFS.U.&UCID') MOUNTPOINT('/u/&lcid') +
TYPE(HFS) MODE(RDWR)
oshell ls /u/&lcid
oshell chmod 755 /u/&lcid
oshell chown &lcid:&grp /u/&lcid
/*
//*
//UNMNT EXEC PGM=IKJEFT01,DYNAMNBR=75,TIME=100,REGION=6M
//SYSPROC DD DISP=SHR,DSN=SYS1.SBPXEXEC
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN DD *
UNMOUNT FILESYSTEM('HFS.U.&UCID') IMMEDIATE
/*
//
