z/OS UNIX System Services program-controlled files for the ISPF daemon

The ISPF daemon needs UPDATE access to the BPX.SERVER profile to manage the security environment.

Servers with authority to BPX.SERVER must run in a clean, program-controlled environment. This implies that all programs called by the ISPF daemon must also be program-controlled. For z/OS UNIX System Services files, program control is managed by the extattr command. To run this command, you need READ access to BPX.FILEATTR.PROGCTL in the FACILITY class, or be UID(0).
The ISPF daemon server uses RACF's Java shared library (/usr/lib/libIRRRacf.so) as well as a number of IBM® Engineering Workflow Management , programs.
  • extattr +p /usr/lib/libIRRRacf.so
Notes:
  1. The setup might be different if you use a security product other than RACF. Consult the documentation of your security product for more information.
  2. The SMP/E installation of IBM Engineering Workflow Management sets the program-control bit for internal programs, when it is available.
  3. Use the ls -Eog z/OS® Linux command to display the current status of the program-control bit (the file is program controlled if the letter p shows in the second string).
    $ ls -Eog /usr/lib/libIRRRacf.so
-rwxr-xr-x aps- 2 69632 Oct 5 2007 /usr/lib/libIRRRacf.so