UNIX Command Server
The UNIX command server runs under the authority of the user ID that is associated with the job or procedure that is used to start it. If SAF-based security is used, the user ID can be provided with the authority to enable execution of the UNIX command server. If the Resource Access Control Facility (RACF®) program is used to implement SAF-based security on the system, the security for the UNIX command server may be implemented by performing the following tasks:
- Activate the SAF FACILITY class and define the BPX.DAEMON resource to it:
  RDEFINE FACILITY BPX.DAEMON UACC(NONE)
  SETROPTS CLASSACT(FACILITY)
  SETROPTS RACLIST(FACILITY)
- Ensure that the user ID from which the UNIX command server gets its authority has at least READ access to the BPX.DAEMON resource of the FACILITY class as follows, where userid is the user ID:
  PERMIT BPX.DAEMON CLASS(FACILITY) ID(userid) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
- Ensure that the user ID that is associated with the UNIX command server job or procedure has the necessary authority by implementing at least one of the following options.
  - Give the user ID permission to execute UNIX command server code and write output files:
    - Ensure that the user ID is an owner of the UNIX command server executable file cnmeunix with execute permission for that file, or ensure that the user ID is a member of the owner group assigned to cnmeunix and the group has execute permission for that file.
    - For the UNIX command server executable files cnmechld and cnmework, ensure that the user ID is an owner of the files with execute permission for them, or that the user ID is a member of the owner group assigned to those files and the group has execute permission for them, or that the other permissions for those files include execute permission.
    - Ensure that the user ID is an owner of the directory and output files (for example, cnmeunix.stdout and cnmeunix.stderr in the directory) that are defined in the UNIX command server job or procedure and has write permission for those items, or ensure that the user ID is a member of the owner group that is assigned to the directory and output files and the group has write permission for those items.
    For example, if an owner group name has been set for the applicable z/OS® UNIX files and directories, a command to add the user ID to the owner group may be similar to the following:
    CONNECT user_id GROUP(group_name)
    See z/OS UNIX System Services Command Reference for the CHMOD, CHOWN, and CHGRP commands, which are used to set permissions and the owner or group owner of files and directories in the z/OS UNIX file system.
  - Give the user ID superuser authority overall or within the context of the UNIX command server job or procedure.
    One method of ensuring that a user ID has superuser authority overall is to define the user ID and assign a zero UID value in the OMVS segment of the user ID profile as follows, where userid is the user ID and group_name is the name of a group that has a group ID (GID) set in the OMVS segment of the profile:
    ADDUSER userid DFLTGRP(group_name) OMVS(UID(0) HOME('/')) NOPASSWORD
    A user ID with a non-zero UID in the OMVS segment of the user ID profile can also be given superuser authority in just the context of the running UNIX command server job or procedure. To do that, the TRUSTED attribute must be set for the UNIX command server job or started procedure, as follows:
    - Ensure that the STARTED class is active:
      SETROPTS CLASSACT(STARTED)
      SETROPTS RACLIST(STARTED)
      SETROPTS GENERIC(STARTED)
    - Define a profile for the UNIX command server job or started procedure, associate a user ID with that job or started procedure, and set the TRUSTED attribute. As an example, for a STARTED class profile, CNMSSUNX.*, which might represent a procedure for starting the UNIX command server, execute a command as follows:
      RDEFINE STARTED CNMSSUNX.* STDATA(USER(userid) TRUSTED(YES))
    - Refresh the STARTED class information:
      SETROPTS RACLIST(STARTED) REFRESH
      SETROPTS GENERIC(STARTED) REFRESH
- Turn on PROGRAM CONTROL to provide security for privileged functions that the UNIX command server issues (for example, setuid):
  SETROPTS WHEN(PROGRAM)
- Define the following libraries to PROGRAM CONTROL:
  RALT PROGRAM * ADDMEM('SYS1.LINKLIB'/******/NOPADCHK) UACC(READ)
  RALT PROGRAM * ADDMEM('hlq.SCEERUN'/******/NOPADCHK) UACC(READ)
  RALT PROGRAM * ADDMEM('hlq.SCNMLNK1'/******/NOPADCHK) UACC(READ)
  RALT PROGRAM * ADDMEM('hlq.SCNMLNKN'/******/NOPADCHK) UACC(READ)
  RALT PROGRAM * ADDMEM('hlq.SEAGALT'/******/NOPADCHK) UACC(READ)
  SETROPTS WHEN(PROGRAM) REFRESH
  Note:
  - If you are running with the REXX alternate library, the SEAGALT data set must be defined to PROGRAM CONTROL. However, if your installation is using the REXX/370 runtime library, define the SEAGLPA data set instead. For more information about SEAGALT or SEAGLPA usage, refer to IBM® Tivoli® NetView for z/OS Installation: Getting Started.
  - If the PROGRAM class * profile already exists, use the RALT command. If it does not exist, use the RDEF command for the first command and the RALT command for the subsequent commands.
  - Also define to PROGRAM CONTROL any library that provides modules to support commands that might be run by the UNIX command server. An example is a library that contains a REXX function package module that supports a REXX EXEC that is driven by a command that is sent to the UNIX command server for processing.
- Define each NetView® operator ID that issues (when using an AUTHCHK setting of TARGETID) or originates (when using an AUTHCHK setting of SOURCEID) the PIPE UNIX command to RACF with a valid OMVS segment. The OMVS segment must include a valid HOME directory.
  This includes all operators associated with the AON AUTOOPS TCPOPER statement in FKXCFG01 and the MultiSystem Manager autotask that is associated with the STRTDISC command. For more information about the STRTDISC command and the autotask it runs under, refer to the NetView online help.
  This also includes the primary program operator interface task (PPT) if an AUTHCHK setting of SOURCEID is used and a PIPE UNIX command originates in the PPT (such as when an auxInitCmd statement in the CNMSTYLE member is used).
  It also includes the IDSAUTO2 operator that is used by Intrusion Detection Services (IDS) for capturing syslog probes.
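The file-permission option above gives cnmeunix a stricter rule (owner or group execute only) than cnmechld and cnmework (other execute also acceptable), and the output directory and files a write rule that again excludes the other class. The following audit encodes those rules so an administrator can confirm the server's user ID has exactly the access required before starting the job. It is an added example, not NetView's or IBM's code; the UID 1001, group 500 and the file attributes are constructed sample values, and FileAttrs stands in for os.stat results so the check runs offline.

```python
from collections import namedtuple
import stat

# Stand-in for os.stat_result so the check runs offline on constructed data;
# a real audit would pass os.stat(path) results, which carry the same three fields.
FileAttrs = namedtuple("FileAttrs", "st_uid st_gid st_mode")

# Access the server's user ID needs for each item, as the text describes:
# (permission bit, whether the "other" permission class is also acceptable).
REQUIREMENTS = {
    "cnmeunix":        ("x", False),   # owner or group execute only
    "cnmechld":        ("x", True),    # owner, group or other execute
    "cnmework":        ("x", True),
    "output_dir":      ("w", False),   # owner or group write on the output directory
    "cnmeunix.stdout": ("w", False),
    "cnmeunix.stderr": ("w", False),
}

OWNER_BIT = {"x": stat.S_IXUSR, "w": stat.S_IWUSR}

def has_required_access(attrs, uid, gids, perm, allow_other):
    """True if uid (with group set gids) gets perm through a permitted class."""
    if uid == 0:                      # UID 0 in the OMVS segment: superuser, mode bits do not apply
        return True
    bit = OWNER_BIT[perm]
    if attrs.st_uid == uid and attrs.st_mode & bit:
        return True
    if attrs.st_gid in gids and attrs.st_mode & (bit >> 3):   # group class bits
        return True
    return allow_other and bool(attrs.st_mode & (bit >> 6))   # other class bits

def audit_server_files(files, uid, gids):
    """Return the names of items for which uid lacks the required access."""
    return [name for name, (perm, other_ok) in REQUIREMENTS.items()
            if not has_required_access(files[name], uid, gids, perm, other_ok)]

# Constructed sample (hypothetical UID 1001, group 500 for the server's user ID).
SAMPLE_FILES = {
    "cnmeunix":        FileAttrs(0, 500, 0o750),     # group execute: OK
    "cnmechld":        FileAttrs(0, 0, 0o755),       # other execute: OK for this file
    "cnmework":        FileAttrs(0, 0, 0o750),       # no group or other execute: fails
    "output_dir":      FileAttrs(0, 500, 0o775),     # group write: OK
    "cnmeunix.stdout": FileAttrs(1001, 500, 0o644),  # owner write: OK
    "cnmeunix.stderr": FileAttrs(0, 500, 0o644),     # group lacks write: fails
}

if __name__ == "__main__":
    print("Items lacking required access:", audit_server_files(SAMPLE_FILES, 1001, {500}))
```

Replacing SAMPLE_FILES with os.stat results for the real paths and the actual UID and GIDs of the server's user ID turns this into a pre-start check; an empty result means the least-privilege option is satisfied without resorting to UID 0 or TRUSTED.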