You can switch in and out of superuser authority. This discussion
assumes that the installation has not assigned UID(0) to its superusers.
Instead, each user has a unique UID and has been permitted to the
BPX.SUPERUSER resource in the FACILITY class.
You can use any of the following methods to gain superuser authority:
- Enter the shell using the OMVS command and then issue the su command
with no operands. This creates a nested shell that runs with superuser
authority.
Programs that change the security environment
cannot run in a multiprocess address space.
Tip: When
running in this manner, editing a file with the OEDIT command (OEDIT
with PF6) returns you to the TSO/E address space where your original
authority is still in place.
- Enter the ISPF shell using the ISHELL command or a dialog selection.
From the ISPF shell, you can select the option to switch to superuser
state. You can then manage the file system using ISPF shell functions
while in the superuser state.
If you enter the ISPF shell, switch
to superuser and then exit the ISPF shell, you might lose superuser
authority. If the ISPF shell is the only process in the address space,
you will lose all connection to kernel services when the ISPF shell
terminates. If there is another dubbed process in this address space
(for example, another ISPF shell, or a local shell), it will share
the UID with the ISPF shell process. For example, you can open an
ISPF shell on both sides of a split screen. When you toggle to superuser
in one ISPF shell, it affects the address space and therefore, both
ISPF shells are now superuser. Regardless of which ISPF shell terminates
first, the address space retains its UIDs until the ISPF shell is
used to toggle back, or the last process is undubbed.
- Enter the shell using rlogin or telnet. Once in the shell, enter
the su command to create a nested shell that runs
with superuser authority.
- After gaining superuser authority in the ISPF shell, you can split
the screen in ISPF and enter the OMVS command. The shell that is
started inherits the superuser authority set up in the ISPF shell.
For privileged shells (when the effective UID does not match the real
UID, or the effective GID does not match the real GID) $HOME/.profile is
not run. If the file /etc/suid_profile exists, it will be run.
- If you are permitted to the BPX.SUPERUSER resource, then you can
get superuser access through REXX.
- Use the su command from BPXBATCH. Run a job
using BPXBATCH following one of these examples that shows a copy of
the file:
- On the PARM= statement, include:
SH echo cp /etc/profile /etc/junk | su
This
pipes the result of the echo command (that is, the copy command)
into the su command.
- With PARM='SH su', code:
//STDIN DD PATH '/yourpath/input.stuff',PATHOPTS=(ORDONLY)
- With no parameters coded at all, create a file that has the su command
in it.
//BATBPX1 EXEC PGM=BPXBATCH
//STDIN DD PATH='/yourpath/suinput.stuff',PATHOPTS=(ORDONLY)
In
the suinput.stuff section, you would have the su command
followed by the copy command. These are commands as you
would have entered them from the console if you had been running in
the z/OS UNIX shell.
Also, when you set up your own $HOME/.profile as superuser,
specify the /usr/sbin directory in your PATH environment variable
because certain superuser utilities are in that directory instead
of the /bin directory, such as automount. For more information
about the profile, see Customizing $HOME/.profile.