

STEPLIBLIST

z/OS UNIX System Services Planning
GA32-0884-00

STEPLIBLIST specifies the path name of the file in the file system that contains the list of MVS™ data sets to be used as step libraries for programs that have the set-user-ID or set-group-ID bit turned on.

Step libraries have many uses; one is so that selected users can test new versions of run-time libraries before the new versions are made available to everyone on the system. Customers who do not put the Language Environment® library SCEERUN into the linklist should put the SCEERUN data set name in this file.

If your installation runs programs that have the setuid or setgid bit turned on, only those load libraries that are found in the STEPLIBLIST sanction list are set up as step libraries in the environment that those programs will run in. Because programs with the setuid or setgid bit turned on are considered privileged programs, they must run in a controlled environment. The STEPLIBLIST sanction list provides this control by allowing those programs to use only the step libraries that are considered trusted by the installation.

Tip: The path name of the file should be /etc/steplib. This naming strategy fits in with the IBM® strategy to place all customized data in the /etc directory.

If you do not specify a value for STEPLIBLIST, step libraries will not be set up for set-user-ID and set-group-ID executable files.

These step libraries are set up as a result of the invocation of an executable file using the exec service (BPX1EXC), the attach_exec service (BPX1ATX), or the spawn service (BPX1SPN). After one of those services has been invoked, the step libraries can be propagated from the calling task's environment. They can also be specified by using the STEPLIB environment variable that is passed to the exec service. When the exec service invokes a set-user-ID or set-group-ID executable file, only those libraries that are found in the sanctioned list are set up as step libraries in the environment that the executable file will run in.

The file must follow these formatting rules; if it does not, the sanctioned list is not built from the file.
  • You can include comment lines in the list. Each comment line must start with /* and end with */.
  • You must follow standard MVS data set naming conventions in naming the files in the list.
  • Each data set name must be fully qualified and cannot be enclosed in quotation marks.
  • Each data set name must be on a line by itself, with no comments.
  • You must use uppercase letters for data set names.
  • You can put blanks before and after each data set name. Entirely blank lines in the list are ignored.
  • You can use the * character to specify multiple files that begin with the same characters. For example, if you list SYS1.*, you are sanctioning any file that begins with SYS1. as a step library.

You should catalog each data set listed in the file to prevent user versions of the data set from being used.

Figure 1 shows a sample sanctioned list file:

Figure 1. A sample sanctioned list file
/********************************************************************/
/*                                                                  */
/*   Name: Sample Sanctioned List for set-user-ID and set-group-ID  */
/*         files                                                    */
/*                                                                  */
/*   Updated by:   May only be updated by OSTEPLIB TSO/E command    */
/*                                                                  */
/*   Description:  Contains a list of data set names that may       */
/*                 be used as STEPLIB libraries for SETUID          */
/*                 programs                                         */
/*                                                                  */
/*                 Wild cards may be used to specify multiple       */
/*                 data set names that have the same prefix         */
/*                 characters.                                      */
/*                                                                  */
/********************************************************************/

/********************************************************************/
/* Sanction all data set names beginning with CEE.SCEERUN           */
/********************************************************************/
CEE.SCEERUN*

To create or update the sanctioned list file, use the OSTEPLIB command, which sets read and execute permissions for all users (permissions 555) on the file. Because the sanctioned list file must be protected from update by nonprivileged users, only users with superuser authority should be given update access to it.

Because a working copy of the sanctioned list is maintained in storage, updates to the file take effect only when the next setuid(0) program is run from a process with read access to the STEPLIBLIST file.
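The following validator is an added example and is not IBM code or part of z/OS; it checks a sanctioned list file against the formatting rules listed above, answers whether a given data set name is covered by the list (trailing * is a prefix match, as in the SYS1.* example), and checks that the file's permission bits carry no write bit, matching the 555 permissions that OSTEPLIB sets. The MVS data set naming rules it enforces (1-44 characters, qualifiers of 1-8 characters, each starting with a letter or national character) are standard MVS conventions; the assumption that * appears only at the end of an entry is the example's own, since the page shows only that form. The first sample input is an abbreviated copy of Figure 1; the second is constructed to exercise each rule.

```python
"""Added example (not IBM's code): validate a STEPLIBLIST sanctioned list file
and check data set names against it, following the rules stated on this page."""
import re
import stat

# MVS data set name: qualifiers of 1-8 characters separated by periods, each
# starting with a letter or national character (@ # $) and continuing with
# letters, digits, national characters or hyphens; 44 characters in total.
_QUALIFIER = r"[A-Z@#$][A-Z0-9@#$-]{0,7}"
# Assumption (not stated on the page): the only wildcard form is a single
# trailing '*', either ending a qualifier (CEE.SCEERUN*) or standing alone
# after a period (SYS1.*).
_ENTRY_RE = re.compile(
    rf"^(?:(?:{_QUALIFIER}\.)*{_QUALIFIER}\*?|(?:{_QUALIFIER}\.)+\*)$"
)

# Abbreviated copy of the Figure 1 sample file from this page.
FIGURE1_LIST = """\
/********************************************************************/
/*   Name: Sample Sanctioned List for set-user-ID and set-group-ID  */
/*         files                                                    */
/*   Updated by:   May only be updated by OSTEPLIB TSO/E command    */
/********************************************************************/

/********************************************************************/
/* Sanction all data set names beginning with CEE.SCEERUN           */
/********************************************************************/
CEE.SCEERUN*
"""

# Constructed input: one violation per line, followed by one valid entry.
BAD_LIST = """\
/* comment line without a closing delimiter
sys1.linklib
'SYS1.LINKLIB'
SYS1.LINKLIB /* a comment on a name line */
   SYS1.*
"""


def parse_sanctioned_list(text):
    """Return (entries, errors). Any error means the system would not build
    the sanctioned list from this file at all."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()  # blanks before and after a name are allowed
        if not line:
            continue  # entirely blank lines are ignored
        if line.startswith("/*"):
            if not line.endswith("*/"):
                errors.append(f"line {lineno}: comment line must end with */")
            continue  # a comment line carries no data set name
        if "/*" in line or "*/" in line:
            errors.append(f"line {lineno}: name must be on a line by itself, with no comment")
            continue
        if "'" in line or '"' in line:
            errors.append(f"line {lineno}: name cannot be enclosed in quotation marks")
            continue
        if line != line.upper():
            errors.append(f"line {lineno}: data set names must be uppercase")
            continue
        if len(line.rstrip("*")) > 44 or not _ENTRY_RE.match(line):
            errors.append(f"line {lineno}: not a fully qualified MVS data set name")
            continue
        entries.append(line)
    return entries, errors


def is_sanctioned(dsname, entries):
    """True if dsname is covered by an entry. A trailing '*' is a prefix
    match: SYS1.* covers every name that begins with SYS1."""
    for entry in entries:
        if entry.endswith("*"):
            if dsname.startswith(entry[:-1]):
                return True
        elif dsname == entry:
            return True
    return False


def mode_is_protected(st_mode):
    """OSTEPLIB creates the file with permissions 555 (read and execute for
    all, writable by nobody). True when no write bit is set on the file."""
    return stat.S_IMODE(st_mode) & 0o222 == 0


if __name__ == "__main__":
    for label, text in (("Figure 1", FIGURE1_LIST), ("constructed", BAD_LIST)):
        entries, errors = parse_sanctioned_list(text)
        print(f"{label}: entries={entries} errors={errors}")
    print("CEE.SCEERUN sanctioned:", is_sanctioned("CEE.SCEERUN", ["CEE.SCEERUN*"]))
```

In practice the mode check would be fed `os.stat("/etc/steplib").st_mode`; it is kept as a pure function here so the rule can be exercised without the file present.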

Use the SETOMVS or SET OMVS command to dynamically change the value of STEPLIBLIST. However, this action only changes the current settings of the system. To make a permanent change, edit the BPXPRMxx member that will be used for IPLs.

Copyright IBM Corporation 1990, 2014