STEPLIBLIST
z/OS UNIX System Services Planning GA32-0884-00
STEPLIBLIST specifies the path name of the file in the file system that contains the list of MVS™ data sets to be used as step libraries for programs that have the set-user-ID or set-group-ID bit turned on.

Step libraries have many uses; one is so that selected users can test new versions of run-time libraries before the new versions are made available to everyone on the system. Customers who do not put the Language Environment® library SCEERUN into the linklist should put the SCEERUN data set name in this file.

If your installation runs programs that have the setuid or setgid bit turned on, only those load libraries that are found in the STEPLIBLIST sanctioned list are set up as step libraries in the environment that those programs will run in. Because programs with the setuid or setgid bit turned on are considered privileged programs, they must run in a controlled environment. The STEPLIBLIST sanctioned list provides this control by allowing those programs to use only the step libraries that the installation considers trusted.

Tip: The path name of the file should be /etc/steplib. This naming strategy fits in with the IBM® strategy to place all customized data in the /etc directory.
If you do not specify a value for STEPLIBLIST, step libraries will not be set up for set-user-ID and set-group-ID executable files.

These step libraries are set up as a result of the invocation of an executable file using the exec service (BPX1EXC), the attach_exec service (BPX1ATX) or spawn (BPX1SPN) service. After one of those services has been invoked, the step libraries can be propagated from the calling task's environment. They can also be specified by using the STEPLIB environment variable that is passed to the exec service. When the exec service invokes a set-user-ID or set-group-ID executable file, only those libraries that are found in the sanctioned list are set up as step libraries in the environment that the executable file will run in.

If the file does not follow these formatting rules, the sanctioned list is not built using the file.
You should catalog each data set listed in the file to prevent user versions of the data set from being used. Figure 1 shows a sample sanctioned list file:

Figure 1. A sample sanctioned list file
To create or update the sanctioned list file, use the OSTEPLIB command, which specifies read and execute permissions for all users (permissions 555). Because the sanctioned list file must be protected from update by nonprivileged users, only users with superuser authority should be given update access to it.

Updates to the file take effect only when the next setuid(0) program is run from a process with read access to the STEPLIBLIST file because a working copy of the sanctioned list is maintained in storage.

Use the SETOMVS or SET OMVS command to dynamically change the value of STEPLIBLIST. However, this action only changes the current settings of the system. To make a permanent change, edit the BPXPRMxx member that will be used for IPLs.
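One way to audit the protection described above, as an added example that is not IBM's code: a POSIX shell function that checks that a sanctioned list file has permissions 555 and the expected owner. The function name `audit_steplist` and the default owner UID of 0 are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the protection of a STEPLIBLIST sanctioned list file.
# Usage: audit_steplist PATH [EXPECTED_UID]
#   PATH          file named by STEPLIBLIST (the tip above suggests /etc/steplib)
#   EXPECTED_UID  numeric owner to require; the default 0 is an assumption
# Prints one finding per line.
# Returns 0 if clean, 1 if there are findings, 2 if the file cannot be checked.
audit_steplist() {
    file=$1
    want_uid=${2:-0}
    rc=0

    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file"
        return 2
    fi

    # ls -ln gives the mode string and numeric owner without needing stat(1).
    set -- $(ls -lnd "$file")
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop any ACL/attribute suffix
    uid=$3

    # The page states permissions 555: read and execute for all, no write.
    if [ "$mode" != "-r-xr-xr-x" ]; then
        echo "FAIL: mode is $mode, expected -r-xr-xr-x (555)"
        rc=1
    fi

    # Call out the dangerous case: group or other can update the list.
    case $mode in
        ?????w*|????????w*)
            echo "FAIL: group or other has write access to the sanctioned list"
            rc=1 ;;
    esac

    # With mode 555, only the superuser can update a file it owns.
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: owner uid is $uid, expected $want_uid"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file is $mode, owner uid $uid"
    return $rc
}
```

Run it as `audit_steplist /etc/steplib`, or against whatever path your BPXPRMxx member sets for STEPLIBLIST.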
Copyright IBM Corporation 1990, 2014