Explanation
This message is issued when the invocation of
an MVS™ load library resident
program is attempted in a manner that is not permitted. This error
is caused by a call to the z/OS® UNIX spawn, exec or attach_exec
callable service against a z/OS UNIX file or link that does not
have the required attributes to allow this type of invocation. The
following are the possible z/OS UNIX files or links that can cause
this error:
- The z/OS UNIX path name supplied to spawn, exec or attach_exec
represents an external link that resolves to the named MVS program found in an APF-authorized library
and link-edited with the AC=1 attribute. The external link must
have a owning UID of 0 and not be found in a file system mounted
as NOSECURITY to allow this type of invocation. You can use the z/OS UNIX chown command
to change the file owning UID to 0 for a z/OS UNIX file
or link. See z/OS UNIX System Services Command Reference for
documentation regarding the use of the chown command.
- The z/OS UNIX pathname supplied to spawn, exec, or attach_exec
represents a regular file with the sticky bit attribute that resolves
to the named MVS program found
in an APF-authorized library and link-edited with the AC=1 attribute.
A sticky bit file must have an owning UID of 0 or have the APF extended
attribute turned on to allow this type of invocation. The APF extended
attribute is not honored for a file system mounted as NOSECURITY or
NOSETUID. A user must have READ permission to the BPX.FILEATTR.APF RACF® Facility Class Profile to
update the APF extended attribute of a file. See z/OS UNIX System Services Planning for
documentation regarding this profile and setting the APF attribute.
- The z/OS UNIX pathname supplied to spawn, exec or attach_exec
represents a symbolic link to a regular file with the sticky bit attribute.
The named MVS program is derived
from the symbolic link file name. If the sticky bit file has the
set-user-id attribute, the symbolic link must have an owning uid of
0 or an owning uid equal to that of the sticky bit file. If the
sticky bit file has the set-group-id attribute, the symbolic link
must have an owning uid of 0 or an owning gid equal to that of the
sticky bit file. If the named MVS program
is found in an APF-authorized library and is link-edited with the
AC=1 attribute, the symbolic link must have a owning UID of 0 regardless
of the other attributes of the sticky bit file. In all of these
cases, the symbolic link must not be found in a file system mounted
as NOSECURITY to allow this type of invocation. It is possible
that either the symbolic link itself or the sticky bit file it represents
are the cause of the problem. If the symbolic link has the proper
attributes, then the sticky bit file it points to must be checked
to ensure it has the proper attributes as described previously.
In the message text:
- pathname
- The path name in the z/OS UNIX file system that was supplied
to the spawn, exec or attach_exec callable service involved in the
error. The path name displayed in this message is limited to 64
characters. Note that this path name might not be a fully qualified
path name and may be truncated on the left, or it may represent a
symbolic link that resolves to the sticky bit file in error. The
inode number and device ID should be used to uniquely identify the
fully qualified path name for the file or link that is the cause of
the error. Once the fully qualified path name is determined, its
file attributes can be viewed using the z/OS UNIX shell ls command
to determine whether it represents a sticky bit file, a symbolic link
or an external link. The following is a ls command example against
a file with a fully qualified path name of /u/bin/testpgm that shows
the file's attributes:
ls -El /u/bin/testpgm
- devid
- The device ID (st_dev) of file system containing the file or link.
Use the D OMVS,F console command or the z/OS UNIX shell
df -v command to determine the path associated with the device ID.
A determination should also be made as to whether the file system
is mounted as NOSETUID or NOSECURITY, since this can be the cause
of the error. The z/OS UNIX shell df command
can be used to view the attributes of a file system. The following
is a df command example against a file system with a path name of
/u/bin/:
df -v /u/bin/
- inodeno
- The inode number (st_ino) of file. The z/OS UNIX shell
find command can be used to determine the fully qualified path name
by supplying to the find command the path name associated with the
device ID to start the search from along with the inode number.
The following is a find command example where the path name associated
with the device ID resolved to /u/bin/ and the inode number value
is 1250:
find /u/bin/ -xdev -inum 1250
- membername
- The member name of the associated MVS program
that was the target of the failing spawn, exec or attach_exec callable
service.
System action
There will be an associated abend code EC6 reason
code xxxxC04A with this error
Operator response
Contact the system programmer.
System programmer response
If the identified MVS program is part of an IBM® or another vendor's product, contact IBM or the other vendor that owns
this program. Otherwise, if the identified MVS program is one of your installation specific
programs then you must determine if it is appropriate for the MVS program to be invoked from a z/OS UNIX environment.
The various z/OS UNIX environments can include, but are not limited
to, invocation from the z/OS UNIX shell, BPXBATCH, the z/OS UNIX System
Services ISPF shell, a REXX exec using Address Syscall, or a program
using the z/OS UNIX exec, spawn or attach_exec services. If
this type of invocation is appropriate for the identified program,
then you must change the attributes of the file or link as indicated
in the explanation of the error.
Module
Source
z/OS UNIX System Services Kernel
Routing Code
11 (and hardcopy log)