Determine whether certain files are involved with link-edited programs with AC=1 (Part 2)
Description
- If the z/OS UNIX pathname that is supplied to spawn, exec or attach_exec represents an external link that resolves to an MVS program found in an APF-authorized library and link-edited with the AC=1 attribute, the external link must have an owning UID of 0 and not be found in a file system that is mounted as NOSECURITY to allow this type of invocation.
- If the z/OS UNIX pathname that is supplied to spawn, exec, or attach_exec represents a regular file with the sticky bit attribute that resolves to an MVS program found in an APF-authorized library and link-edited with the AC=1 attribute, the sticky bit file must have an owning UID of 0 or have the APF extended attribute turned on to allow this type of invocation. Additionally, the sticky bit file must not be found in a file system that is mounted as NOSECURITY to allow this type of invocation.
- If the z/OS UNIX pathname that is supplied to spawn, exec or attach_exec represents a symbolic link to a regular file with the sticky bit attribute and the sticky bit file has the set-user-id attribute, the symbolic link must have an owning UID of 0 or an owning UID equal to that of the sticky bit file. If the sticky bit file has the set-group-id attribute, the symbolic link must have an owning UID of 0 or an owning GID equal to that of the sticky bit file. Additionally, the symbolic link must not be found in a file system that is mounted as NOSECURITY to allow this type of invocation.
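The three rules above can be written as one decision function for reviewing an inventory of links and sticky bit files. This is an added example, not IBM code; the `Entry` fields, function names and sample pathnames are assumptions made up for illustration, and the metadata is expected to be collected separately.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    # Constructed metadata model; field names are assumptions, not a z/OS API.
    kind: str                  # "external_link", "sticky_file" or "symlink"
    uid: int                   # owning UID of this entry
    gid: int                   # owning GID of this entry
    nosecurity: bool = False   # file system is mounted NOSECURITY
    apf_attr: bool = False     # APF extended attribute is on (sticky bit files)
    setuid: bool = False       # set-user-id attribute (sticky bit files)
    setgid: bool = False       # set-group-id attribute (sticky bit files)
    target: Optional["Entry"] = None  # sticky bit file a symlink points to

def violations(e: Entry) -> list:
    """Reasons an entry fails the rules (empty list: passes). Links and sticky
    files are assumed to resolve to an AC=1 program in an APF library."""
    out = []
    if e.nosecurity:
        out.append("file system mounted NOSECURITY")
    if e.kind == "external_link" and e.uid != 0:
        out.append("external link not owned by UID 0")
    elif e.kind == "sticky_file" and e.uid != 0 and not e.apf_attr:
        out.append("sticky bit file needs UID 0 or the APF extended attribute")
    elif e.kind == "symlink" and e.target is not None:
        t = e.target  # the target is audited separately as a sticky_file
        if t.setuid and e.uid not in (0, t.uid):
            out.append("symlink UID is neither 0 nor the set-user-id file's UID")
        if t.setgid and e.uid != 0 and e.gid != t.gid:
            out.append("symlink needs UID 0 or the set-group-id file's GID")
    return out

# Constructed sample entries (not taken from a real system).
SUID_TOOL = Entry("sticky_file", uid=500, gid=20, apf_attr=True, setuid=True)
SAMPLES = {
    "/u/ext/prog": Entry("external_link", uid=1001, gid=20),
    "/usr/lpp/x/tool": SUID_TOOL,
    "/u/bin/tool": Entry("symlink", uid=1001, gid=20, target=SUID_TOOL),
    "/u/bin/tool2": Entry("symlink", uid=500, gid=99, target=SUID_TOOL),
    "/tmp/fs/sticky": Entry("sticky_file", uid=0, gid=0, nosecurity=True),
}

def audit(entries: dict) -> dict:
    """Map each failing pathname to its list of violations."""
    return {p: v for p, e in entries.items() if (v := violations(e))}

if __name__ == "__main__":
    for path, reasons in audit(SAMPLES).items():
        print(path, "->", "; ".join(reasons))
```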
Table 1 provides more details about this migration action. Use this information to plan your changes to the system.
Element or feature: | z/OS UNIX. |
---|---|
When change was introduced: | z/OS V1R13 and z/OS V1R12, both with APAR OA41101. |
Applies to migration from: | z/OS V1R13 without APAR OA41101 applied. |
Timing: | After the first IPL of z/OS V2R2. (For steps to take before the first IPL, see Determine whether certain files are involved with link-edited programs with AC=1 (Part 1)). |
Is the migration action required? | No, but recommended even though most, if not all, IBM and vendor products install their executable files into the z/OS UNIX file system with an owning UID of 0, so few, if any, executable files on your system should have a problem. |
Target system hardware requirements: | None. |
Target system software requirements: | None. |
Other system (coexistence or fallback) requirements: | None. |
Restrictions: | None. |
System impacts: | None. |
Related IBM Health Checker for z/OS check: | None. |
Steps to take after the first IPL
If you see EC6-xxxxC04A abends occurring, look for message BPXP028I in the system log to determine the details of the z/OS UNIX files or links and MVS programs involved with the errors and how to correct the problem. This abend indicates an attempt to execute an improperly installed z/OS UNIX sticky bit file, symbolic link or external link that resolves to an MVS program.
For more information about message BPXP028I, see z/OS MVS System Messages, Vol 3 (ASB-BPX).
For the steps to take before the first IPL, see Determine whether certain files are involved with link-edited programs with AC=1 (Part 1).
Reference information
For more information, see z/OS UNIX System Services Command Reference.