Determine whether certain files are involved with link-edited programs with AC=1 (Part 1)

Description

Starting with z/OS V2R1, the invocation requirements for MVS load library programs invoked through the z/OS UNIX spawn, exec and attach_exec services have changed. These changes apply to the invocation of MVS programs link-edited AC=1 found in an APF-authorized library and for MVS load library programs that are to run as a z/OS UNIX set-user-id or set-group-id program. The following list describes the changes:
  • If the z/OS UNIX pathname that is supplied to spawn, exec or attach_exec represents an external link that resolves to an MVS program found in an APF-authorized library and link-edited with the AC=1 attribute, the external link must have an owning UID of 0 and not be found in a file system that is mounted as NOSECURITY to allow this type of invocation.
  • If the z/OS UNIX pathname that is supplied to spawn, exec, or attach_exec represents a regular file with the sticky bit attribute that resolves to an MVS program found in an APF-authorized library and link-edited with the AC=1 attribute, the sticky bit file must have an owning UID of 0 or have the APF extended attribute turned on to allow this type of invocation. Additionally, the sticky bit file must not be found in a file system that is mounted as NOSECURITY to allow this type of invocation.
  • If the z/OS UNIX pathname that is supplied to spawn, exec or attach_exec represents a symbolic link to a regular file with the sticky bit attribute and the sticky bit file has the set-user-id attribute, the symbolic link must have an owning UID of 0 or an owning UID equal to that of the sticky bit file. If the sticky bit file has the set-group-id attribute, the symbolic link must have an owning UID of 0 or an owning GID equal to that of the sticky bit file. Additionally, the symbolic link must not be found in a file system that is mounted as NOSECURITY to allow this type of invocation.
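The three rules above can be applied to an inventory of links and sticky bit files before the IPL. The following is an added example, not IBM code: the record layout and field names are hypothetical, the sample entries are constructed, and whether a path resolves to an AC=1 program in an APF-authorized library is supplied as input rather than discovered.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
@dataclass
class Entry:  # one inventory record; field names are hypothetical
    path: str
    kind: str                  # "extlink", "sticky" (regular file) or "symlink"
    uid: int
    gid: int
    nosecurity: bool = False   # file system is mounted NOSECURITY
    ac1_apf: bool = False      # resolves to an AC=1 program in an APF library
    apf_attr: bool = False     # APF extended attribute is turned on
    setuid: bool = False
    setgid: bool = False
    target: Optional["Entry"] = None   # sticky bit file behind a symlink

def findings(e: Entry) -> List[str]:
    """Reasons the invocation would not be allowed; empty list means OK."""
    out, applies = [], False
    if e.kind == "extlink" and e.ac1_apf:
        applies = True
        if e.uid != 0:
            out.append("external link owner is not UID 0")
    elif e.kind == "sticky" and e.ac1_apf:
        applies = True
        if e.uid != 0 and not e.apf_attr:
            out.append("owner is not UID 0 and APF attribute is off")
    elif e.kind == "symlink" and e.target and e.target.kind == "sticky":
        t = e.target
        applies = t.setuid or t.setgid
        if t.setuid and e.uid not in (0, t.uid):
            out.append("link UID is neither 0 nor the set-user-id file's UID")
        if t.setgid and e.uid != 0 and e.gid != t.gid:
            out.append("link UID is not 0 and GID differs from target GID")
    if applies and e.nosecurity:
        out.append("file system is mounted NOSECURITY")
    return out

def audit(entries: List[Entry]) -> Dict[str, List[str]]:
    return {e.path: f for e in entries if (f := findings(e))}

# Constructed sample inventory (paths, UIDs and GIDs are made up).
TOOL = Entry("/usr/lpp/demo/bin/tool", "sticky", uid=500, gid=20, setgid=True)
SAMPLE = [
    Entry("/usr/lpp/demo/bin/auth", "extlink", 0, 0, ac1_apf=True),
    Entry("/u/dev/bin/auth", "extlink", 1001, 20, ac1_apf=True, nosecurity=True),
    Entry("/usr/lpp/demo/bin/apfpgm", "sticky", 500, 20, ac1_apf=True, apf_attr=True),
    Entry("/usr/bin/tool", "symlink", 777, 20, target=TOOL),
    Entry("/u/dev/bin/tool", "symlink", 777, 99, target=TOOL),
]
```

Calling `audit(SAMPLE)` returns only the entries that break a rule, keyed by path, with one reason per violated condition.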

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: z/OS UNIX.
When change was introduced: z/OS V1R13 and z/OS V1R12, both with APAR OA41101.
Applies to migration from: z/OS V1R13 without APAR OA41101 applied.
Timing: Before the first IPL of V2R2.
Is the migration action required? No, but recommended even though most, if not all, IBM and vendor products install their executable files into the z/OS UNIX file system with an owning UID of 0, so few, if any, executable files on your system should have a problem.
Target system hardware requirements: None.
Target system software requirements: See Steps to take before the first IPL.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM Health Checker for z/OS check: None.

Steps to take before the first IPL

If you are migrating a z/OS system from z/OS V1R13 with APAR OA41101 installed, then no migration actions need to be taken. In this case, it is assumed that you have taken all required actions related to this APAR. Also see the documentation APAR OA41490.

If you are migrating from a z/OS system that does not have OA41101 installed and use the following IBM products, then you should ensure that you have the latest service levels and have followed the most recent install documentation for these IBM products:
  • IBM z/OS Problem Determination Tools File Manager Software V10 (see Doc APAR PM81080)
  • IBM z/OS Problem Determination Tools File Manager Software V11.1.0 with upgrade subset HADLB10 (ensure that PTF UK91613 is installed)
  • IBM z/OS Problem Determination Tools Common Component Software V1.6.0 with upgrade subset HVWR160 (ensure that PTF UK91612 is installed)
  • IBM InfoSphere Data Replication (see Doc APAR PM81306)
  • IBM Security zSecure Suite (see Technote 1625364)
  • IBM Tivoli Security Information and Event Manager (see Technote 1626384)

You may have to change the installation of some z/OS UNIX files and links provided by these products.

Otherwise, if you follow the standard install process for z/OS UNIX software, then you should not need to make any further changes related to APAR OA41101. Exceptions to this would be:
  • If you installed z/OS UNIX sticky bit files, symbolic links or external links for any of your own software without using SMP/E
  • If you installed any IBM or other vendor provided z/OS UNIX sticky bit files, symbolic links or external links outside the normal SMP/E install process
  • If you installed z/OS UNIX software using SMP/E from a user that is not running with UID 0 and is not permitted to BPX.SUPERUSER

If any of these exceptions exist on your system, then you might have to change the installation of these files and links. To identify all the sticky bit files, symbolic links and external links that need to change, you need to IPL with z/OS V2R2 installed. If any of these files or links are executed, you will then start seeing EC6-xxxxC04A abends along with message BPXP028I in the system log, which identifies the files or links that must be changed. You can then use the documentation for message BPXP028I to correct the files or links that are installed improperly.

For more information about message BPXP028I, see z/OS MVS System Messages, Vol 3 (ASB-BPX).

Steps to take after the first IPL

For steps to take after the first IPL, see Determine whether certain files are involved with link-edited programs with AC=1 (Part 2).

Reference information

For more information, see z/OS UNIX System Services Command Reference.