Switching in and out of superuser authority
You can switch in and out of superuser authority. This discussion assumes that the installation has not assigned UID(0) to its superusers. Instead, each user has a unique UID and has been permitted to the BPX.SUPERUSER resource in the FACILITY class.
- Enter the shell using the OMVS command and then issue the su command
with no operands. This creates a nested shell that runs with superuser
authority.
Programs that change the security environment cannot run in a multiprocess address space.
Tip: When running in this manner, editing a file with the OEDIT command (OEDIT with PF6) returns you to the TSO/E address space where your original authority is still in place.
- Enter the ISPF shell using the ISHELL command or a dialog selection.
From the ISPF shell, you can select the option to switch to superuser
state. You can then manage the file system using ISPF shell functions
while in the superuser state.
If you enter the ISPF shell, switch to superuser and then exit the ISPF shell, you might lose superuser authority. If the ISPF shell is the only process in the address space, you will lose all connection to kernel services when the ISPF shell terminates. If there is another dubbed process in this address space (for example, another ISPF shell, or a local shell), it will share the UID with the ISPF shell process. For example, you can open an ISPF shell on both sides of a split screen. When you toggle to superuser in one ISPF shell, it affects the address space and therefore, both ISPF shells are now superuser. Regardless of which ISPF shell terminates first, the address space retains its UIDs until the ISPF shell is used to toggle back, or the last process is undubbed.
- Enter the shell using rlogin or telnet. Once in the shell, enter the su command to create a nested shell that runs with superuser authority.
- After gaining superuser authority in the ISPF shell, you can split the screen in ISPF and enter the OMVS command. The shell that is started inherits the superuser authority set up in the ISPF shell. For privileged shells (when the effective UID does not match the real UID, or the effective GID does not match the real GID) $HOME/.profile is not run. If the file /etc/suid_profile exists, it will be run.
- If you are permitted to the BPX.SUPERUSER resource, then you can get superuser access through REXX.
- Use the su command from BPXBATCH. Run a job using BPXBATCH following one of these examples, each of which shows a copy of the file:
  - On the PARM= statement, include:
      SH echo cp /etc/profile /etc/junk | su
    This pipes the result of the echo command (that is, the copy command) into the su command.
  - With PARM='SH su', code:
      //STDIN DD PATH='/yourpath/input.stuff',PATHOPTS=(ORDONLY)
  - With no parameters coded at all, create a file that has the su command in it.
      //BATBPX1 EXEC PGM=BPXBATCH
      //STDIN DD PATH='/yourpath/suinput.stuff',PATHOPTS=(ORDONLY)
    In the suinput.stuff section, you would have the su command followed by the copy command. These are commands as you would have entered them from the console if you had been running in the z/OS UNIX shell.
Also, when you set up your own $HOME/.profile as superuser, specify the /usr/sbin directory in your PATH environment variable because certain superuser utilities are in that directory instead of the /bin directory, such as automount. For more information about the profile, see Customizing $HOME/.profile.
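The privileged-shell rule described earlier (effective UID or GID differing from the real one) decides whether $HOME/.profile or /etc/suid_profile is run. The following POSIX shell functions are an added example, not IBM-supplied code: they apply that rule to a set of IDs and check the permissions of the suid_profile file. The function names are hypothetical, and the test for group or world write access is an added hardening assumption that this page does not state.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of z/OS UNIX.

# Succeeds when a shell with these IDs is privileged under the rule above:
# effective UID differs from real UID, or effective GID from real GID.
is_privileged() {    # args: real_uid eff_uid real_gid eff_gid
    [ "$1" != "$2" ] || [ "$3" != "$4" ]
}

# Prints the profile such a shell would run. Prints nothing when the shell
# is privileged and the suid_profile file does not exist.
profile_to_run() {   # args: real_uid eff_uid real_gid eff_gid home [suid_profile]
    suid_profile=${6:-/etc/suid_profile}
    if is_privileged "$1" "$2" "$3" "$4"; then
        if [ -f "$suid_profile" ]; then echo "$suid_profile"; fi
    else
        echo "$5/.profile"
    fi
}

# Succeeds when the file is absent or not writable by group or other.
# Assumption (not from the page): whoever can edit this file can place
# commands that later run inside privileged shells.
suid_profile_is_safe() {   # arg: [path], defaults to /etc/suid_profile
    f=${1:-/etc/suid_profile}
    [ -e "$f" ] || return 0
    [ -z "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Report for the shell that is running this script.
report_current_shell() {
    p=$(profile_to_run "$(id -ru)" "$(id -u)" "$(id -rg)" "$(id -g)" "${HOME:-}")
    echo "real uid=$(id -ru) effective uid=$(id -u) profile=${p:-none}"
    suid_profile_is_safe || echo "WARNING: /etc/suid_profile is group- or world-writable"
}

report_current_shell
```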