IBM Support

IO19616: GIMUNZIP SETS UID(0) TOO LATE WHEN USER HAS READ ACCESS TO BPX.SUPERUSER

A fix is available

 

APAR status

  • Closed as program error.

Error description

  • GIMUNZIP and GIMZIP intend to set both the effective UID and the
    real UID values to zero if the user has read access to
    BPX.SUPERUSER, before attempting to update any files in the UNIX
    file system.  However, before that happens, they attempt a MKDIR
    to create the work directory in SMPWKDIR.  If the user does not
    already have access to the SMPWKDIR based on permission bits,
    the MKDIR fails and we never get as far as setting the UID to
    zero.
    
    If the SMPWKDIR DD statement is not coded in the JCL, then
    GIMUNZIP and GIMZIP use the directory specified on the SMPDIR DD
    statement instead of the SMPWKDIR DD.  They attempt to do the
    MKDIR on SMPDIR at the same point in the code, before the UID
    values are set to zero if BPX.SUPERUSER permits.  So the same
    MKDIR failure occurs on the SMPDIR DD, if the SMPWKDIR DD is not
    coded and the user does not already have access to the SMPDIR
    based on permission bits.
    
    If using RACF, the security violation on the MKDIR looks like
    this:
    ICH408I USER(userid ) GROUP(group) NAME(#################)
      /u/smpwkdir/smpeyyyydddhhmmssnnnnnn/
      CL(DIRACC  ) FID(E9E2E2D4E2F500F80000000000010001)
      INSUFFICIENT AUTHORITY TO MKDIR
      ACCESS INTENT(-W-)  ACCESS ALLOWED(OTHER      R-X)
      EFFECTIVE UID(non-zero)  EFFECTIVE GID(non-zero)
    
    SMP/E also writes the messages:
    GIM43501S ** THE CALL TO THE BPX1MKD SERVICE FAILED WHEN
                 PROCESSING /u/smpwkdir/smpeyyyydddhhmmssnnnnnn/.
                 THE RETURN CODE WAS '0000006F'X AND THE REASON
                 CODE WAS 'EF086015'X.
    GIM52200I    AN ERROR OCCURRED WHILE SMP/E WAS CREATING
                 /u/smpwkdir/smpeyyyydddhhmmssnnnnnn/.
    GIM20501I    GIMUNZIP PROCESSING IS COMPLETE. THE HIGHEST RETURN
                 CODE WAS 12.
    
    Additional Keywords:
    msgICH408I msgGIM43501S msgGIM52200I
    

Local fix

  • Modify the permission bits on the SMPWKDIR or SMPDIR directory,
    to allow the MKDIR to succeed.
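
The check below is an added example, not IBM code or part of the APAR: it scans job output for the ICH408I MKDIR denial and the matching GIM43501S BPX1MKD failure quoted in the error description, and reports the parent directory whose permission bits the local fix refers to. The sample log is constructed from the message layouts shown above; the user, group, work-directory name and UID/GID values, and the function name `find_early_mkdir_denials`, are assumptions.

```python
import re

# Constructed sample job output, shaped like the messages quoted in the APAR
# (user, group, work-directory name and UID/GID values are made up).
SAMPLE_LOG = """\
ICH408I USER(SMPUSR  ) GROUP(SMPGRP  ) NAME(CONSTRUCTED USER    )
  /u/smpwkdir/smpe2013248101530123456/
  CL(DIRACC  ) FID(E9E2E2D4E2F500F80000000000010001)
  INSUFFICIENT AUTHORITY TO MKDIR
  ACCESS INTENT(-W-)  ACCESS ALLOWED(OTHER      R-X)
  EFFECTIVE UID(0000000523)  EFFECTIVE GID(0000000040)
GIM43501S ** THE CALL TO THE BPX1MKD SERVICE FAILED WHEN
             PROCESSING /u/smpwkdir/smpe2013248101530123456/.
             THE RETURN CODE WAS '0000006F'X AND THE REASON
             CODE WAS 'EF086015'X.
GIM20501I    GIMUNZIP PROCESSING IS COMPLETE. THE HIGHEST RETURN
             CODE WAS 12.
"""

# Both messages wrap across lines, so the patterns match with DOTALL.
ICH408I = re.compile(
    r"ICH408I USER\((?P<user>[^)]*)\).*?\n\s*(?P<path>/\S+)\s*\n"
    r"\s*CL\((?P<cls>[^)]*)\).*?INSUFFICIENT AUTHORITY TO (?P<op>\w+)"
    r".*?EFFECTIVE UID\((?P<euid>[^)]*)\)", re.S)
GIM43501S = re.compile(
    r"GIM43501S \*\* THE CALL TO THE (?P<svc>\w+) SERVICE FAILED WHEN\s+"
    r"PROCESSING (?P<path>/\S+?)\.\s+"
    r"THE RETURN CODE WAS '(?P<rc>[0-9A-F]{8})'X", re.S)

def find_early_mkdir_denials(log):
    """Return MKDIR denials that SMP/E also reported as BPX1MKD failures."""
    # Return code 0000006F is decimal 111, EACCES in z/OS UNIX.
    failed = {m["path"]: m["rc"] for m in GIM43501S.finditer(log)
              if m["svc"] == "BPX1MKD"}
    hits = []
    for m in ICH408I.finditer(log):
        euid = m["euid"].strip()
        nonzero = not (euid.isdigit() and int(euid) == 0)  # UID not yet set to 0
        if (m["op"] == "MKDIR" and m["cls"].strip() == "DIRACC"
                and nonzero and m["path"] in failed):
            hits.append({"user": m["user"].strip(), "path": m["path"],
                         "parent": m["path"].rstrip("/").rsplit("/", 1)[0],
                         "rc": failed[m["path"]]})
    return hits
```

The `parent` field of each hit is the SMPWKDIR (or SMPDIR) directory in which the MKDIR was refused.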
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of the GIMZIP and GIMUNZIP         *
    *                 services with insufficient permission to     *
    *                 access the SMPDIR or SMPWKDIR directory      *
    ****************************************************************
    * PROBLEM DESCRIPTION: MSGGIM43501S when creating the SMPWKDIR *
    *                      directory during SMP/E GIMZIP and       *
    *                      GIMUNZIP processing.                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Both GIMZIP and GIMUNZIP require a work directory into which
    elements may be staged during processing.  This directory is
    created in the SMPWKDIR DD if one is specified.  If a SMPWKDIR
    DD is not specified, the work directory is created in the SMPDIR
    DD.
    
    GIMZIP and GIMUNZIP intend to set both the effective UID and the
    real UID values to zero if the user has read access to
    BPX.SUPERUSER, before attempting to update any files in the UNIX
    file system (including the creation of the working directory).
    However, both GIMZIP and GIMUNZIP attempt to create the work
    directory before changing the UIDs.
    

Problem conclusion

  • Modules GIMZPDRV, GIMZPPRC and GIMUZPRC have been modified at
    the SMP/E 3.5 and SMP/E 3.6 levels to set effective UID and real
    UID values to zero prior to creating the work directory.
    H00Y
    J00Y
    GIMJVLVL
    GIMLEVEL
    GIMUZPRC
    GIMZPDRV
    GIMZPPRC
    

Temporary fix

Comments

APAR Information

  • APAR number

    IO19616

  • Reported component name

    SMP/E

  • Reported component ID

    566894901

  • Reported release

    H00

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-09-05

  • Closed date

    2013-09-18

  • Last modified date

    2013-11-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UO01618 UO01619

Modules/Macros

  • GIMJVLVL GIMLEVEL GIMUZPRC GIMZPDRV GIMZPPRC
    

Fix information

  • Fixed component name

    SMP/E

  • Fixed component ID

    566894901

Applicable component levels

  • RH00 PSY UO01618

       UP13/09/23 P F309

  • RJ00 PSY UO01619

       UP13/09/23 P F309

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
26 November 2013