PQ92115: RSH CLIENT FAILS WHEN RESTRICTLOWPORTS IS CODED IN TCPCONFIG

APAR status

• Closed as fixed if next.

Error description

• The RSH client will not be able to bind to the low ports when
  RESTRICTLOWPORTS is coded in TCPCONFIG.  It will fail with
  message:
  EZA5051E  The call to rcmd_af procedure failed:
  EZA4994I  Foreign host aborted the connection.
  In previous releases, RSH was APF authorized.  So, it had access
  to bind to the ports even when RESTRICTLOWRPORTS was coded.
  But, on 1.5, RSH is not APF authorized.  So, it is not able to
  bind to these ports.
  .
  KEYWORDS: RSH ORSH EZARSH EZAORSHC
  .
  VERIFICATION STEPS:
  RSH will work for superusers, but not for ordinary users.
  

Local fix

• Code UNRESTRICTLOWPORTS in TCPCONFIG.  Or, run a run a linkedit
  job outside of SMP/E that would mark this as APF authorized with
  AC=1.
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of the Communications Server for   *
  *                 z/OS Version 1 Release 5 & 6 IP: RSH         *
  ****************************************************************
  * PROBLEM DESCRIPTION: RSH client issues msgEZA5051E and fails *
  *                      without executing the remote command.   *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  The RSH client issues a bind() to a port number below 1024.  The
  bind() request may fail if RESTRICTLOWPORTS is coded on the
  TCPCONFIG or ASSORTEDPARMS statement.  The RSH client program is
  linked AC(0) causing it to be unauthorized.  The TCPIP stack
  will fail a bind() request for a low port unless the program is
  APF authorized or the invoking userid has UID(0) in the OMVS
  segment.
  Specifying the -d debug option will generate the following error
  messages indicating the bind() has failed.
  
  EZYRC33E  The call to rcmd_af procedure failed:
      EDC5111I Permission denied. rsn = 744C7246
  
  +-------------------------------------------------------------+
  + Please check our Communications Server for OS/390 homepages +
  + for common networking tips and fixes.  The URL for these    +
  + homepages can be found in Informational APAR II11334.       +
  +-------------------------------------------------------------+
  

Problem conclusion

Temporary fix

Comments

• This APAR is being closed FIN (Fixed If Next) with concurrence
  from the submitting customer. This means that a fix to this
  APAR is expected to be delivered from IBM in a release (if any)
  to be available within the next 24 months.
  
  This problem will be tracked as PTR MV30840 by Communications
  Server for z/OS Development.
  
  PTR30840   PTR 30840
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels