IBM Support

FTPs encounter setreuid() failures when implementing Kerberos

Troubleshooting


Problem

When Kerberos is implemented, attempts to log in to the z/OS FTP server through FTP fail. An FTP server trace shows the following messages:

    pass: setreuid() failed - EDC5139I Operation not permitted. (errno2=0B7A0000)
    pass: Process does not have permission to set the UID

Symptom

During the login process for a Kerberos-enabled FTP server, the login fails. An error reply might be sent back to the client. Turning on an FTP server trace with options FLO, ACC, and SEC results in the following errors:

    RA1365 pass: setreuid() failed - EDC5139I Operation not permitted. (errno2=0B7A0000)
    RA1410 pass: Process does not have permission to set the UID

This problem occurs only when the user logging in to the server does not have a UID (user ID) of zero.

Cause

Only a superuser (a user with a UID of zero) can use the setreuid() function to change its UID. In the case of a daemon such as FTP, once the user logs in, the FTP server spawns a daemon to handle the new user, and that daemon is given the UID of the user who has logged in. It is not feasible to grant every potential FTP user a UID of zero. The BPX.DAEMON facility was devised to allow non-superusers to have some superuser abilities when logged in through a daemon. When FTP is granted READ access to this facility, the daemons created when users log on can execute functions (such as setreuid()) that are normally available only to superusers. If access to BPX.DAEMON has not been granted, users encounter the errors shown above.

Resolving The Problem

Permit FTP READ access to BPX.DAEMON in RACF. This can be done using the following RACF command from the TSO READY prompt:


    PERMIT BPX.DAEMON CLASS(FACILITY) ID(ftpd_user_ID) ACCESS(READ)
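The same change with a before-and-after check, as an added example that is not part of the original IBM note. ftpd_user_ID is the page's placeholder for the user ID the FTP daemon runs under, and the SETROPTS refresh is an assumption that the FACILITY class is RACLISTed on your system.

```racf
RLIST FACILITY BPX.DAEMON AUTHUSER                               /* before: show the current access list */
PERMIT BPX.DAEMON CLASS(FACILITY) ID(ftpd_user_ID) ACCESS(READ)  /* the fix from this note */
SETROPTS RACLIST(FACILITY) REFRESH                               /* assumption: FACILITY is RACLISTed, so the in-storage profiles must be refreshed */
RLIST FACILITY BPX.DAEMON AUTHUSER                               /* after: ftpd_user_ID should be listed with READ */
```

Keep the BPX.DAEMON access list limited to the user IDs that daemons actually run under, since READ access lets a daemon take on the identity of the users it serves.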

Applies to: z/OS Communications Server (all components) on z/OS, versions 1.9, 1.10, 1.11, 1.12, 1.13, 2.1, and 2.2.

Document Information

Modified date:
23 June 2018

UID

swg21406405