IBM Support

OA41490: EXEC() SPAWN() MVS PROGRAM

 

APAR status

  • Closed as documentation error.

Error description

  • Documentation when execing/spawning an MVS program
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of z/OS UNIX Services on HBB7770   *
    *                 and HBB7780.                                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The documentation changes described in this APAR are
    related to the changes for APAR OA41101.
    

Problem conclusion

  • z/OS MVS System Codes (SA22-7626-xx)
    
    New EC6 Abend Reason Code:
    
    Code Explanation:
    C04A
        Exec or Spawn processing failed because the target MVS load
        library program cannot be invoked in the manner attempted.
    
    Code Response:
    
    C04A   The failure was the result of an attempted invocation of
    an MVS load library program.  The z/OS UNIX sticky bit file or
    link that resolved to the MVS program does not have the proper
    attributes to allow this type of invocation.  General purpose
    register 4 at the time of this abend contains the name of the
    MVS program that could not be invoked.  Message BPXP028I
    accompanies this abend.  See z/OS MVS System Messages Vol 3
    (ASB-BPX) for the details regarding this error.
    
    
    z/OS MVS System Messages Vol. 3 (ASB-BPX) (SA22-7633-xx)
    
    New BPXP028I message:
    
    BPXP028I  SPAWN or EXEC ERROR FOR FILE PATH pathname DEVICE ID
    devid INODE inodeno.  THE ASSOCIATED MVS MEMBER NAME IS
    membername.
    
    Explanation: This message is issued when the invocation of an MVS
    load library resident program is attempted in a manner that is
    not permitted.  This error is caused by a call to the z/OS UNIX
    spawn, exec or attach_exec callable service against a z/OS UNIX
    file or link that does not have the required attributes to allow
    this type of invocation.  The following are the possible z/OS
    UNIX files or links that can cause this error:
    
    o The z/OS UNIX pathname supplied to spawn, exec or attach_exec
      represents an external link that resolves to the named MVS
      program found in an APF-authorized library and linkedited with
      the AC=1 attribute.  The external link must have an owning UID
      of 0 and not be found in a file system mounted as NOSECURITY
      to allow this type of invocation.  You can use the z/OS UNIX
      chown command to change the file owning UID to 0 for a z/OS
      UNIX file or link.  See z/OS UNIX System Services Commands
      for documentation regarding the use of the chown command.
    
    o The z/OS UNIX pathname supplied to spawn, exec, or attach_exec
      represents a regular file with the sticky bit attribute that
      resolves to the named MVS program found in an APF-authorized
      library and linkedited with the AC=1 attribute.   A sticky bit
      file must have an owning UID of 0 or have the APF extended
      attribute turned on to allow this type of invocation.   The
      APF extended attribute is not honored for a file system
      mounted as NOSECURITY or NOSETUID.   A user must have READ
      permission to the BPX.FILEATTR.APF RACF Facility Class Profile
      to update the APF extended attribute of a file.    See z/OS
      UNIX System Services Planning for documentation regarding this
      profile and setting the APF attribute.
    
    o The z/OS UNIX pathname supplied to spawn, exec or
      attach_exec represents a symbolic link to a regular file with
      the sticky bit attribute.  The named MVS program is derived
      from the symbolic link file name.  If the sticky bit file
      has the set-user-id attribute, the symbolic link must have an
      owning uid of 0 or an owning uid equal to that of the sticky
      bit file.  If the sticky bit file has the set-group-id
      attribute, the symbolic link must have an owning uid of 0 or
      an owning gid equal to that of the sticky bit file.  If the
      named MVS program is found in an APF-authorized library and is
      linkedited with the AC=1 attribute, the symbolic link must
      have an owning UID of 0 regardless of the other attributes of
      the sticky bit file.  In all of these cases, the symbolic
      link must not be found in a file system mounted as NOSECURITY
      to allow this type of invocation.  It is possible that
      either the symbolic link itself or the sticky bit file it
      represents is the cause of the problem.  If the symbolic link
      has the proper attributes, then the sticky bit file it points
      to must be checked to ensure it has the proper attributes as
      described previously.
    
    
    In the message text:
    
    pathname
        The path name in the z/OS UNIX file system that was supplied
        to the spawn, exec or attach_exec callable service involved
        in the error.  The path name displayed in this message is
        limited to 64 characters.  Note that this path name might
        not be a fully qualified path name and may be truncated on
        the left, or it may represent a symbolic link that resolves
        to the sticky bit file in error.  The inode number and
        device ID should be used to uniquely identify the fully
        qualified path name for the file or link that is the cause
        of the error.  Once the fully qualified path name is
        determined, its file attributes can be viewed using the
        z/OS UNIX shell ls command to determine whether it
        represents a sticky bit file, a symbolic link or an external
        link.  The following is an ls command example against a file
        with a fully qualified path name of /u/bin/testpgm that
        shows the file's attributes:
    
            ls -El /u/bin/testpgm
    
    devid
        The device ID (st_dev) of the file system containing the
        file or link.  Use the D OMVS,F console command or the z/OS
        UNIX shell df -v command to determine the path associated
        with the device ID.  A determination should also be made as
        to whether the file system is mounted as NOSETUID or
        NOSECURITY, since this can be the cause of the error.  The
        z/OS UNIX shell df command can be used to view the
        attributes of a file system.  The following is a df command
        example against a file system with a path name of /u/bin/:
    
            df -v /u/bin/
    
    inodeno
        The inode number (st_ino) of the file.  The z/OS UNIX shell
        find command can be used to determine the fully qualified
        path name by supplying to the find command the path name
        associated with the device ID to start the search from along
        with the inode number.  The following is a find command
        example where the path name associated with the device ID
        resolved to /u/bin/ and the inode number value is 1250:
    
            find /u/bin/ -xdev -inum 1250
    
    membername
        The member name of the associated MVS program that was the
        target of the failing spawn, exec or attach_exec callable
        service.
    
    System Action: There will be an associated abend code EC6 reason
    code xxxxC04A with this error.
    
    Operator Response: Contact the system programmer.
    
    System Programmer Response:  If the identified MVS program is
    part of an IBM or another vendor's product, contact IBM or the
    other vendor that owns this program.  Otherwise, if the
    identified MVS program is one of your installation-specific
    programs, then you must determine if it is appropriate for the
    MVS program to be invoked from a z/OS UNIX environment.  The
    various z/OS UNIX environments can include, but are not limited
    to, invocation from the z/OS UNIX Shell, BPXBATCH, the z/OS UNIX
    System Services ISPF Shell, a REXX exec using Address Syscall, or
    a program using the z/OS UNIX exec, spawn or attach_exec
    services.  If this type of invocation is appropriate for the
    identified program, then you must change the attributes of the
    file or link as indicated in the explanation of the error.
    
    Source: z/OS UNIX System Services kernel (BPX)
    
    Detecting Module: BPXPRECP
    
    Routing Code:  11 (and hardcopy log)
    
    Descriptor Code: 6
    
    
    z/OS UNIX System Services Planning (GA22-7800-xx)
    
    The following new section is to be added:
    
    4.23.8 Creating a sticky bit file or external link for an MVS APF
    Authorized Program
    
    If there is a need from a z/OS UNIX environment to invoke an
    MVS program linkedited AC=1 located in an APF-authorized
    library, a sticky bit file or external link can be set up to
    point to this program.  You need to ensure that the sticky bit
    file is installed with an owning UID of 0 or with the APF
    extended attribute, or that the external link is installed with
    an owning UID of 0.  Because a file system mounted as
    NOSECURITY is considered untrusted, any file or link installed
    in a file system mounted as NOSECURITY is not considered trusted
    for this type of invocation.  Also, a file with the APF
    extended attribute is not honored if found in a file system
    mounted as NOSETUID.  Failure to follow this setup will cause
    the execution of the program to fail when invoked via the z/OS
    UNIX spawn, exec or attach_exec callable service.
    
    
    z/OS UNIX System Services Programming:  Assembler Callable
    Services Reference (SA22-7803-xx)
    
    Usage note 9 for the attach_exec (BPX1ATX and BPX4ATX) callable
    service should be changed to read as follows:
    
         If the specified file name resolves to an external link or
    a sticky bit file, the program is loaded from the caller's MVS
    load library search order.  For an external link, the external
    name is used only if the name is eight characters or less;
    otherwise the caller receives an error from the attach_exec
    service.  For a sticky bit program, the specified file name is
    used if it is eight characters or less.  Otherwise, the program
    is loaded from the z/OS UNIX file system.  If the attach_exec
    caller is running APF authorized and the specified sticky bit
    file or link resolves to an MVS program linkedited AC=1 located
    in an APF-authorized library, the attributes of the sticky bit
    file or external link must be set up properly to allow this type
    of invocation.  For a sticky bit file, it must be installed
    with an owning UID of 0 or with the APF extended attribute.  The
    owning UID of 0 requirement would also apply to a symbolic link
    that resolves to the sticky bit file.  For an external link,
    it must be installed with an owning UID of 0.  Also, a file with
    the APF extended attribute is not allowed if found in a file
    system mounted as NOSETUID.
         If the specified file name represents a symbolic link to a
    sticky bit file that has the set-user-id attribute, the symbolic
    link must have an owning uid of 0 or an owning uid equal to that
    of the sticky bit file.  If the sticky bit file has the
    set-group-id attribute, the symbolic link must have an owning
    uid of 0 or an owning gid equal to that of the sticky bit file.
         A file or link found in a file system mounted as NOSECURITY
    is not considered trusted for this type of invocation,
    regardless of its attributes.
         Failure to follow this setup will cause the task attached
    to run the MVS program to end abnormally with an EC6-xxxxC04A
    abend when the MVS program is invoked via the attach_exec
    service.
    
    
    The following should be added to usage note 14 for the exec
    (BPX1EXC and BPX4EXC) callable service:
    
         If the specified file or link resolves to an MVS program
    linkedited AC=1 located in an APF-authorized library, the
    attributes of the sticky bit file or external link must be set
    up properly to allow this type of invocation.  For a sticky bit
    file, it must be installed with an owning UID of 0 or with the
    APF extended attribute.  The owning UID of 0 requirement would
    also apply to a symbolic link that resolves to the sticky bit
    file.  For an external link, it must be installed with an owning
    UID of 0.  Also, a file with the APF extended attribute is not
    allowed if found in a file system mounted as NOSETUID.
         If the specified file name represents a symbolic link to a
    sticky bit file that has the set-user-id attribute, the symbolic
    link must have an owning uid of 0 or an owning uid equal to that
    of the sticky bit file.  If the sticky bit file has the
    set-group-id attribute, the symbolic link must have an owning
    uid of 0 or an owning gid equal to that of the sticky bit file.
         A file or link found in a file system mounted as NOSECURITY
    is not considered trusted for this type of invocation,
    regardless of its attributes.
         Failure to follow this setup will cause the executing job
    to end abnormally with an EC6-xxxxC04A abend when invoking the
    MVS program via the exec service.
    
    
    The following usage note should be added for the spawn (BPX1SPN
    and BPX4SPN) callable service:
    
         If the specified file name resolves to an external link or a
    sticky bit file, the program is loaded from the caller's MVS
    load library search order.  For an external link, the external
    name is used only if the name is eight characters or less;
    otherwise the caller receives an error from the spawn service.
    For a sticky bit program, the file name is used if it is eight
    characters or less.  Otherwise, the program is loaded from the
    z/OS UNIX file system.  If the specified sticky bit file or
    link resolves to an MVS program linkedited AC=1 located in an
    APF-authorized library, the attributes of the sticky bit file
    or external link must be set up properly to allow this type of
    invocation.  For a sticky bit file, it must be installed with
    an owning UID of 0 or with the APF extended attribute.  The
    owning UID of 0 requirement would also apply to a symbolic link
    that resolves to the sticky bit file.  For an external link, it
    must be installed with an owning UID of 0.  A sticky bit file
    with the APF extended attribute is not allowed if found in a
    file system mounted as NOSETUID.
         If the specified file name represents a symbolic link to a
    sticky bit file that has the set-user-id attribute, the symbolic
    link must have an owning uid of 0 or an owning uid equal to that
    of the sticky bit file.  If the sticky bit file has the
    set-group-id attribute, the symbolic link must have an owning
    uid of 0 or an owning gid equal to that of the sticky bit file.
         A file or link found in a file system mounted as NOSECURITY
    is not considered trusted for this type of invocation,
    regardless of its attributes.
         Failure to follow this setup will cause the child process
    created to run the MVS program to end abnormally with an
    EC6-xxxxC04A abend when the MVS program is invoked via the spawn
    service.
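
The attribute rules stated in the BPXP028I explanation and repeated in the attach_exec, exec and spawn usage notes above, written out as a Python check that lists which rule a file or link breaks. This is an added example, not IBM code: the Node record and c04a_reasons function are hypothetical names, and the attribute values are assumed to be entered by hand from ls -El and df -v output.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Node:
    """Attributes read by hand from `ls -El` and `df -v` (constructed model)."""
    kind: str                 # "sticky", "external" or "symlink"
    uid: int
    gid: int = 0
    apf_attr: bool = False    # APF extended attribute set on the file
    setuid: bool = False
    setgid: bool = False
    nosecurity: bool = False  # containing file system mounted NOSECURITY
    nosetuid: bool = False    # containing file system mounted NOSETUID

def c04a_reasons(node: Node, apf_ac1: bool, sticky: Optional[Node] = None) -> List[str]:
    """Return the rules from the BPXP028I explanation that `node` violates.

    apf_ac1: the MVS member is linkedited AC=1 in an APF-authorized library.
    sticky:  for a symlink, the sticky bit file it resolves to.
    """
    why: List[str] = []
    if node.kind == "symlink":
        if sticky is None:
            raise ValueError("symlink needs the sticky bit file it resolves to")
        if sticky.setuid and node.uid not in (0, sticky.uid):
            why.append("symlink uid is neither 0 nor the set-user-id file's uid")
        if sticky.setgid and node.uid != 0 and node.gid != sticky.gid:
            why.append("symlink uid is not 0 and gid differs from set-group-id file")
        if apf_ac1 and node.uid != 0:
            why.append("symlink to APF AC=1 program must be owned by UID 0")
        if (sticky.setuid or sticky.setgid or apf_ac1) and node.nosecurity:
            why.append("symlink is in a NOSECURITY file system")
        # A correct link is not enough: the sticky bit file is checked too.
        return why + c04a_reasons(sticky, apf_ac1)
    if not apf_ac1:
        return why  # the page restricts files and external links only for APF AC=1
    if node.nosecurity:
        why.append(f"{node.kind} is in a NOSECURITY file system")
    if node.kind == "external":
        if node.uid != 0:
            why.append("external link must be owned by UID 0")
    elif node.uid != 0:
        if not node.apf_attr:
            why.append("sticky file needs UID 0 or the APF extended attribute")
        elif node.nosetuid:
            why.append("APF extended attribute not honored under NOSETUID")
    return why
```

An empty list means none of the documented conditions for EC6-xxxxC04A applies to the attributes supplied.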
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA41490

  • Reported component name

    OPENMVS SYS SRV

  • Reported component ID

    5695SCPX1

  • Reported release

    780

  • Status

    CLOSED DOC

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-02-19

  • Closed date

    2013-03-04

  • Last modified date

    2013-03-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Publications Referenced
SA22762622 SA22763319 GA22780018 SA22780313

Fix information

Applicable component levels


Document Information

Modified date:
04 March 2013