APAR status
Closed as documentation error.
Error description
Documentation when execing/spawning an MVS program
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of z/OS UNIX Services on HBB7770 * * and HBB7780. * **************************************************************** * RECOMMENDATION: * **************************************************************** The documentation changes described in this APAR are related to the changes for APAR OA41101.
Problem conclusion
z/OS MVS System Codes (SA22-7626-xx) New EC6 Abend Reason Code: Code Explanation: C04A Exec or Spawn processing failed because the target MVS load library program cannot be invoked in the manner attempted. Code Response: C04A The failure was as a result of an attempted invocation of a MVS load library program. The z/OS UNIX sticky bit file or link that resolved to the MVS program does not have the proper attributes to allow this type of invocation. General purpose register 4 at the time of this abend contains the name of the MVS program that could not be invoked. Message BPXP028I accompanies this abend. See z/OS MVS System Messages Vol 3 (ASB-BPX) for the details regarding this error. z/OS MVS System Messages Vol. 3 (ASB-BPX) (SA22-7633-xx) New BPXP028I message: BPXP028I SPAWN or EXEC ERROR FOR FILE PATH pathname DEVICE ID devid INODE inodeno. THE ASSOCIATED MVS MEMBER NAME IS membername. Explanation: This message is issued when the invocation of a MVS load library resident program is attempted in a manner that is not permitted. This error is caused by a call to the z/OS UNIX spawn, exec or attach_exec callable service against a z/OS UNIX file or link that does not have the required attributes to allow this type of invocation. The following are the possible z/OS UNIX files or links that can cause this error: o The z/OS UNIX pathname supplied to spawn, exec or attach_exec represents an external link that resolves to the named MVS program found in an APF-authorized library and linkedited with the AC=1 attribute. The external link must have a owning UID of 0 and not be found in a file system mounted as NOSECURITY to allow this type of invocation. You can use the z/OS UNIX chown command to change the file owning UID to 0 for a z/OS UNIX file or link. See z/OS UNIX System Services Commands for documentation regarding the use of the chown command. o The z/OS UNIX pathname supplied to spawn, exec, or attach_exec represents a regular file with the sticky bit attribute that resolves to the named MVS program found in an APF-authorized library and linkedited with the AC=1 attribute. A sticky bit file must have an owning UID of 0 or have the APF extended attribute turned on to allow this type of invocation. The APF extended attribute is not honored for a file system mounted as NOSECURITY or NOSETUID. A user must have READ permission to the BPX.FILEATTR.APF RACF Facility Class Profile to update the APF extended attribute of a file. See z/OS UNIX System Services Planning for documentation regarding this profile and setting the APF attribute. o The z/OS UNIX pathname supplied to spawn, exec or attach_exec represents a symbolic link to a regular file with the sticky bit attribute. The named MVS program is derived from the symbolic link file name. If the sticky bit file has the set-user-id attribute, the symbolic link must have an owning uid of 0 or an owning uid equal to that of the sticky bit file. If the sticky bit file has the set-group-id attribute, the symbolic link must have an owning uid of 0 or an owning gid equal to that of the sticky bit file. If the named MVS program is found in an APF-authorized library and is linkedited with the AC=1 attribute, the symbolic link must have a owning UID of 0 irregardless of the other attributes of the sticky bit file. In all of these cases, the symbolic link must not be found in a file system mounted as NOSECURITY to allow this type of invocation. It is possible that either the symbolic link itself or the sticky bit file it represents are the cause of the problem. If the symbolic link has the proper attributes, then the sticky bit file it points to must be checked to ensure it has the proper attributes as described previously. In the message text: pathname The path name in the z/OS UNIX file system that was supplied to the spawn, exec or attach_exec callable service involved in the error. The path name displayed in this message is limited to 64 characters. Note that this path name might not be a fully qualified path name and may be truncated on the left, or it may represent a symbolic link that resolves to the sticky bit file in error. The inode number and device ID should be used to uniquely identify the fully qualified path name for the file or link that is the cause of the error. Once the fully qualified path name is determined, its file attributes can be viewed using the z/OS UNIX shell ls command to determine whether it represents a sticky bit file, a symbolic link or an external link. The following is a ls command example against a file with a fully qualified path name of /u/bin/testpgm that shows the file's attributes: ls -El /u/bin/testpgm devid The device ID (st_dev) of file system containing the file or link. Use the D OMVS,F console command or the z/OS UNIX shell df -v command to determine the path associated with the device ID. A determination should also be made as to whether the file system is mounted as NOSETUID or NOSECURITY, since this can be the cause of the error. The z/OS UNIX shell df command can be used to view the attributes of a file system. The following is a df command example against a file system with a path name of /u/bin/: df -v /u/bin/ inodeno The inode number (st_ino) of file. The z/OS UNIX shell find command can be used to determine the fully qualified path name by supplying to the find command the path name associated with the device ID to start the search from along with the inode number. The following is a find command example where the path name associated with the device ID resolved to /u/bin/ and the inode number value is 1250: find /u/bin/ -xdev -inum 1250 membername The member name of the associated MVS program that was the target of the failing spawn, exec or attach_exec callable service. System Action: There will be an associated abend code EC6 reason code xxxxC04A with this error. Operator Response: Contact the system programmer. System Programmer Response: If the identified MVS program is part of an IBM or another vendor's product, contact IBM or the other vendor that owns this program. Otherwise, if the identified MVS program is one of your installation specific programs then you must determine if it is appropriate for the MVS program to be invoked from a z/OS UNIX environment. The various z/OS UNIX environments can include, but are not limited to, invocation from the z/OS UNIX Shell, BPXBATCH, the z/OS UNIX System Services ISPF Shell a REXX exec using Address Syscall, or a program using the z/OS UNIX exec, spawn or attach_exec services. If this type of invocation is appropriate for the identified program, then you must change the attributes of the file or link as indicated in the explanation of the error. Source: z/OS UNIX System Services kernel (BPX) Detecting Module: BPXPRECP Routing Code: 11 (and hardcopy log) Descriptor Code: 6 z/OS UNIX System Services Planning (GA22-7800-xx) The following new section is to be added: 4.23.8 Creating a sticky bit file or external link for a MVS APF Authorized Program If there is a need from a z/OS UNIX environment to invoke a MVS Program linkedited AC=1 located in an APF-authorized library, a sticky bit file or external link can be set up to point to this program. You need to ensure that the sticky bit file is installed with an owning UID of 0 or with the APF extended attribute, or that the external link is installed with an owning UID of 0. Because a file system mounted as NOSECURITY is considered untrusted, any file or link installed in a file system mounted as NOSECURITY is not considered trusted for this type of invocation. Also, a file with the APF extended attribute is not honored if found in a file system mounted as NOSETUID. Failure to follow this set up will cause the execution of the program to fail when invoked via the z/OS UNIX spawn, exec or attach_exec callable service. z/OS UNIX System Services Programming: Assembler Callable Services Reference (SA22-7803-xx) Usage note 9 for the attach_exec (BPX1ATX and BPX4ATX) callable service should be changed to read as follows: If the specified file name resolves to an external link or a sticky bit file, the program is loaded from the caller's MVS load library search order. For an external link, the external name is used only if the name is eight characters or less; otherwise the caller receives an error from the attach_exec service. For a sticky bit program, the specified file name is used if it is eight characters or less. Otherwise, the program is loaded from the z/OS UNIX file system. If the attach_exec caller is running APF authorized and the specified sticky bit file or link resolves to a MVS program linkedited AC=1 located in an APF-authorized library, the attributes of the sticky bit file or external link must be set up properly to allow this type of invocation. For a sticky bit file, it must be installed with an owning UID of 0 or with the APF extended attribute. The owning UID of 0 requirement would also apply to a symbolic link that resolves to the sticky bit file. For an external link, it must be installed with a owning UID of 0. Also, a file with the APF extended attribute is not allowed if found in a file system mounted as NOSETUID. If the specified file name represents a symbolic link to a sticky bit file that has the set-user-id attribute, the symbolic link must have an owning uid of 0 or an owning uid equal to that of the sticky bit file. If the sticky bit file has the set-group-id attribute, the symbolic link must have an owning uid of 0 or an owning gid equal to that of the sticky bit file. A file or link found in a file system mounted as NOSECURITY is not considered trusted for this type of invocation, regardless of its attributes. Failure to follow this set up will cause the task attached to run the MVS program to end abnormally with a EC6-xxxxC04A abend when the MVS program is invoked via the attach_exec service. The following should be added to usage note 14 for the exec (BPX1EXC and BPX4EXC) callable service: If the the specified file or link resolves to a MVS program linkedited AC=1 located in an APF-authorized library, the attributes of the sticky bit file or external link must be set up properly to allow this type of invocation. For a sticky bit file, it must be installed with an owning UID of 0 or with the APF extended attribute. The owning UID of 0 requirement would also apply to a symbolic link that resolves to the sticky bit file. For an external link, it must be installed with a owning UID of 0. Also, a file with the APF extended attribute is not allowed if found in a file system mounted as NOSETUID. If the specified file name represents a symbolic link to a sticky bit file that has the set-user-id attribute, the symbolic link must have an owning uid of 0 or an owning uid equal to that of the sticky bit file. If the sticky bit file has the set-group-id attribute, the symbolic link must have an owning uid of 0 or an owning gid equal to that of the sticky bit file. A file or link found in a file system mounted as NOSECURITY is not considered trusted for this type of invocation, regardless of its attributes. Failure to follow this set up will cause the executing job to end abnormally with a EC6-xxxxC04A abend when invoking the MVS program via the exec service. The following usage note should be added for the spawn (BPX1SPN and BPX4SPN) callable service: If the specified file name resolves to an external link or a sticky bit file, the program is loaded from the caller's MVS load library search order. For an external link, the external name is used only if the name is eight characters or less; otherwise the caller receives an error from the spawn service. For a sticky bit program, the file name is used if it is eight characters or less. Otherwise, the program is loaded from the z/OS UNIX file system. If the specified sticky bit file or link resolves to a MVS program linkedited AC=1 located in an APF-authorized library, the attributes of the sticky bit file or external link must be set up properly to allow this type of invocation. For a sticky bit file, it must be installed with an owning UID of 0 or with the APF extended attribute. The owning UID of 0 requirement would also apply to a symbolic link that resolves to the sticky bit file. For an external link, it must be installed with a owning UID of 0. A sticky bit a file with the APF extended attribute is not allowed if found in a file system mounted as NOSETUID. If the specified file name represents a symbolic link to a sticky bit file that has the set-user-id attribute, the symbolic link must have an owning uid of 0 or an owning uid equal to that of the sticky bit file. If the sticky bit file has the set-group-id attribute, the symbolic link must have an owning uid of 0 or an owning gid equal to that of the sticky bit file. A file or link found in a file system mounted as NOSECURITY is not considered trusted for this type of invocation, regardless of its attributes. Failure to follow this set up will cause the child process created to run the MVS program to end abnormally with a EC6-xxxxC04A abend when the MVS program is invoked via the spawn service.
Temporary fix
Comments
APAR Information
APAR number
OA41490
Reported component name
OPENMVS SYS SRV
Reported component ID
5695SCPX1
Reported release
780
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-02-19
Closed date
2013-03-04
Last modified date
2013-03-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
SA22762622 | SA22763319 | GA22780018 | SA22780313 |
Fix information
Applicable component levels
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"780","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":null,"label":null},"Product":{"code":"SG19O","label":"APARs - MVS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"780","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
04 March 2013