z/OS UNIX System Services Planning


Switching in and out of superuser authority

GA32-0884-00

You can switch in and out of superuser authority. This discussion assumes that the installation has not assigned UID(0) to its superusers. Instead, each user has a unique UID and has been permitted to the BPX.SUPERUSER resource in the FACILITY class.

You can use any of the following methods to gain superuser authority:
  • Enter the shell using the OMVS command and then issue the su command with no operands. This creates a nested shell that runs with superuser authority.

    Programs that change the security environment cannot run in a multiprocess address space.

    Tip: When running in this manner, editing a file with the OEDIT command (OEDIT with PF6) returns you to the TSO/E address space where your original authority is still in place.

  • Enter the ISPF shell using the ISHELL command or a dialog selection. From the ISPF shell, you can select the option to switch to superuser state. You can then manage the file system using ISPF shell functions while in the superuser state.

    If you enter the ISPF shell, switch to superuser and then exit the ISPF shell, you might lose superuser authority. If the ISPF shell is the only process in the address space, you will lose all connection to kernel services when the ISPF shell terminates. If there is another dubbed process in this address space (for example, another ISPF shell, or a local shell), it will share the UID with the ISPF shell process. For example, you can open an ISPF shell on both sides of a split screen. When you toggle to superuser in one ISPF shell, it affects the address space and therefore, both ISPF shells are now superuser. Regardless of which ISPF shell terminates first, the address space retains its UIDs until the ISPF shell is used to toggle back, or the last process is undubbed.

  • Enter the shell using rlogin or telnet. Once in the shell, enter the su command to create a nested shell that runs with superuser authority.
  • After gaining superuser authority in the ISPF shell, you can split the screen in ISPF and enter the OMVS command. The shell that is started inherits the superuser authority set up in the ISPF shell. For privileged shells (when the effective UID does not match the real UID, or the effective GID does not match the real GID) $HOME/.profile is not run. If the file /etc/suid_profile exists, it will be run.
  • If you are permitted to the BPX.SUPERUSER resource, then you can get superuser access through REXX.
  • Use the su command from BPXBATCH. Run a job using BPXBATCH, following one of these examples, which show a file being copied:
    • On the PARM= statement, include:
      SH echo cp /etc/profile /etc/junk | su
      This pipes the result of the echo command (that is, the copy command) into the su command.
    • With PARM='SH su', code:
      //STDIN  DD  PATH='/yourpath/input.stuff',PATHOPTS=(ORDONLY)
    • With no parameters coded at all, create a file that has the su command in it.
      //BATBPX1  EXEC  PGM=BPXBATCH
      //STDIN  DD PATH='/yourpath/suinput.stuff',PATHOPTS=(ORDONLY)
      In the suinput.stuff file, you would have the su command followed by the copy command. These are the commands as you would have entered them from the console if you had been running in the z/OS UNIX shell.

Also, when you set up your own $HOME/.profile as superuser, specify the /usr/sbin directory in your PATH environment variable because certain superuser utilities are in that directory instead of the /bin directory, such as automount. For more information about the profile, see Customizing $HOME/.profile.
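The privileged-shell rule and the /usr/sbin PATH advice above can be checked from inside a session. The following shell functions are an added example, not part of the IBM documentation; the function names are assumptions, and the example assumes that a non-privileged login shell runs $HOME/.profile.

```shell
# Added example: function names are assumptions, not z/OS utilities.

# True when the page's privileged-shell condition holds:
# effective UID != real UID, or effective GID != real GID.
is_privileged() {  # args: ruid euid rgid egid
    [ "$1" != "$2" ] || [ "$3" != "$4" ]
}

# Print the user-level startup file that applies, or nothing if none does.
# Assumption: a non-privileged login shell runs $HOME/.profile.
startup_profile() {  # args: ruid euid rgid egid home [suid_profile_path]
    suid_profile=${6:-/etc/suid_profile}
    if is_privileged "$1" "$2" "$3" "$4"; then
        if [ -f "$suid_profile" ]; then printf '%s\n' "$suid_profile"; fi
    else
        printf '%s\n' "$5/.profile"
    fi
}

# True when dir is an exact element of a colon-separated PATH value.
path_has_dir() {  # args: dir path_value
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply the checks to the current session and print the findings.
session_report() {
    ruid=$(id -ru); euid=$(id -u); rgid=$(id -rg); egid=$(id -g)
    echo "real uid=$ruid gid=$rgid, effective uid=$euid gid=$egid"
    if is_privileged "$ruid" "$euid" "$rgid" "$egid"; then
        echo "privileged shell: \$HOME/.profile is not run"
    fi
    profile=$(startup_profile "$ruid" "$euid" "$rgid" "$egid" "$HOME")
    echo "startup file: ${profile:-none}"
    if [ "$euid" = 0 ] && ! path_has_dir /usr/sbin "$PATH"; then
        echo "warning: /usr/sbin missing from PATH (automount lives there)"
    fi
}

session_report
```

Because a privileged shell runs /etc/suid_profile instead of a per-user file, that file's ownership and permissions are worth reviewing wherever it exists.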





Copyright IBM Corporation 1990, 2014