Description: Starting in z/OS V2R1, the invocation requirements
for MVS load library programs invoked through the z/OS UNIX spawn,
exec and attach_exec services have changed. These changes apply to
the invocation of MVS programs link-edited AC=1 found in an APF-authorized
library and for MVS load library programs that are to run as a z/OS
UNIX set-user-id or set-group-id program. The following list describes
the changes:
- If the z/OS UNIX pathname that is supplied
to spawn, exec or attach_exec represents an external link that resolves
to an MVS program found in an APF-authorized library and link-edited
with the AC=1 attribute, the external link must have an owning UID
of 0 and not be found in a file system that is mounted as NOSECURITY
to allow this type of invocation.
- If the z/OS UNIX pathname that is supplied
to spawn, exec, or attach_exec represents a regular file with the
sticky bit attribute that resolves to an MVS program found in an APF-authorized
library and link-edited with the AC=1 attribute, the sticky bit file
must have an owning UID of 0 or have the APF extended attribute turned
on to allow this type of invocation. Additionally, the sticky bit
file must not be found in a file system that is mounted as NOSECURITY
to allow this type of invocation.
- If the z/OS UNIX pathname that is supplied to
spawn, exec or attach_exec represents a symbolic link to a regular
file with the sticky bit attribute and the sticky bit file has the
set-user-id attribute, the symbolic link must have an owning UID of
0 or an owning UID equal to that of the sticky bit file. If the sticky
bit file has the set-group-id attribute, the symbolic link must have
an owning UID of 0 or an owning GID equal to that of the sticky bit
file. Additionally, the symbolic link must not be found in a file
system that is mounted as NOSECURITY to allow this type of invocation.
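The three ownership rules above, written as checks over file metadata. This is an added example, not IBM code; the `Meta` record and function names are hypothetical, and the APF extended attribute and NOSECURITY mount status are assumed to be supplied by the caller because `os.stat` does not report them.

```python
import os
import stat
from dataclasses import dataclass

@dataclass
class Meta:
    uid: int
    gid: int
    mode: int = 0
    apf_attr: bool = False    # APF extended attribute (assumed supplied by caller)
    nosecurity: bool = False  # file system mounted NOSECURITY (assumed supplied)

def check_external_link(link):
    """External link resolving to an AC=1 program in an APF-authorized library."""
    out = [] if link.uid == 0 else ["external link must have owning UID 0"]
    return out + (["mounted NOSECURITY"] if link.nosecurity else [])

def check_sticky_file(f):
    """Sticky bit file resolving to an AC=1 program in an APF-authorized library."""
    out = [] if f.uid == 0 or f.apf_attr else ["sticky file needs UID 0 or APF attribute"]
    return out + (["mounted NOSECURITY"] if f.nosecurity else [])

def check_symlink(link, target):
    """Symbolic link to a sticky bit file that is set-user-id or set-group-id."""
    if not target.mode & stat.S_ISVTX or not target.mode & (stat.S_ISUID | stat.S_ISGID):
        return []  # rule only covers sticky targets with a set-id bit
    out = []
    if target.mode & stat.S_ISUID and link.uid not in (0, target.uid):
        out.append("symlink owner must be UID 0 or the set-user-id file's UID")
    if target.mode & stat.S_ISGID and link.uid != 0 and link.gid != target.gid:
        out.append("symlink needs owning UID 0 or the set-group-id file's GID")
    return out + (["mounted NOSECURITY"] if link.nosecurity else [])

def audit_tree(root):
    """Return (path, problems) candidates; AC=1/APF resolution is not checked here."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ls = os.lstat(path)
            me = Meta(ls.st_uid, ls.st_gid, ls.st_mode)
            problems = []
            if stat.S_ISLNK(ls.st_mode) and os.path.exists(path):  # skip dangling links
                ts = os.stat(path)
                problems = check_symlink(me, Meta(ts.st_uid, ts.st_gid, ts.st_mode))
            elif stat.S_ISREG(ls.st_mode) and ls.st_mode & stat.S_ISVTX:
                problems = check_sticky_file(me)
            if problems:
                hits.append((path, problems))
    return hits
```

`audit_tree` reads only ownership and mode bits, so every hit still has to be confirmed against the program it resolves to.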
Element or feature: z/OS UNIX.
When change was introduced: z/OS V1R13 and z/OS V1R12, both with APAR OA41101.
Applies to migration from: z/OS V1R13 and z/OS V1R12 both without APAR
OA41101 applied.
Timing: Before the first IPL of z/OS V2R1.
Is the migration action required? No, but recommended even though most, if not
all, IBM and vendor products install their executable files into the
z/OS UNIX file system with an owning UID of 0, so few, if any, executable
files on a customer system should have a problem.
Target system hardware requirements: None.
Target system software requirements: See Steps to take.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM Health Checker for z/OS check: None.
Steps to take before the first IPL: If you are
migrating a z/OS system from z/OS V1R12 or z/OS V1R13 with APAR OA41101
installed, then no migration actions need to be taken. In this case,
it is assumed that you have taken all required actions related to
this APAR. Also see the documentation APAR OA41490.
If you are migrating from a z/OS system that does not have OA41101
installed and use the following IBM products, then you should ensure
that you have the latest service levels and have followed the most
recent install documentation for these IBM products:
- IBM z/OS Problem Determination Tools File Manager Software V10
(see Doc APAR PM81080)
- IBM z/OS Problem Determination Tools File Manager Software V11.1.0
with upgrade subset HADLB10 (ensure that PTF UK91613 is installed)
- IBM z/OS Problem Determination Tools Common Component Software
V1.6.0 with upgrade subset HVWR160 (ensure that PTF UK91612 is installed)
- IBM InfoSphere Data Replication (see Doc APAR PM81306)
- IBM Security zSecure Suite (see Technote 1625364)
- IBM Tivoli Security Information and Event Manager (see Technote
1626384)
You may have to change the installation of some z/OS UNIX files
and links provided by these products.
Otherwise, if you follow the standard install process for z/OS
UNIX software, then you should not need to make any further changes
related to APAR OA41101. Exceptions to this would be:
- If you installed z/OS UNIX sticky bit files, symbolic links or
external links for any of your own software without using SMP/E
- If you installed any IBM or other vendor provided z/OS UNIX sticky
bit files, symbolic links or external links outside the normal SMP/E
install process
- If you installed z/OS UNIX software using SMP/E from a user that
is not running with UID 0 and is not permitted to BPX.SUPERUSER
If any of these exceptions exist on your system, then you might
have to change the installation of these files and links. To identify
all the sticky bit files, symbolic links and external links that need
to change, you need to IPL with z/OS V2R1 installed. If any of these
files or links are executed, you will then start seeing EC6-xxxxC04A
abends along with message BPXP028I in the system log, which identifies
the files or links that must be changed. You can then use the documentation
for message BPXP028I to correct the files or links that are installed
improperly. For more information about message BPXP028I, see z/OS MVS System Messages, Vol 3 (ASB-BPX).
For steps to take after the first IPL, see Determine if any sticky bit files or external links in your z/OS UNIX file system are involved in the invocation of MVS programs that are link-edited with the AC=1 attribute (Part 2 after IPL of z/OS V2R1).
Reference information: z/OS UNIX System Services Command Reference.