Determine whether any of your installed products include z/OS UNIX set-user-ID or set-group-ID privileged programs that invoke other z/OS UNIX executable programs

Description:  Starting in z/OS V2R1, the requirements for the execution or loading of z/OS UNIX executable programs through the z/OS UNIX spawn, exec, loadhfs, loadhfs extended and attach_exec services and the REXX external subroutine and function processing have changed. These changes apply only to the usage of these interfaces by z/OS UNIX set-user-ID or set-group-ID privileged programs. A set-user-ID or set-group-ID privileged program is installed in the z/OS UNIX file system with either the set-user-ID or set-group-ID bit turned on.

The affected interfaces, when invoked from a z/OS UNIX set-user-ID or set-group-ID privileged program, now require that a target z/OS UNIX program file have a file owning UID of 0 or a file owning UID that is equal to that of the set-user-ID program, or have the program control extended attribute turned ON. Additionally, the target z/OS UNIX program file cannot be located in a NoSecurity file system. If any part of the z/OS UNIX path name that resolves to the target z/OS UNIX program file is a symbolic link, the symbolic link also must meet the same requirements.
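The ownership and symbolic link rule above can be checked for one candidate target path with a short script. This is an added example, not IBM code: the names Entry, collect_entries and violations are hypothetical. It assumes the caller supplies the paths that have the program control extended attribute turned ON, and it does not cover the NoSecurity file system requirement.

```python
import os
import stat
from typing import NamedTuple

class Entry(NamedTuple):
    path: str
    is_symlink: bool
    owner_uid: int
    program_control: bool  # assumption: supplied by the caller, not read from the file

def collect_entries(target, program_controlled=()):
    """Return every symbolic link met while resolving target, then the file itself."""
    entries, current = [], os.sep
    todo = os.path.abspath(target).split(os.sep)
    while todo:
        part = todo.pop(0)
        if part in ("", "."):
            continue
        if part == "..":
            current = os.path.dirname(current)
            continue
        candidate = os.path.join(current, part)
        st = os.lstat(candidate)
        if stat.S_ISLNK(st.st_mode):
            if len(entries) >= 40:  # guard against symbolic link loops
                raise OSError("too many symbolic links: " + target)
            entries.append(Entry(candidate, True, st.st_uid, candidate in program_controlled))
            link = os.readlink(candidate)
            if os.path.isabs(link):
                current = os.sep  # absolute link target: restart resolution at the root
            todo = link.split(os.sep) + todo
        else:
            current = candidate
    st = os.lstat(current)
    entries.append(Entry(current, False, st.st_uid, current in program_controlled))
    return entries

def violations(entries, setuid_owner_uid):
    """Entries that are neither owned by UID 0 or the set-user-ID program's owner
    nor marked program controlled."""
    return [e for e in entries
            if not (e.owner_uid in (0, setuid_owner_uid) or e.program_control)]

if __name__ == "__main__":
    import sys
    prog, target = sys.argv[1], sys.argv[2]  # set-user-ID program, program it invokes
    for e in violations(collect_entries(target), os.stat(prog).st_uid):
        print("fix owner or program control attribute:", e.path)
```

Run it with the set-user-ID program as the first argument and the program it invokes as the second; each path printed is a file or symbolic link that does not meet the ownership rule.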

Steps to take: Before you begin, note that the standard IBM product installation process (SMP/E) installs all product-related files and links with an owning UID of 0 with the possible exception of set-user-ID program files.

z/OS UNIX actions to take before the first IPL of z/OS V2R1

  • If you are migrating a z/OS system from z/OS V1R12 or z/OS V1R13 with APAR OA42093 installed, then no migration actions need to be taken. In this case, it is assumed that you have taken all required actions related to this APAR.
  • If you are migrating from a z/OS system that does not have OA42093 installed and use the following IBM products, then you should ensure that you have the latest service levels and have followed the most recent install documentation for these IBM products:
    1. IBM Infoprint Transforms to AFP for z/OS (Ensure APAR OA42691 is installed)
    Otherwise, if you follow the standard install process for z/OS UNIX software, then you should not need to make any further changes related to APAR OA42093. Exceptions to this would be:
    • If you installed z/OS UNIX executable files and associated symbolic links without using SMP/E.
    • If you installed any IBM or other vendor provided z/OS UNIX executable files and associated symbolic links outside the normal SMP/E install process.
    • If you installed z/OS UNIX software using SMP/E from a user that is not running with UID 0 and is not permitted to BPX.SUPERUSER.
    If any of these exceptions exist on your system, then you might have to change the installation of these files and links. To identify all z/OS UNIX executable files and associated symbolic links that need to change, you need to IPL with z/OS V2R1 installed. If any of these files or links are executed, you will then start seeing EC6-xxxxE04B abends along with message BPXP029I in the system log, which identifies the files or links that must be changed. You can then use the documentation for message BPXP029I to correct the files or links that are installed improperly. For more information about message BPXP029I, see z/OS MVS System Messages, Vol 3 (ASB-BPX).

z/OS UNIX actions to perform after the first IPL of z/OS V2R1

If you see EC6-xxxxE04B abends occurring, look for message BPXP029I in the system log to determine the details of the z/OS UNIX files or links involved with the errors and how to correct the problem. This abend indicates an attempt to execute, call or load an improperly installed z/OS UNIX executable program file. For more information about message BPXP029I, see z/OS MVS System Messages, Vol 3 (ASB-BPX).

Reference information: See the following information: