Determine whether certain files are involved with link-edited programs with AC=1 (Part 2)

Description

Starting in z/OS V2R2 and with the PTFs for APAR OA45793 installed, the invocation requirements for MVS load library programs invoked through the z/OS UNIX spawn, exec and attach_exec services have changed. These changes apply to the invocation of MVS programs link-edited AC=1 found in an APF-authorized library and for MVS load library programs that are to run as a z/OS UNIX set-user-id or set-group-id program. The following list describes the changes:
  • If the z/OS UNIX pathname that is supplied to spawn, exec or attach_exec represents an external link that resolves to an MVS program found in an APF-authorized library and link-edited with the AC=1 attribute, then to allow this type of invocation the external link must have an owning UID of 0 and must not be found in a file system that is mounted as NOSECURITY.
  • If the z/OS UNIX pathname that is supplied to spawn, exec, or attach_exec represents a regular file with the sticky bit attribute that resolves to an MVS program found in an APF-authorized library and link-edited with the AC=1 attribute, then to allow this type of invocation the sticky bit file must have an owning UID of 0 or have the APF extended attribute turned on. Additionally, the sticky bit file must not be found in a file system that is mounted as NOSECURITY.
  • If the z/OS UNIX pathname that is supplied to spawn, exec or attach_exec represents a symbolic link to a regular file with the sticky bit attribute and the sticky bit file has the set-user-id attribute, the symbolic link must have an owning UID of 0 or an owning UID equal to that of the sticky bit file. If the sticky bit file has the set-group-id attribute, the symbolic link must have an owning UID of 0 or an owning GID equal to that of the sticky bit file. Additionally, to allow this type of invocation, the symbolic link must not be found in a file system that is mounted as NOSECURITY.
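
The three rules above, written as a pre-check over an inventory of pathnames. This is an added example, not IBM code: the `Entry` record, its field names and the sample paths are assumptions made for illustration. It also assumes that both symbolic link rules apply when the sticky bit file is both set-user-id and set-group-id.

```python
from dataclasses import dataclass

@dataclass
class Entry:                          # one inventoried pathname (hypothetical record)
    path: str
    kind: str                         # "external_link", "sticky_file" or "symlink"
    uid: int
    gid: int
    nosecurity: bool = False          # file system is mounted NOSECURITY
    ac1_apf_target: bool = False      # resolves to an AC=1 program in an APF library
    apf_extattr: bool = False         # APF extended attribute is on (sticky bit file)
    setuid: bool = False
    setgid: bool = False
    target: "Entry | None" = None     # sticky bit file that a symbolic link points to

def findings(e):
    """Return the listed requirements that entry e does not meet."""
    out = []
    if e.kind == "external_link" and e.ac1_apf_target:
        if e.uid != 0:
            out.append("external link not owned by UID 0")
    elif e.kind == "sticky_file" and e.ac1_apf_target:
        if e.uid != 0 and not e.apf_extattr:
            out.append("sticky bit file not owned by UID 0 and APF attribute off")
    elif e.kind == "symlink" and e.target and (e.target.setuid or e.target.setgid):
        t = e.target
        # Assumption: when both set-user-id and set-group-id are on, both rules apply.
        if t.setuid and e.uid not in (0, t.uid):
            out.append("symlink UID is neither 0 nor the set-user-id file's UID")
        if t.setgid and e.uid != 0 and e.gid != t.gid:
            out.append("symlink UID is not 0 and GID differs from the set-group-id file's GID")
    else:
        return out                    # pathname is outside the three rules
    if e.nosecurity:
        out.append("file system mounted NOSECURITY")
    return out

def audit(entries):                   # path -> unmet requirements, only where any exist
    return {e.path: f for e in entries if (f := findings(e))}

# Constructed sample inventory (paths, UIDs and GIDs are made up).
SUID_FILE = Entry("/sample/bin/suidprog", "sticky_file", uid=500, gid=20, setuid=True)
INVENTORY = [
    Entry("/sample/bin/extbad", "external_link", uid=500, gid=20, ac1_apf_target=True),
    Entry("/sample/bin/stickyapf", "sticky_file", uid=500, gid=20, ac1_apf_target=True, apf_extattr=True),
    Entry("/sample/mnt/stickyroot", "sticky_file", uid=0, gid=0, ac1_apf_target=True, nosecurity=True),
    Entry("/sample/bin/linkok", "symlink", uid=500, gid=99, target=SUID_FILE),
    Entry("/sample/bin/linkbad", "symlink", uid=600, gid=20, target=SUID_FILE),
]
```

Calling `audit(INVENTORY)` returns only the entries that miss a requirement, each with the reasons.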

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: z/OS UNIX.
When change was introduced: z/OS V1R13 and z/OS V1R12, both with APAR OA41101.
Applies to migration from: z/OS V1R13 without APAR OA41101 applied.
Timing: After the first IPL of z/OS V2R2. (For steps to take before the first IPL, see Determine whether certain files are involved with link-edited programs with AC=1 (Part 1)).
Is the migration action required? No, but recommended. Most, if not all, IBM and vendor products install their executable files into the z/OS UNIX file system with an owning UID of 0, so few, if any, executable files on your system should have a problem.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM Health Checker for z/OS check: None.

Steps to take after the first IPL

If you see EC6-xxxxC04A abends occurring, look for message BPXP028I in the system log to determine the details of the z/OS UNIX files or links and MVS programs involved with the errors and how to correct the problem. This abend indicates an attempt to execute an improperly installed z/OS UNIX sticky bit file, symbolic link or external link that resolves to an MVS program.

For more information about message BPXP028I, see z/OS MVS System Messages, Vol 3 (ASB-BPX).

For the steps to take before the first IPL, see Determine whether certain files are involved with link-edited programs with AC=1 (Part 1).

Reference information

For more information, see z/OS UNIX System Services Command Reference.