Determine whether any programs UNIX-invoke other z/OS UNIX executable programs

Description

Starting with z/OS V2R1, the requirements for the execution or loading of z/OS UNIX executable programs through the z/OS UNIX spawn, exec, loadhfs, loadhfs extended and attach_exec services and the REXX external subroutine and function processing have changed. These changes apply only to the usage of these interfaces by z/OS UNIX set-user-ID or set-group-ID privileged programs. A set-user-ID or set-group-ID privileged program is installed in the z/OS UNIX file system with either the set-user-ID or set-group-ID bit turned on.

The affected interfaces, when invoked from a z/OS UNIX set-user-ID or set-group-ID privileged program, now require that a target z/OS UNIX program file have a file owning UID of 0 or a file owning UID that is equal to that of the set-user-ID program, or have the program control extended attribute turned ON. Additionally, the target z/OS UNIX program file cannot be located in a NoSecurity file system. If any part of the z/OS UNIX path name that resolves to the target z/OS UNIX program file is a symbolic link, the symbolic link also must meet the same requirements.
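A pre-check of the ownership rule above, as an added example (not IBM-supplied code; the function names are hypothetical). It tests the symbolic links named in the path and the file the path resolves to, assumes the program control attribute appears as `p` in the `ls -E` attribute column, and does not check for a NoSecurity file system or for links inside a link's own target path.

```shell
#!/bin/sh
# Added example, not IBM code. Function names are hypothetical.

# rule_ok OWNER_UID SUID_UID PROGCTL: owner is 0, or matches the set-user-ID
# program's owner, or the program control attribute is on (PROGCTL=1).
rule_ok() {
    [ "$1" -eq 0 ] || [ "$1" -eq "$2" ] || [ "$3" -eq 1 ]
}

# Numeric owning UID; an extra ls flag (-L to follow a link) may be given as $2.
owner_uid() {
    ls -dn $2 "$1" | awk '{print $3}'
}

# Assumption: z/OS "ls -E" prints an extended-attribute column such as "-ps-"
# as field 2, with p meaning program controlled. Elsewhere this prints 0.
progctl() {
    case $(ls -ELdn "$1" 2>/dev/null | awk '{print $2}') in
        ?p??) echo 1 ;;
        *) echo 0 ;;
    esac
}

# audit_target SUID_UID PATH: report every symbolic link named in PATH, and
# the file PATH resolves to, that breaks the rule. Returns 1 if any does.
audit_target() {
    suid_uid=$1 path=$2 rc=0 prefix=
    case $path in /*) ;; *) prefix=. ;; esac
    old_ifs=$IFS; set -f; IFS=/
    set -- $path                      # split the path name into components
    IFS=$old_ifs; set +f
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        prefix=$prefix/$comp
        if [ -L "$prefix" ] &&
           ! rule_ok "$(owner_uid "$prefix")" "$suid_uid" 0; then
            echo "FAIL link $prefix"; rc=1
        fi
    done
    if ! rule_ok "$(owner_uid "$path" -L)" "$suid_uid" "$(progctl "$path")"; then
        echo "FAIL file $path"; rc=1
    fi
    return $rc
}

# Stand-alone use: sh thisfile SUID_OWNER_UID TARGET_PATH
if [ $# -eq 2 ]; then audit_target "$1" "$2"; fi
```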

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: z/OS UNIX.
When change was introduced: z/OS V2R1.
Applies to migration from: z/OS V1R13.
Timing: Before the first IPL of z/OS V2R2.
Is the migration action required? No, but recommended even though most, if not all, IBM and vendor products install their z/OS UNIX executable files and associated links into the z/OS UNIX file system with an owning UID of 0.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM Health Checker for z/OS check: None.

Steps to take

Before you begin, note that the standard IBM product installation process (SMP/E) installs all product-related files and links with an owning UID of 0, with the possible exception of set-user-ID program files.

z/OS UNIX actions to take before the first IPL of z/OS V2R2

  • If you are migrating a z/OS system from z/OS V1R13 with APAR OA42093 installed, then no migration actions need to be taken. In this case, it is assumed that you have taken all required actions related to this APAR.
  • If you are migrating from a z/OS system that does not have OA42093 installed and use the following IBM products, then you should ensure that you have the latest service levels and have followed the most recent install documentation for these IBM products:
    • IBM Infoprint Transforms to AFP for z/OS (Ensure that APAR OA42691 is installed)
    Otherwise, if you follow the standard install process for z/OS UNIX software, then you should not need to make any further changes related to APAR OA42093. Exceptions to this would be:
    • If you installed z/OS UNIX executable files and associated symbolic links without using SMP/E.
    • If you installed any IBM or other vendor provided z/OS UNIX executable files and associated symbolic links outside the normal SMP/E install process.
    • If you installed z/OS UNIX software using SMP/E from a user that is not running with UID 0 and is not permitted to BPX.SUPERUSER.

    If any of these exceptions exist on your system, then you might have to change the installation of these files and links. To identify all z/OS executable files and associated symbolic links that need to change, you need to IPL with z/OS V2R2 installed. If any of these files or links are executed, you will then start seeing EC6-xxxxE04B abends along with message BPXP029I in the system log, which identifies the files or links that must be changed. You can then use the documentation for message BPXP029I to correct the files or links that are installed improperly. For more information about message BPXP029I, see z/OS MVS System Messages, Vol 3 (ASB-BPX).

z/OS UNIX actions to perform after the first IPL of z/OS V2R2

If you see EC6-xxxxE04B abends occurring, look for message BPXP029I in the system log to determine the details of the z/OS UNIX files or links involved with the errors and how to correct the problem. This abend is indicative of an attempt to execute, call or load an improperly installed z/OS UNIX executable program file.

For more information about message BPXP029I, see z/OS MVS System Messages, Vol 3 (ASB-BPX).