Binyamin,

Along these same lines, see if PORT statements for these reserved ports assign SAF values, and then check the profiles protecting them in the SERVAUTH class. The format of the SAF resource name is EZB.PORTACCESS.sysname.tcpname.resname, where 'resname' is the SAF value assigned by the PORT statement. That said, I would have expected you to have seen ICH408I violation messages if this were the case.

Our presentation on SERVAUTH might also be of help in troubleshooting this.
https://www.rshconsulting.com/RSHpres/RSH_Consulting__SERVAUTH_Class__June_2021.pdf

Regards, Bob

Robert S. Hansel
2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Mon, 17 Jun 2024 15:28:13 -0500
From: Stuart Holland <[email protected]>
Subject: Re: RACF permission to INETD OTELNET port?

Check the PROFILE.TCPIP data set. PORT statements in there reserve ports to specific job names. Anything else trying to use that port will be rejected.

On 6/17/24 1:30 PM, Tom Brennan wrote:
> Well that destroys my theory that the problem was caused by a non-root id :) Like you say, there must be something else involved. Sounds like you're making progress though.
>
> Just curious, what made you choose port 323?
>
> On 6/17/2024 9:26 AM, Binyamin Dissen wrote:
>> Changed it to 323 and it works.
>>
>> I cannot figure out which BPX* resource would control this (23) and how.
>>
>> On Mon, 17 Jun 2024 06:01:03 -0700 Tom Brennan <[email protected]> wrote:
>>
>>> I'm not sure if Attila was saying to try this, but if you can change the port to something higher than 1024 and the bind works, that would indicate you're not really root at the time of the bind. Then if the userid starting the task is root, maybe somebody is doing a setuid() or similar before the bind.
>>>
>>> On 6/17/2024 1:26 AM, Attila Fogarasi wrote:
>>>> Is INETD configured correctly? Your config is in etc/inetd/conf. TELNET is delivered specifying an ID of OMVSKERN and must be defined with both superuser and daemon authority. Guessing you are using OMVSKERN based on uid(0). Your port 722 is presumably defined in the /etc/services file.
>>>>
>>>> On Mon, Jun 17, 2024 at 6:10 PM Attila Fogarasi <[email protected]> wrote:
>>>>
>>>>> Brave man running uid(0) for other than the OMVS kernel ... usually uid(0) does give superuser authority, but you may need to be in group(SYS1) and have a GID. Another possibility is having root as HOME('/'). Good luck, it's frustrating that simple things like getting a reason code for "permission denied" are not so easy.
>>>>>
>>>>> On Mon, Jun 17, 2024 at 5:19 PM Binyamin Dissen <[email protected]> wrote:
>>>>>
>>>>>> Took a dump of the address space, and the associated userid has UID(0)
>>>>>>
>>>>>> What else would be required for root access?
>>>>>>
>>>>>> On Mon, 17 Jun 2024 06:29:01 +1000 Attila Fogarasi <[email protected]> wrote:
>>>>>>
>>>>>>> port 722 is a privileged port, usually means your program needs root access, all of that is configured outside of RACF.
>>>>>>>
>>>>>>> On Mon, Jun 17, 2024 at 6:16 AM Binyamin Dissen <[email protected]> wrote:
>>>>>>>
>>>>>>>> On Sun, 16 Jun 2024 09:47:20 -0500 Walt Farrell <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> On Sun, 16 Jun 2024 17:20:34 +0300, Binyamin Dissen <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Getting
>>>>>>>>>>
>>>>>>>>>> BPXF024I (TCPIP) Jun 16 06:38:15 inetd 65583 : FOMN0091 *:otelnet/tcp: 722 bind: EDC5111I Permission denied., rsn=744C7246
>>>>>>>>>>
>>>>>>>>>> Not sure where it got 722 - looked in all the /etc places.
>>>>>>>>>>
>>>>>>>>>> Also, what permission would be required to allow access to 722? Don't see anything obvious.
>>>>>>>>>
>>>>>>>>> What evidence do you have that it's a RACF issue?
>>>>>>>>
>>>>>>>> I am guessing from "permission denied"
>>>>>>
>>>>>> --
>>>>>> Binyamin Dissen <[email protected]>
>>>>>> http://www.dissensoftware.com
>>>>>>
>>>>>> Director, Dissen Software, Bar & Grill - Israel
>>>>>>
>>>>>> ----------------------------------------------------------------------

For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
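An added example (not posted by anyone in this thread) putting the two checks above side by side: a PROFILE.TCPIP PORT statement that reserves a port to a job name and additionally assigns a SAF resource name, the SERVAUTH profile that then governs the bind, and the commands to verify what is in effect. The system name SYS1, stack name TCPIP, job name INETD, resource name OTELNET and the OMVSKERN userid are assumed placeholders, not values from the thread.

```text
; --- PROFILE.TCPIP fragment (SYS1/TCPIP/INETD/OTELNET are assumed placeholders) ---
; A plain "PORT n TCP jobname" reservation is enforced by the TCP/IP stack itself:
; a bind() from any other job name fails with EACCES (EDC5111I Permission denied)
; and RACF is not consulted, so no ICH408I message is written.
; Adding "SAF resname" makes the stack also call SAF for the resource
; EZB.PORTACCESS.sysname.tcpname.resname in the SERVAUTH class.
PORT
   23 TCP INETD SAF OTELNET   ; reserved for the INETD job AND protected by SERVAUTH

; --- RACF commands (TSO) matching the PORT statement above ---
RDEFINE SERVAUTH EZB.PORTACCESS.SYS1.TCPIP.OTELNET UACC(NONE)
PERMIT EZB.PORTACCESS.SYS1.TCPIP.OTELNET CLASS(SERVAUTH) ID(OMVSKERN) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH

; --- Checks to run when a privileged-port bind is refused ---
; 1. Which job names and SAF resource names are currently reserved on the stack:
NETSTAT PORTLIST
; 2. Which SERVAUTH profiles cover port access, and who is permitted to them:
SEARCH CLASS(SERVAUTH) FILTER(EZB.PORTACCESS.**)
RLIST SERVAUTH EZB.PORTACCESS.SYS1.TCPIP.OTELNET AUTHUSER
; 3. In SYSLOG: an ICH408I for EZB.PORTACCESS.* points at the SERVAUTH profile;
;    EDC5111I with no ICH408I points at a job-name reservation or at the
;    binding process not having UID(0) at the time of the bind().
```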
