Re: SFTP and FSSEC error
By defining that resource (as discrete, not generic) you allow users to change ownership of files that they own. Seems like a good fit for the problem you're seeing.

Mark Jacobs

On 08/24/11 15:36, Bruce Wheatley wrote:

Mark, No it's never been defined. Is it recommended for SFTP? Thanks.

Mark Jacobs mark.jac...@custserv.com
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
08/24/2011 02:47 PM
Please respond to IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
To IBM-MAIN@bama.ua.edu
cc
Subject Re: SFTP and FSSEC error

Do you have the CHOWN.UNRESTRICTED profile in the UNIXPRIV class defined in your security product?

Mark Jacobs

On 08/24/11 14:28, Bruce Wheatley wrote:

Wondering what we've missed in setting up for external users to use SFTP transmissions. Similar messages are appearing for different customers.

This is the error:

ICH408I USER(PAAA123) GROUP(G1234) NAME(CDS FTP ) 888
  /tmp/ssh-PAAA123 CL(FSSEC ) FID(009D)
  INSUFFICIENT AUTHORITY TO CHOWN
  EFFECTIVE UID(089001) EFFECTIVE GID(009300)

Here is the ownership:

/u/paaa123ls -l /tmp/
drwx-- 2 PAAA123 OMVSGRP 4096 Aug 23 13:33 ssh-PAAA123

PAAA123 created the directory to begin with.

Also posted to RACF List.

TIA

Bruce Wheatley
Senior Information Security Analyst
The Canadian Depository for Securities Limited
85 Richmond St. W.
Toronto, ON M5H 2C9
(416) 365-8417
bwheat...@cds.ca

--
Mark Jacobs
Time Customer Service
Tampa, FL

Some people are electrifying, they light up a room when they leave.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SFTP and FSSEC error
Do you see this when running the z/OS sftp client or the sftp-server (IOW, the ssh client or sshd)?

If the client, add the option -vvv and post the log. If the server, check syslogd for the sshd daemon for messages.

Although there isn't quite enough information to make a good guess, I suspect that this might have something to do with SSHD privilege separation. In the Ported Tools OpenSSH, there are some specific RACF steps that need to be made to set up the privilege separation userid.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Aug 24, 2011 at 1:28 PM, Bruce Wheatley bwheat...@cds.ca wrote:

Wondering what we've missed in setting up for external users to use SFTP transmissions. Similar messages are appearing for different customers.

This is the error:

ICH408I USER(PAAA123) GROUP(G1234) NAME(CDS FTP ) 888
  /tmp/ssh-PAAA123 CL(FSSEC ) FID(009D)
  INSUFFICIENT AUTHORITY TO CHOWN
  EFFECTIVE UID(089001) EFFECTIVE GID(009300)

Here is the ownership:

/u/paaa123ls -l /tmp/
drwx-- 2 PAAA123 OMVSGRP 4096 Aug 23 13:33 ssh-PAAA123

PAAA123 created the directory to begin with.

Also posted to RACF List.

TIA

Bruce Wheatley
Senior Information Security Analyst
The Canadian Depository for Securities Limited
85 Richmond St. W.
Toronto, ON M5H 2C9
(416) 365-8417
bwheat...@cds.ca
SFTP and FSSEC error
Wondering what we've missed in setting up for external users to use SFTP transmissions. Similar messages are appearing for different customers.

This is the error:

ICH408I USER(PAAA123) GROUP(G1234) NAME(CDS FTP ) 888
  /tmp/ssh-PAAA123 CL(FSSEC ) FID(009D)
  INSUFFICIENT AUTHORITY TO CHOWN
  EFFECTIVE UID(089001) EFFECTIVE GID(009300)

Here is the ownership:

/u/paaa123ls -l /tmp/
drwx-- 2 PAAA123 OMVSGRP 4096 Aug 23 13:33 ssh-PAAA123

PAAA123 created the directory to begin with.

Also posted to RACF List.

TIA

Bruce Wheatley
Senior Information Security Analyst
The Canadian Depository for Securities Limited
85 Richmond St. W.
Toronto, ON M5H 2C9
(416) 365-8417
bwheat...@cds.ca
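
An added example, not part of any post in this thread: a small Python parser that pulls the fields out of ICH408I file-security (FSSEC) messages like the one quoted above and lists the CHOWN denials per user, which helps when the same failure shows up for several customers. The second sample message, its user and path, and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first message is the one quoted in the post;
# the second is made up for illustration (hypothetical user and path).
SAMPLE_LOG = """\
ICH408I USER(PAAA123) GROUP(G1234) NAME(CDS FTP ) 888
  /tmp/ssh-PAAA123 CL(FSSEC ) FID(009D)
  INSUFFICIENT AUTHORITY TO CHOWN
  EFFECTIVE UID(089001) EFFECTIVE GID(009300)
ICH408I USER(PBBB456) GROUP(G5678) NAME(EXAMPLE USER ) 889
  /u/pbbb456/report.txt CL(FSSEC ) FID(00A1)
  INSUFFICIENT AUTHORITY TO OPEN
  EFFECTIVE UID(089002) EFFECTIVE GID(009300)
"""

# Field layout of the file-security form of ICH408I as shown in the post.
# The number after NAME(...) is the console's multi-line message id.
ICH408I_FSSEC = re.compile(
    r"ICH408I\s+USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)\s+"
    r"NAME\((?P<name>[^)]*)\)\s+(?:\d+\s+)?"
    r"(?P<path>/\S*)\s+CL\((?P<cls>[^)]*)\)\s+FID\((?P<fid>[^)]*)\)\s+"
    r"INSUFFICIENT AUTHORITY TO (?P<function>\S+)\s+"
    r"EFFECTIVE UID\((?P<uid>\d+)\)\s+EFFECTIVE GID\((?P<gid>\d+)\)"
)

def parse_violations(log_text):
    """Return one dict per ICH408I file-security message in log_text."""
    # The message spans several console lines; collapse all whitespace so
    # the same pattern also matches a copy flattened onto a single line.
    flat = " ".join(log_text.split())
    return [{k: v.strip() for k, v in m.groupdict().items()}
            for m in ICH408I_FSSEC.finditer(flat)]

def chown_denials_by_user(log_text):
    """Map each user to the paths on which a chown was denied."""
    hits = defaultdict(list)
    for v in parse_violations(log_text):
        if v["cls"] == "FSSEC" and v["function"] == "CHOWN":
            hits[v["user"]].append(v["path"])
    return dict(hits)

if __name__ == "__main__":
    for user, paths in chown_denials_by_user(SAMPLE_LOG).items():
        print(user, paths)
```

Path names containing spaces are not handled by this pattern.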
Re: SFTP and FSSEC error
Do you have the CHOWN.UNRESTRICTED profile in the UNIXPRIV class defined in your security product?

Mark Jacobs

On 08/24/11 14:28, Bruce Wheatley wrote:

Wondering what we've missed in setting up for external users to use SFTP transmissions. Similar messages are appearing for different customers.

This is the error:

ICH408I USER(PAAA123) GROUP(G1234) NAME(CDS FTP ) 888
  /tmp/ssh-PAAA123 CL(FSSEC ) FID(009D)
  INSUFFICIENT AUTHORITY TO CHOWN
  EFFECTIVE UID(089001) EFFECTIVE GID(009300)

Here is the ownership:

/u/paaa123ls -l /tmp/
drwx-- 2 PAAA123 OMVSGRP 4096 Aug 23 13:33 ssh-PAAA123

PAAA123 created the directory to begin with.

Also posted to RACF List.

TIA

Bruce Wheatley
Senior Information Security Analyst
The Canadian Depository for Securities Limited
85 Richmond St. W.
Toronto, ON M5H 2C9
(416) 365-8417
bwheat...@cds.ca

--
Mark Jacobs
Time Customer Service
Tampa, FL

Some people are electrifying, they light up a room when they leave.
Re: SFTP and FSSEC error
Mark, No it's never been defined. Is it recommended for SFTP? Thanks.

Mark Jacobs mark.jac...@custserv.com
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
08/24/2011 02:47 PM
Please respond to IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
To IBM-MAIN@bama.ua.edu
cc
Subject Re: SFTP and FSSEC error

Do you have the CHOWN.UNRESTRICTED profile in the UNIXPRIV class defined in your security product?

Mark Jacobs

On 08/24/11 14:28, Bruce Wheatley wrote:

Wondering what we've missed in setting up for external users to use SFTP transmissions. Similar messages are appearing for different customers.

This is the error:

ICH408I USER(PAAA123) GROUP(G1234) NAME(CDS FTP ) 888
  /tmp/ssh-PAAA123 CL(FSSEC ) FID(009D)
  INSUFFICIENT AUTHORITY TO CHOWN
  EFFECTIVE UID(089001) EFFECTIVE GID(009300)

Here is the ownership:

/u/paaa123ls -l /tmp/
drwx-- 2 PAAA123 OMVSGRP 4096 Aug 23 13:33 ssh-PAAA123

PAAA123 created the directory to begin with.

Also posted to RACF List.

TIA

Bruce Wheatley
Senior Information Security Analyst
The Canadian Depository for Securities Limited
85 Richmond St. W.
Toronto, ON M5H 2C9
(416) 365-8417
bwheat...@cds.ca

--
Mark Jacobs
Time Customer Service
Tampa, FL

Some people are electrifying, they light up a room when they leave.