Re: OMVS su -
> /etc/profile would probably be the correct place to set up the different PATH and other settings. However, to execute that (or any other initialization script) I think requires su - as we were initially discussing.

I agree. But the OP's problem is that it is more or less unpredictable which MVS userid will be picked to resolve to an OMVS segment required to find the HOME path. This is why I thought about a workaround and came up with the idea of su and the ENV script.

More than one userid with UID=0 is something I have always felt is a bad design on z/OS. On the Unix side of the fence the UID is the primary identity, so really you have one UID with varying behaviour depending on circumstances. While I basically see the need for different tasks to run under different MVS userids, if more than one of those also requires root rights when requesting UNIX functions, you end up with multiple userids having uid=0 assigned.

Some of the uid=0 requirements may have become obsolete by the UNIXPRIV class profiles. But installation instructions probably (I haven't verified) still say "... must be run with uid=0". I wonder if UNIXPRIV profiles would allow running z/OS and subsystems completely without uid=0 but with corresponding UNIXPRIV authorities instead. Has anyone tried this?

-- 
Peter Hunkeler

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: OMVS su -
a) the aliases in my .profile get lost after doing a su
b) I like to see a different command prompt to remind me

Below is my ENV script, which is run whenever a (sub)shell starts. It tests for the current uid and sets the shell prompt variable PS1 accordingly. It also sets my aliases. Note that the variables HOSTNAME, HOSTREL, MYLOCALE and MYCODEPAGE are set in my .profile.

---- start of ENV script (next line) ----
# This is the shell initialization script pointed to by ENV.
#
# Prompt ends in '#' when the effective uid is 0, in '$' otherwise.
if test $(id -u) = 0
then
  export PS1='$LOGNAME @ $HOSTNAME($HOSTREL) $MYLOCALE.$MYCODEPAGE $PWD # '
else
  export PS1='$LOGNAME @ $HOSTNAME($HOSTREL) $MYLOCALE.$MYCODEPAGE $PWD $ '
fi
set -o vi
set -o logical
# z/OS ps output columns: job name, user, ASID, pid, ppid, start time, tty, args
alias ps='ps -ef -ojobname,user,xasid=ASID -opid,ppid,stime,tty=TTY -oargs'
alias psuid='ps -ef -opid,ppid,uid,ruid,gid,rgid -oargs'
# Without a usable terminal type, clear the screen with a form feed instead of tput.
if test X$TERM = X -o X$TERM = Xdumb
then
  alias clear="printf '\f'"
else
  alias clear='tput clear'
fi
---- end of ENV script (previous line) ----

-- 
Peter Hunkeler
Re: OMVS su -
On 27/11/2012 7:39 PM, Hunkeler Peter (KIUP 4) wrote:
> Why do you do a su - instead of simply su? I consider the dash option to be useful only when switching to another identity as in su - another.userid. You're changing the MVS userid as well as the UNIX uid, so it is sensible to also set up the shell environment to look as if you had logged in with that userid.

su - is considered good practice in other unix environments because root's environment is likely to be quite different to a normal user's environment. Typically the directories in the PATH are much more restrictive, and there may be directories added that contain programs that are only used by root, e.g. /usr/sbin. A regular user might have the current directory in their PATH; root should not. It is considered a security exposure if any directory (or any of the parent directories) in root's PATH is writable by a non-root user.

So su - is good practice to ensure that you get an environment that is intended for use with UID 0.

Regards
Andrew Rowley
-- 
and...@blackhillsoftware.com
+61 413 302 386
Re: OMVS su -
On Wed, 28 Nov 2012 09:05:26 +0100, Hunkeler Peter (KIUP 4) peter.hunke...@credit-suisse.com wrote:
> a) the aliases in my .profile get lost after doing a su
> b) I like to see a different command prompt to remind me
> Below is my ENV script, which is run whenever a (sub)shell starts. It tests for the current uid and sets the shell prompt variable PS1 accordingly. It also sets my aliases. Note that variables HOSTNAME, HOSTREL, MYLOCALE and MYCODEPAGE are set in my .profile.
> [snip]

What may not be clear from Peter's post is that you have to specify the name of that script in the ENV environment variable. So in my .profile I have this (in addition to some other exports, which should remain in .profile and not in the ENV script):

# set up my environment
export ENV=$HOME/@myenv

Regards,
Mark
-- 
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
mailto:m...@mzelden.com
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
Systems Programming expert at http://expertanswercenter.techtarget.com/
Re: OMVS su -
> su - is considered good practice in other unix environments because root's environment is likely to be quite different to a normal user's environment.
> [snip]
> So su - is good practice to ensure that you get an environment that is intended for use with UID 0.

Unfortunately, on z/OS UNIX you typically have more than one userid having uid=0. While not perfect, the different path and other settings could be set from the uid=0 section of the ENV script I posted. Maybe by sourcing a shared script to help those with su authority to set the same values. (The script would be readable by UID=0 only.)

Mark: Thanks for the remark regarding $ENV. I missed adding it.

-- 
Peter Hunkeler
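As an added example (my own code, not anything posted by Andrew or Peter and not part of the thread), here is what the uid 0 branch of such an ENV script can verify before it trusts anything, covering both points above: Andrew's rule that no directory in root's PATH, nor any parent of it, may be writable by a non-root user, and Peter's idea of sourcing a shared script that only UID 0 can read. It is POSIX sh and assumes that `ls -ldnL` prints the mode string in field 1 and the numeric owner in field 3, which holds on z/OS UNIX as well as on Linux. TRUSTED_UID, PATH_AUDIT_STOP, the function names and the /etc/root-env.sh file name are assumptions of mine, not conventions of z/OS, the shell or IBM.

```sh
#!/bin/sh
# Added example for this thread, not code posted by Andrew or Peter.
# (1) path_audit: every directory in a PATH, and every parent up to a trusted
#     prefix, must be owned by the trusted uid and not group/other writable.
# (2) source_private: dot-source a shared root-only script only if it is owned
#     by the trusted uid and readable by nobody else.
# Assumes POSIX `ls -ldnL` output: mode string in field 1, numeric owner in
# field 3. TRUSTED_UID and PATH_AUDIT_STOP are my own variable names.

: "${TRUSTED_UID:=0}"      # uid allowed to own PATH directories and the script
: "${PATH_AUDIT_STOP:=/}"  # ancestor at which the upward walk stops (checked too)

# stat_fields PATHNAME: sets $mode and $owner from ls -ldnL; returns 1 if unreadable.
stat_fields() {
    set -- $(ls -ldnL "$1" 2>/dev/null)
    [ $# -ge 3 ] || return 1
    mode=$1
    owner=$3
}

# dir_unsafe DIR: true (0) when DIR could be modified by someone other than
# TRUSTED_UID: missing/unreadable (treated as unsafe), wrong owner, or
# group/other write bit set.
dir_unsafe() {
    stat_fields "$1" || return 0
    [ "$owner" = "$TRUSTED_UID" ] || return 0
    case $mode in
        ?????w*)    return 0 ;;   # group write, position 6 of drwxrwxrwx
        ????????w*) return 0 ;;   # other write, position 9
    esac
    return 1
}

# path_audit PATHSTRING: prints "ENTRY: OFFENDING_DIR" for every unsafe entry
# and returns 1; returns 0 and prints nothing when the PATH is clean.
# Empty or relative entries (".", "bin", "") are always reported.
path_audit() {
    rc=0
    old_ifs=$IFS
    IFS=:; set -f; set -- $1; set +f
    IFS=$old_ifs
    for entry; do
        case $entry in
            ""|[!/]*) echo "$entry: relative entry"; rc=1; continue ;;
        esac
        d=$entry
        while :; do
            if dir_unsafe "$d"; then
                echo "$entry: $d"; rc=1; break
            fi
            [ "$d" = "$PATH_AUDIT_STOP" ] && break
            [ "$d" = / ] && break
            d=$(dirname "$d")
        done
    done
    return $rc
}

# file_private FILE: true when FILE is owned by TRUSTED_UID and neither
# readable nor writable by group or other (mode -r??------ or stricter).
file_private() {
    stat_fields "$1" || return 1
    [ "$owner" = "$TRUSTED_UID" ] || return 1
    case $mode in
        ????r*|?????w*|???????r*|????????w*) return 1 ;;
    esac
    return 0
}

# source_private FILE: dot-source FILE only if file_private accepts it.
source_private() {
    if file_private "$1"; then
        . "$1"
    else
        echo "refusing to source $1: not private to uid $TRUSTED_UID" >&2
        return 1
    fi
}

# Usage in the uid 0 branch of an ENV script (the shared file name is assumed):
if [ "$(id -u)" = 0 ]; then
    ROOT_PATH=/usr/sbin:/usr/bin:/bin
    path_audit "$ROOT_PATH" && PATH=$ROOT_PATH
    source_private /etc/root-env.sh
fi
```

The ownership check compares numeric uids rather than userid names on purpose: as Kirk notes further down the thread, the filesystem stores only the uid, and with several MVS userids sharing uid 0 it is arbitrary which name `ls -l` displays. PATH_AUDIT_STOP lets a site that has already audited, say, `/` and `/usr` stop the upward walk there; the default walks all the way to `/`.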
Re: OMVS su -
> We have several OMVS userids of 0. Is there any way to control which of those gets utilized when an su - command is entered? I would like it to be the omvs userid each time.

Why do you do a su - instead of simply su? I consider the dash option to be useful only when switching to another identity as in su - another.userid. You're changing the MVS userid as well as the UNIX uid, so it is sensible to also set up the shell environment to look as if you had logged in with that userid.

A su without a userid merely starts a new subshell with euid=0; you still are who you were before the su MVS-wise. It probably would have been better to reject the dash option in this case.

-- 
Peter Hunkeler
OMVS su -
We have several OMVS userids of 0. Is there any way to control which of those gets utilized when an su - command is entered? I would like it to be the omvs userid each time.

Some of the UID 0 userids have a home of /, and a couple have no home defined. Seems like the last UID 0 defined is probably the one selected for su - and directory displays. I have defined a /home/root/.profile and added a soft link for /.profile to go there, but if a userid with no home defined is selected, it doesn't activate a .profile script. Owner of those IDs doesn't want them changed to add a home.

-- 
Donald J.
dona...@4email.net
Re: OMVS su -
I know what you mean, Don.

For MVS-OE subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO MVS-OE

Try that list. They really do know all about this stuff. I recall from the last few years, over 10, this same topic gone over the same ad nauseam.

Best regards.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Donald J.
Sent: Monday, November 26, 2012 8:18 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: OMVS su -

> We have several OMVS userids of 0. Is there any way to control which of those gets utilized when an su - command is entered? I would like it to be the omvs userid each time.
> [snip]
Re: OMVS su -
On Mon, 26 Nov 2012 10:17:39 -0800, Donald J. dona...@4email.net wrote:
> We have several OMVS userids of 0. Is there any way to control which of those gets utilized when an su - command is entered? I would like it to be the omvs userid each time.
> Some of the UID 0 userids have a home of /, and a couple have no home defined.
> [snip]

AFAIK the one that gets used is the userid defined in BPXPRMxx SUPERUSER(userid). In my case it is BPXROOT. I've never tried changing it to another UID(0) userid, nor would I ever attempt to.

BTW, why would whomever defines userids define one with an OMVS segment that doesn't contain a home DIR?

Regards,
Mark
-- 
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
mailto:m...@mzelden.com
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
Systems Programming expert at http://expertanswercenter.techtarget.com/
Re: OMVS su -
No, that doesn't do it. We have:

 BROWSE    SYS1.SY1.PARMLIB(BPXPRM00) - 01      Line 0180 Col 001 080
 Command ===>                                        Scroll ===> CSR
 SUPERUSER(BPXROOT)

---
su -
/home/root ===> env
...
LOGNAME=OMVS
/home/root ===> ll /bin/z*
-rwxr-xr-x   3 OMVS     1      188416 Nov 12  2009 /bin/zcat
---

> BTW, why would whomever defines userids define one with an OMVS segment that doesn't contain a home DIR?

I guess because the DB2 security manual doesn't specify to do it that way.

> AFAIK the one that gets used is the userid defined in BPXPRMxx SUPERUSER(userid). In my case it is BPXROOT. I've never tried changing it to another UID(0) userid, nor would I ever attempt to.
> [snip]

-- 
Donald J.
dona...@4email.net
Re: OMVS su -
I don't know of any way to do that. IBM has implemented sudo (1.7.2p2) in the ported tools (at least on my z/OS 1.12 system that's where it is). Personally, with the security hat on, I'd prefer enforcing the use of sudo because you can control and audit it more easily. ref: http://www.sudo.ws/

But I would strongly suggest that you set up the proper RACF profiles to allow superuser-like access while using a regular RACF id. I have a non-zero UID on my login and I have yet to have any need to use sudo or an su - command. I can read/modify/chmod/chtag/chown/chgrp/... any UNIX file. Do a kill command on any UNIX process. Start up daemons (sudo helps a bit on this one).

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/BPXZB2C0/4.20
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/bpxzb2c0/4.17

-- 
John McKown
Systems Engineer IV
IT Administrative Services Group
HealthMarkets(r)
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Donald J.
Sent: Monday, November 26, 2012 12:18 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: OMVS su -

> We have several OMVS userids of 0. Is there any way to control which of those gets utilized when an su - command is entered? I would like it to be the omvs userid each time.
> [snip]
Re: OMVS su -
The filesystem has the uid, not the userid. If you have multiple userids using uid(0), then when it maps the uid to a userid it just picks one :-)

Kirk Wolf
Dovetailed Technologies
http://dovetail.com
+1 636.300.0901

On Mon, Nov 26, 2012 at 10:48 AM, Donald J. dona...@4email.net wrote:
> No, that doesn't do it. We have:
> [snip]
> /home/root ===> ll /bin/z*
> -rwxr-xr-x   3 OMVS     1      188416 Nov 12  2009 /bin/zcat
> [snip]