TSSOERPT 8/8:4 on R_IPC_ctl service routine


Article ID: 12604


Updated On:

Products

Top Secret Top Secret - LDAP

Issue/Introduction



The following is seen in the TSSOERPT. What does it mean? 

 

SERVICE USERID GROUP UID GID SAF RC RSN 

DATE TIME JOBNAME SOURCE SYSID CPU SECLABEL 

 

R_IPC_ctl WWWSERV WWWGROUP 228 207 8 8 4 

01/09/17 17.009 13.03.35 IMWEBSRV SYP 

Failed - The user is not authorized 

Old Permission bits - Owner: Group: --- Other: -wx 

New Permission bits - Owner: rw- Group: --- Other: --- 

Function code: Check Owner for Remove ID 

New UID value: 0 New GID value: 

Old UID value: 88 Old GID value: 

Access code: No Access 

Function: msgctl 

IPC key from CR 18713860 

IPC ID from CRE 4 

User Type: Local 

IPC key from II 18713860 

IPC ID from IIS 4 

Owner eff UID: 3000280 Owner eff GID: 1 

Create eff UID: 3000280 Create eff GID: 1 

S_IRUSR: Process owning the IPC member can read it 

S_IWUSR: Process owning the IPC member can alter it 

S_IRGRP: Group associated with the IPC member cannot read it 

S_IWGRP: Group associated with the IPC member cannot alter it 

S_IROTH: Others cannot read the IPC member 

S_IWOTH: Others cannot alter the IPC member

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component:

Resolution

The R_IPC_ctl service routine performs a function based on the function code in the parameter list. In this event, the Function code is: Check Owner for Remove ID. 

The 8 8 4 on the first line of the entry (SAF 8, RC 8, RSN 4) indicates that the user (WWWSERV) is not authorized for Check Owner for Remove ID.

From the IBM documentation at:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ichd100/ich2d100331.htm 

 

d. If the function is Check Owner for Remove ID, the user must be either a superuser or the effective UID of the process must match either the owner's UID or creator's UID in the IISP for a successful completion. Otherwise, the user is not authorized.

Note: If the caller is unauthorized as stated above, an authorization check is performed on the resource name in the UNIXPRIV class indicated in Table 1. If the authorization check is successful, the caller is treated as a superuser. 

 

Table 1. UNIXPRIV class resource names used in R_IPC_ctl

Function code | Resource name | Access required
1-Check Owner for Remove ID | SUPERUSER.IPC.RMID | READ
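The rule quoted above, applied to the fields of the report entry on this page, as an added triage example (not Broadcom or IBM code). The function names are hypothetical, the sample text is a simplified copy of the entry, and the UID column is assumed to be the caller's effective UID.

```python
import re

# Sample record: fields copied from the TSSOERPT entry on this page (layout simplified).
SAMPLE = """\
R_IPC_ctl WWWSERV WWWGROUP 228 207 8 8 4
Function code: Check Owner for Remove ID
Owner eff UID: 3000280 Owner eff GID: 1
Create eff UID: 3000280 Create eff GID: 1
"""

# Table 1 on this page: function code -> UNIXPRIV resource (READ access required).
UNIXPRIV_RESOURCE = {"Check Owner for Remove ID": "SUPERUSER.IPC.RMID"}


def parse_record(text):
    """Extract the fields the Remove ID rule depends on from one report entry."""
    head = re.search(
        r"^R_IPC_ctl\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", text, re.M)
    func = re.search(r"Function code:\s*(.+?)\s*$", text, re.M)
    owner = re.search(r"Owner eff UID:\s*(\d+)", text)
    creator = re.search(r"Create eff UID:\s*(\d+)", text)
    if not (head and func and owner and creator):
        raise ValueError("not a complete R_IPC_ctl entry")
    return {
        "userid": head.group(1),
        "uid": int(head.group(3)),  # assumption: this is the caller's effective UID
        "saf_rc_rsn": tuple(int(head.group(i)) for i in (5, 6, 7)),
        "function": func.group(1),
        "owner_uid": int(owner.group(1)),
        "creator_uid": int(creator.group(1)),
    }


def explain(rec, unixpriv_read=False):
    """Apply rule (d): superuser, owner/creator UID match, else UNIXPRIV fallback."""
    resource = UNIXPRIV_RESOURCE[rec["function"]]  # KeyError: function not modelled here
    if rec["uid"] == 0:
        return True, "caller is superuser (UID 0)"
    if rec["uid"] in (rec["owner_uid"], rec["creator_uid"]):
        return True, "caller UID matches the IPC owner or creator UID"
    if unixpriv_read:
        return True, f"READ access to UNIXPRIV {resource}: treated as superuser"
    return False, (f"{rec['userid']} (UID {rec['uid']}) is not UID 0 and does not match "
                   f"owner {rec['owner_uid']} or creator {rec['creator_uid']}; "
                   f"no READ access to UNIXPRIV {resource}")


if __name__ == "__main__":
    print(explain(parse_record(SAMPLE)))
```

For the entry above, the result is a denial because UID 228 is neither 0 nor 3000280, which matches the 8 8 4 in the report; passing `unixpriv_read=True` models the UNIXPRIV fallback described in the Note.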