SHOW UNIXOPTS command has 4 new fields BPX.NEXT.USER ACTIVE ; FSACCESS CHECKING ; DENY EXECUTION IF FILE HAS NO EXECUTE PERMISSIONS ; TRACE USE OF BPX.DEFAULT.USER UID AND GID - what do they show?
Article ID: 18546

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

Description:

There are new messages in the ACF SHOW UNIXOPTS display that result from new GSO UNIXOPTS fields and enhancements. Documentation for these new fields and messages will be included in updates to the ACF2 documentation in the near future. New display fields:

  1. BPX.NEXT.USER ACTIVE: YES AUTOIDOM SYSID: ****

  2. FSACCESS CHECKING: YES

  3. DENY EXECUTION IF FILE HAS NO EXECUTE PERMISSIONS: NO

  4. TRACE USE OF BPX.DEFAULT.USER UID AND GID: YES

Solution:

The following describes the SHOW UNIXOPTS display message and the corresponding GSO fields that control the display status.

Sample SHOW UNIXOPTS display:

  • UNIXOPTS OPENEDITION/MVS/UNIX SYSTEM SERVICES (USS) SUMMARY

    OMVS DEFAULT USER: OMVSDUSR
    OMVS DEFAULT GROUP: OMVSGRP
    MAX NUMBER OF OMVS GROUPS: 300
    HFS SECURITY ACTIVE: YES
    HFSACL ACTIVE: NO
    FILE.GROUPOWNER.SETGID ACTIVE: NO
    OMVS MODEL USER: MODLUSER
    BPX.UNIQUE.USER ACTIVE: NO

    BPX.NEXT.USER ACTIVE: YES AUTOIDOM SYSID: XXXX
    FSACCESS CHECKING: YES
    DENY EXECUTION IF FILE HAS NO EXECUTE PERMISSIONS: NO
    TRACE USE OF BPX.DEFAULT.USER UID AND GID: NO

  • AUDIT FLAG STATUS

    CHOWN_RESTRICTED: YES
    DIRACC_ACTIVE: NO
    DIRSRCH_ACTIVE: NO
    FSOBJ_ACTIVE: NO
    FSSEC_ACTIVE: NO
    IPCOBJ_ACTIVE: NO
    PROCACT_ACTIVE: NO
    PROCESS_ACTIVE: NO

New UNIXOPTS fields

FSACCESS CHECKING: YES corresponds to the GSO UNIXOPTS BYP-FSA|NOBYP-FSA field.

BYP-FSA | NOBYP-FSA (default is NOBYP-FSA)

A new GSO UNIXOPTS record field that allows customers to disable FASTAUTH calls for FSACCESS class resources.

BPX.NEXT.USER ACTIVE: YES|NO is determined by the existence of the AUTOIDOM GSO record. The value will be YES if the AUTOIDOM record exists and NO if there is no AUTOIDOM record.

DENY EXECUTION IF FILE HAS NO EXECUTE PERMISSIONS: YES|NO corresponds to the GSO UNIXOPTS DENYEXEC|NODENYEXEC

DENYEXEC | NODENYEXEC (default is NODENYEXEC)

Modifies authorization checks for UID 0 execute attempts for HFS and zFS files that have no execute permissions assigned. Standard Unix checks would fail UID 0 attempts to execute such files, but ACF2 allows execution of the file if the caller has READ authority to SUPERUSER.FILESYS in the UNIXPRIV class. When DENYEXEC is specified, ACF2 processing fails the UID 0 execute attempt without proceeding to check the SUPERUSER.FILESYS UNIXPRIV class resource.

TRACE USE OF BPX.DEFAULT.USER UID AND GID: NO|YES corresponds to the GSO UNIXOPTS TRACEDFT | NOTRACEDFT (default is NOTRACEDFT)

Enables tracing of initUSP callable service requests that use the default OMVS UID and/or GID defined in BPX.DEFAULT.USER. This is primarily intended as a tool to assist sites migrating to z/OS 2.1, since BPX.DEFAULT.USER no longer exists at z/OS 2.1 and above. With TRACEDFT enabled, the traced initUSP calls are reported on ACFRPTOM with "Successful - UID or GID came from BPX.DEFAULT.USER" to indicate that the UID or GID came from BPX.DEFAULT.USER.
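
The field-to-GSO mapping described above can be checked against captured SHOW UNIXOPTS output. The following is an added example, not code from this article or from ACF2: it parses the display text and reports the GSO state behind each of the four new fields. The names `GSO_MAP`, `REVIEW`, `parse_unixopts`, `gso_state` and `review_items` are hypothetical, and it assumes FSACCESS CHECKING: YES is the default NOBYP-FSA state.

```python
import re

# Display field -> (GSO state when YES, GSO state when NO), taken from the article.
# Assumption: FSACCESS CHECKING: YES is the default NOBYP-FSA state.
GSO_MAP = {
    "BPX.NEXT.USER ACTIVE": ("AUTOIDOM record exists", "no AUTOIDOM record"),
    "FSACCESS CHECKING": ("NOBYP-FSA", "BYP-FSA"),
    "DENY EXECUTION IF FILE HAS NO EXECUTE PERMISSIONS": ("DENYEXEC", "NODENYEXEC"),
    "TRACE USE OF BPX.DEFAULT.USER UID AND GID": ("TRACEDFT", "NOTRACEDFT"),
}
# States the article describes as relaxing a check (hypothetical review list).
REVIEW = {
    "BYP-FSA": "FASTAUTH calls for FSACCESS class resources are disabled",
    "NODENYEXEC": "UID 0 may execute files lacking execute permission "
                  "with READ to SUPERUSER.FILESYS in UNIXPRIV",
}
# Constructed input: lines copied from the article's sample display.
SAMPLE = """\
    OMVS DEFAULT USER: OMVSDUSR
    BPX.UNIQUE.USER ACTIVE: NO

    BPX.NEXT.USER ACTIVE: YES AUTOIDOM SYSID: XXXX
    FSACCESS CHECKING: YES
    DENY EXECUTION IF FILE HAS NO EXECUTE PERMISSIONS: NO
    TRACE USE OF BPX.DEFAULT.USER UID AND GID: NO
"""
# A field name, a colon, YES or NO as a whole word, then optional trailing text.
LINE = re.compile(r"^\s*([A-Z][A-Z0-9._ /]*?):\s*(YES|NO)\b(.*)$")

def parse_unixopts(text):
    """Return {field: (is_yes, trailing_text)} for each matching YES/NO line."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out[m[1]] = (m[2] == "YES", m[3].strip())
    return out

def gso_state(text):
    """Map each new field to its GSO state; None when the display lacks the field."""
    parsed = parse_unixopts(text)
    return {f: (yes if parsed[f][0] else no) if f in parsed else None
            for f, (yes, no) in GSO_MAP.items()}

def review_items(text):
    """List (GSO state, effect) pairs for states that relax a check."""
    return [(s, REVIEW[s]) for s in gso_state(text).values() if s in REVIEW]

if __name__ == "__main__":
    for field, state in gso_state(SAMPLE).items():
        print(f"{field}: {state}")
    for state, effect in review_items(SAMPLE):
        print(f"REVIEW {state}: {effect}")
```

A field that maps to None means the display came from a system without the new UNIXOPTS fields.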

Environment

Release: ACF2..001AO-15-ACF2