search cancel

ck_process_owner fails with SAF=8 RC=8 RSN=4

book

Article ID: 243395

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

ck_process_owner fails with SAF=8 RC=8 RSN=4 message

shows in the USS events log with the message

Failed - Caller not authorized to use this callable service.

The message is issued to the PFA address space.

The assigned ACID has UID=7 and GID=1 

other components of the message Real Uid:0 Effective UID:0

Saved UID:0 TArget PID:0 

Signal code: Signal n/a for type 3 (getpsent) requests

 

Environment

Release : 16.0

Component : Top Secret for z/OS

Resolution

CHECK_PROC_OWNER checks to see if the calling process is the owner of a
process being called. This is done in a few ways:

1) the user is superuser
2) the user's UID is same as PROCESS' real or saved UID
3) the user has access to resource SUPERUSER.PROCESS.KILL or
SUPERUSER.PROCESS.GETPSENT - depending on call being made - in the
UNIXPRIV resource class.

8/8:4 on ck_process_owner really means the caller is not
the owner of the process as specified on the call. The reason why the
explanation is put as failing authorization for the callable service is that
a superuser is always given return codes indicating that the caller is the
owner, and the service is usually invoked by a superuser.

But the technical
meaning of the return codes is that the caller does not own the process being
checked. For this call, the caller is considered a superuser if the uid
(either the current or the real uid) is 0 or if the user has access to
UNIXPRIV(SUPERUSER.PROCESS.GETPSENT).

Basically, the ck_process_owner call is trying to determine if the user is a
superuser or has access to UNIXPRIV(SUPERUSER.PROCESS.GETPSENT). It's not
really a violation. Its just trying to determine something. 

Permit the Acid to

UNIXPRIV(SUPERUSER.PROCESS.GETPSENT)

to stop the event being reported.