Problem:
I was testing doing a switch in USS to another user that was a Superuser. I am being allowed. I am prompted to enter the password but there is none since the logonid I am trying to switch to is a STC. So just hitting enter allows me in. How can I stop this?
list apache
APACHE AB1246CCTECHAPACHE APACHE WEB SERVER
COMP(AB12) CUST(46CC) DEPT(TECH)
PRIVILEGES STC
list testid1
TESTID1 AB1246CCTECHTEST1ID TEST1 LOGONID
COMP(AB12) CUST(46CC) DEPT(TECH)
The test id was then used to log on to USS and switch to the STC user:
$ whoami
TESTID1
$ su APACHE
FSUM5019 Enter the password for APACHE <== then ENTER was hit
$ whoami
APACHE
Cause:
When su is issued in USS, z/OS UNIX makes a SAF resource request to check whether the current user may act as a surrogate of the target user (resource BPX.SRV.userid in the SURROGAT class, here BPX.SRV.APACHE). If that request is allowed, no password is needed to complete the switch, which is why pressing ENTER at the FSUM5019 prompt succeeded.
Resolution:
Adding TRACE to the logonid that performed the switch records the resource checks made on its behalf, which shows what access was allowed and by which rule.
TSO ACF
SET LID
CHANGE TESTID1 TRACE
In this case, a SECTRACE was also taken, which looked like this:
SMFID= TEST TOD= hh:mm:ss.mm TRACEID= TESTTRACE USERID= TESTID
JOBNAME= TESTID ASID= 00AA PGM= *PATHNAM CURR RB= *PATHNAM
SFR/RFR= 0/0:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE
SAFDEF= SAFALL INTERNAL MODE= GLOBAL
RACROUTE REQUEST=AUTH,CLASS='SURROGAT',RELEASE=1.9.2,STATUS=NONE,
ATTR=READ,DSTYPE=N,ENTITYX=('BPX.SRV.APACHE',PRIVATE),
FILESEQ=0,GENERIC=ASIS,LOG=NOSTAT,MSGSP=0,TAPELBL=STD,
WORKA=
Looking at the ACFRPTRV report for the user trace information, we found this:
RSUR-BPX.SRV.APACHE TRC RSUR-BPX.SRV.**************************
AB1246CCTECHAPACHE TEST ACF9CAUT RULE - DIRECTRY READ
YY.DDD MM/DD HH.MM source TESTID1 TEST1 LOGONID 0 0 0 0 0
SAF RESOURCE CLASS SURROGAT
RESOURCE NAME: BPX.SRV.APACHE
So, looking at the rule set selected by the lookup key:
$KEY(BPX.SRV.********************************) TYPE(SUR)
UID(*) ALLOW
This rule allowed every user (UID(*)) to switch in USS to any user whose BPX.SRV.userid resource matched the masked $KEY, including STC logonids such as APACHE. The ALLOW should be changed to a PREVENT, and only the specific UIDs that are authorized to switch should have an ALLOW entry.
$KEY(BPX.SRV.********************************) TYPE(SUR)
UID(*) PREVENT
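As an added example (not part of the original article), the following shows the corrected rule set compiled and stored under TSO ACF, with the default PREVENT plus an ALLOW for one authorized UID. The UID mask AB1246CCTECHADMIN1 is an assumed example built on the UID layout the LIST output above shows (COMP AB12, CUST 46CC, DEPT TECH, then the logonid); substitute the UIDs that are actually authorized. ACF2 sorts rule entries from most specific to most general, so the UID(*) PREVENT is evaluated last.

```text
ACF
SET RESOURCE(SUR)
COMPILE *
 $KEY(BPX.SRV.********************************) TYPE(SUR)
 * Assumed example UID: only this logonid may su to BPX.SRV.* targets
  UID(AB1246CCTECHADMIN1) ALLOW
 * Everyone else is denied; logged so attempts show up in ACFRPTRV
  UID(*) PREVENT
STORE
END
```

After STORE, if SUR is a resident resource type (the ACFRPTRV report above shows the rule being found through the directory), rebuild the directory from the console with F ACF2,REBUILD(SUR) so the new rule takes effect. Repeating the su test from TESTID1 should then be denied, and the TRACE on TESTID1 can be removed with CHANGE TESTID1 NOTRACE once the verification is done.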