I was testing doing a switch in USS to another user that was a Superuser, and I am being allowed. I am prompted to enter the password, but there is none since the logonid I am trying to switch to is an STC. So just hitting enter allows me in. How can I stop this?
list apache
APACHE uid of apache server APACHE WEB SERVER
COMP(yyyy) CUST(xxx) DEPT(zzzz)
PRIVILEGES STC
list testid1
TESTID1 uid of testid1 TEST1 LOGONID
COMP(yyyy) CUST(xxxx) DEPT(zzzz)
The test ID was used to log on to USS:
$
$ whoami
TESTID1
$
$su APACHE
FSUM5019 Enter the password for APACHE <== then ENTER was hit
$
$whoami
APACHE
When a user issues su in USS, z/OS makes a SAF resource request to check whether that user may act as a surrogate of the target user (class SURROGAT, resource BPX.SRV.target-userid). That check is what sits behind the FSUM5019 password prompt: when the surrogate request is allowed, the switch succeeds without the target user's password.
Adding TRACE on a logonid will help determine what access was allowed.
TSO ACF
SET LID
CHANGE TESTID1 TRACE
In this case, a SECTRACE was also done that looked like this:
SMFID= TEST TOD= hh:mm:ss.mm TRACEID= TESTTRACE USERID= TESTID
JOBNAME= TESTID ASID= 00xx PGM= *PATHNAM CURR RB= *PATHNAM
SFR/RFR= 0/0:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE
SAFDEF= SAFALL INTERNAL MODE= GLOBAL
RACROUTE REQUEST=AUTH,CLASS='SURROGAT',RELEASE=1.9.2,STATUS=NONE,
ATTR=READ,DSTYPE=N,ENTITYX=('BPX.SRV.APACHE',PRIVATE),
FILESEQ=0,GENERIC=ASIS,LOG=NOSTAT,MSGSP=0,TAPELBL=STD,
WORKA=
Looking at the ACFRPTRV report for the user trace information, we found this:
RSUR-BPX.SRV.APACHE TRC RSUR-BPX.SRV.**************************
uid of apache serverTEST ACF9CAUT RULE - DIRECTRY READ
YY.DDD MM/DD HH.MM source TESTID1 TEST1 LOGONID 0 0 0 0 0
SAF RESOURCE CLASS SURROGAT
RESOURCE NAME: BPX.SRV.APACHE
So, looking at the rule found through that lookup key:
$KEY(BPX.SRV.********************************) TYPE(SUR)
UID(*) ALLOW
This rule allowed every user (UID(*)) to switch to any BPX.SRV.* target in USS without a password. The ALLOW should be changed to PREVENT, and only the authorized users should be given an ALLOW entry of their own.
$KEY(BPX.SRV.********************************) TYPE(SUR)
UID(*) PREVENT
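As an added example, not from the original article, here is the shape of a rule set that keeps the masked key closed while granting the switch to a single administrative UID string; the key BPX.SRV.APACHE comes from the trace above, while the UID value yyyyxxxxzzzzADMIN1 is a hypothetical placeholder for a site's own UID string built from COMP, CUST, DEPT and logonid:

```acf2
* Hypothetical rule set for the SURROGAT class (TYPE SUR), specific to the APACHE target.
* ACF2 evaluates the most specific key first, so this rule set is found
* before the masked BPX.SRV.**** rule set for su APACHE requests.
$KEY(BPX.SRV.APACHE) TYPE(SUR)
 UID(yyyyxxxxzzzzADMIN1) ALLOW
 UID(*) PREVENT
```

Each rule set is stored separately under SET RESOURCE(SUR) with the ACF COMPILE and STORE subcommands, and the resident directory is then refreshed with the operator command F ACF2,REBUILD(SUR) (both assumed from ACF2's standard resource-rule administration, not shown on the original page).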