I have a regular user using USS under z/OS and they can switch to a Superuser logonid without knowing the password, or even a STC logonid. What is checked when a user switches to another user using the SU command in USS?

Article ID: 38558

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA PanApt, CA PanAudit

Issue/Introduction

Problem:

I was testing a switch in USS to another user that was a Superuser. I am being allowed. I am prompted to enter the password, but there is none since the logonid I am trying to switch to is an STC. So just hitting enter allows me in. How can I stop this?

list apache
APACHE       AB1246CCTECHAPACHE APACHE WEB SERVER
                  COMP(AB12) CUST(46CC) DEPT(TECH)
PRIVILEGES  STC

list testid1
TESTID1      AB1246CCTECHTEST1ID TEST1 LOGONID
                  COMP(AB12) CUST(46CC) DEPT(TECH)

The test logonid was then used to log on to USS and switch to APACHE:

$
$ whoami
TESTID1
$
$su APACHE
FSUM5019 Enter the password for APACHE                 <== then ENTER was hit
$
$whoami
APACHE

Cause:

When a user issues su in USS, z/OS UNIX makes a SAF resource request to decide whether the issuing user may act as a surrogate of the target user: a RACROUTE REQUEST=AUTH for the resource BPX.SRV.<target userid> in the SURROGAT class (ACF2 resource type SUR). If that check allows access, the switch is permitted; the FSUM5019 password prompt seen above is part of this flow, and the surrogate decision is what let the empty password through.

Resolution:

Adding TRACE to the logonid records the access decisions ACF2 makes for it, which shows what access was allowed and by which rule:

TSO ACF
SET LID
CHANGE TESTID1 TRACE

In this case a SECTRACE was also taken; it shows the SAF call that z/OS UNIX issued for the switch:

SMFID= TEST TOD= hh:mm:ss.mm TRACEID= TESTTRACE USERID= TESTID 
JOBNAME= TESTID ASID= 00AA PGM= *PATHNAM CURR RB= *PATHNAM 
SFR/RFR= 0/0:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE 
SAFDEF= SAFALL  INTERNAL MODE= GLOBAL 

RACROUTE REQUEST=AUTH,CLASS='SURROGAT',RELEASE=1.9.2,STATUS=NONE, 
ATTR=READ,DSTYPE=N,ENTITYX=('BPX.SRV.APACHE',PRIVATE), 
FILESEQ=0,GENERIC=ASIS,LOG=NOSTAT,MSGSP=0,TAPELBL=STD, 
WORKA= 

The ACFRPTRV report for the traced user shows the rule that satisfied that request:

RSUR-BPX.SRV.APACHE TRC RSUR-BPX.SRV.**************************
AB1246CCTECHAPACHE TEST ACF9CAUT RULE - DIRECTRY READ
YY.DDD MM/DD HH.MM source TESTID1 TEST1 LOGONID 0 0 0 0 0
SAF RESOURCE CLASS SURROGAT

RESOURCE NAME: BPX.SRV.APACHE 

Looking at the rule set for the lookup key named in the report:

$KEY(BPX.SRV.********************************) TYPE(SUR)
UID(*) ALLOW

This rule allowed every user to switch to any other user with su in USS, including STC and Superuser logonids. The ALLOW should be changed to a PREVENT, and only the logonids that are authorized to act as surrogates should be given an ALLOW entry.

$KEY(BPX.SRV.********************************) TYPE(SUR)
UID(*) PREVENT
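As an added example (not from the original article), one way to restructure the masked SUR rule set so that a designated logonid keeps surrogate access while everyone else is prevented; the UID string AB1246CCTECHWEBADM is a constructed, hypothetical value for an authorized web administrator, and the rule set is assumed to be entered from TSO ACF and stored into a directory-resident type, as the RSUR- entry in the report indicates.

```text
TSO ACF
SET RESOURCE(SUR)
COMPILE *
* Surrogate rule for BPX.SRV.<userid> (SAF class SURROGAT, ACF2 type SUR).
* ACF2 applies the most specific matching UID entry, so the narrow ALLOW
* takes precedence over the masked PREVENT for that one UID string only.
$KEY(BPX.SRV.********************************) TYPE(SUR)
 UID(AB1246CCTECHWEBADM) ALLOW
 UID(*) PREVENT

STORE
```

After the rule set is stored, the SUR directory is rebuilt with F ACF2,REBUILD(SUR) from the operator console; TESTID1 (UID AB1246CCTECHTEST1ID) then matches only the UID(*) PREVENT entry, so the su shown above is denied and logged in ACFRPTRV.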


Environment

Release:
Component: ACF2MS