Open-source Languages & Tools for z/OS

  • 1.  sudo and BPX.DAEMON

    Posted 06-24-2021 10:45

    Somebody noticed that with the "old" sudo (the one which was downloaded), i.e. sudo 1.8.21p2 005-nokrb it happened that when having an entry like this in /etc/sudoers

    JOHNDOE  ALL = (PRODUSER) NOPASSWD: /u/produser/bin/daily_cleanup.sh

    and then user JOHNDOE does

    sudo -u PRODUSER /u/produser/bin/daily_cleanup.sh

    the following error messages pop up:

    sudo: unable to change to runas uid (189, 189): EDC5139I Operation not permitted.
    sudo: unable to execute /u/produser/bin/daily_cleanup.sh: EDC5139I Operation not permitted.

    The same time in syslog there pops up an ICH408I message

    ICH408I USER(JOHNDOE ) GROUP(BASE   ) NAME(DOE, JOHN        )
       BPX.DAEMON CL(FACILITY)                                       
       INSUFFICIENT ACCESS AUTHORITY                                 
       ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE  

    If user JOHNDOE gets READ access to BPX.DAEMON then above sudo command works fine.

    Questions:

    1. Is this a known error?

    2. If yes is it fixed in the forthcoming sudo_nokrb package which Vladimir said will be available by end of June?

    Thanks,

    Manfred



    ------------------------------
    Manfred Lotz
    IBM
    ------------------------------



  • 2.  RE: sudo and BPX.DAEMON

    Posted 06-24-2021 14:21
    Sorry, I didn't carefully read the other threads.

    From what I found in other threads it seems I can expect that the new sudo (without kerberos) build will fix this.

    --
    Manfred

    ------------------------------
    Manfred Lotz
    IBM
    ------------------------------



  • 3.  RE: sudo and BPX.DAEMON

    Posted 06-29-2021 08:40
    Hi there,
    Here my feedback regarding installation and testing of sudo_nokrb

    1. Installation

    Installed via: conda install --channel zoss-appdev sudo_nokrb

    I had to manually adjust the sudo binary as it lacked the proper permissions and the correct
    extattr settings


    2. Tests

    2a. Running sudo -l

    Works ok but the ICH408I messages complaining about missing READ access to BPX.DAEMON
    appears twice.


    2b. Running: sudo su -

    The command works but the same as above. Two ICH408I messages in the syslog.

    2c. Running: sudo -u JOHNDOE uname -a

    The command works, and importantly, here I don't see any ICH408I message in the syslog.

    --
    Manfred


    ------------------------------
    Manfred Lotz
    IBM
    ------------------------------



  • 4.  RE: sudo and BPX.DAEMON

    Posted 06-29-2021 09:02
    Additional remark: Above tests were done on a z/OS 2.3 system.

    I reran the tests on a z/OS 2.4 system and now the ICH408I message appeared only once in those cases where it appeared twice on z/OS 2.3

    ------------------------------
    Manfred Lotz
    IBM
    ------------------------------



  • 5.  RE: sudo and BPX.DAEMON

    ROCKETEER
    Posted 07-02-2021 15:43
    Thanks for your feedback Manfred!

    We've added that ICH408I message issue to our backlog and should eventually fix it, even though it seems to be pretty harmless.

    Regarding the lack of permissions and extended attributes on the sudo binary, that's the way it's supposed to work - first you install sudo and make sure everything is good and safe, and only then you (or even a different person) define it to program control.

    Regards,
    Vladimir

    ------------------------------
    Vladimir Ein
    Rocket Software
    ------------------------------
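The manual step discussed in posts 3 and 5 (install sudo_nokrb, verify the binary, then give it the permissions and the program-control extended attribute) is shown below as an added example; it is not code from the thread, from the sudo_nokrb package or from Rocket Software. It assumes the z/OS shell (where `ls -E`, `chmod`, `chown` and `extattr` are available), that the UID 0 owner is named BPXROOT, and a hypothetical install path; all three are assumptions to adjust per site. The `check_sudo_line` function parses a line of `ls -E` output, whose second column lists the extended attributes in the order a p s l, and only accepts a binary that is setuid, not group- or world-writable, owned by the expected UID 0 user and program controlled (`p`).

```shell
#!/bin/sh
# Added example, not part of the original thread or of sudo_nokrb.
# Verifies and, on request, applies the post-install hardening of the sudo
# binary described in the thread: setuid root plus extattr +p.

# Parse one line of z/OS `ls -E` output, e.g.
#   -rwsr-xr-x  -p--  1 BPXROOT  SYS1   1234 Jun 29 08:40 /u/env/bin/sudo
# Column 2 holds the extended attributes in the order a p s l
# (APF, program control, shared address space, shared library), '-' if unset.
# Returns 0 only if the file is setuid, not writable by group/other,
# owned by the expected UID 0 user and program controlled.
check_sudo_line() {
    line=$1
    expected_owner=${2:-BPXROOT}      # assumption: site's UID 0 user is BPXROOT
    set -- $line                      # word-split the ls -E line into columns
    mode=$1; ext=$2; owner=$4
    case $mode in
        -rws*) ;;                     # 's' in the user execute slot = setuid
        *) echo "not setuid: $mode"; return 1 ;;
    esac
    case $mode in
        ?????w*|????????w?) echo "group/other writable: $mode"; return 1 ;;
    esac
    case $ext in
        ?p??) ;;                      # 'p' in position 2 = program controlled
        *) echo "not program controlled: $ext"; return 1 ;;
    esac
    [ "$owner" = "$expected_owner" ] || { echo "owner $owner is not $expected_owner"; return 1; }
    return 0
}

# Apply the hardening to an installed sudo binary and verify the result.
# Run this only after you have checked that the installed file is the one you
# expect (source, checksum), since program control is what the kernel trusts.
harden_sudo() {
    bin=$1
    owner=${2:-BPXROOT}
    chown "$owner" "$bin" || return 1
    chmod 4755 "$bin"     || return 1   # setuid, no group/other write
    extattr +p "$bin"     || return 1   # mark program controlled
    check_sudo_line "$(ls -E "$bin")" "$owner"
}

# Usage (assumed path): ./harden_sudo.sh /u/conda/envs/tools/bin/sudo BPXROOT
if [ $# -gt 0 ]; then
    harden_sudo "$1" "${2:-BPXROOT}"
fi
```

The check deliberately fails closed: a binary that is setuid but not program controlled is exactly the state the thread describes after a bare `conda install`, and a setuid binary that is group- or world-writable should never be marked program controlled.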