Open-source Languages & Tools for z/OS

Sudo version 1.8.21p2 on z/OS

  • 1.  Sudo version 1.8.21p2 on z/OS

    Posted 17 days ago
    Just started running sudo with a sudoers file that allows me to run ps -ef to see all USS processes running.
    sudo -l
    (BPXROOT) NOPASSWD: /bin/ps

    After issuing sudo ps -ef, I see the expected output but noticed two of these RACF error messages in the system log.
    I wouldn't expect to need READ access to the resource.  What am I missing in configuration?

    ICH408I USER(xxxxxxxx ) GROUP(xxxxxxxx ) NAME(xxxxxxxx )
    BPX.DAEMON CL(FACILITY)
    INSUFFICIENT ACCESS AUTHORITY
    ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )



    thanks

    ------------------------------
    Gary Grossi
    IT Director, Z Systems
    Alight Solutions
    ------------------------------


  • 2.  RE: Sudo version 1.8.21p2 on z/OS

    ROCKETEER
    Posted 14 days ago
    Hello Gary,

    Thanks for reporting the issue. You're probably not missing anything. At this point I can't tell for sure what's causing the message to appear; we've successfully recreated it in-house and this will require some research. Please note that we have to prioritize our work for customers that are paying for support, so the research might take some time.

    Thanks again,
    Vladimir


    ------------------------------
    Vladimir Ein
    Rocket Software
    ------------------------------



  • 3.  RE: Sudo version 1.8.21p2 on z/OS

    Posted 13 days ago
    Hello Vladimir,
    Thanks for taking the time to respond. It's good news that you have reproduced the issue.
    Hopefully you can find the root cause.

    Let me know if you need more information.
    Thanks, Gary

    ------------------------------
    Gary Grossi
    IT Director, Z Systems
    Alight Solutions
    ------------------------------



  • 4.  RE: Sudo version 1.8.21p2 on z/OS

    Posted 11 days ago
    I copied the sudo.conf file from the doc directory to /etc and still see the ICH408I security message in the log.

    I noticed a sudo.conf in the examples directory as well and did a diff (results below).

    Should the sudo.conf be used/copied to /etc and if so, which one?
    thanks

    diff sudo.conf examples/sudo.conf

    < Plugin sudoers_policy /etc/sudoers
    < Plugin sudoers_io /etc/sudoers
    ---
    > Plugin sudoers_policy sudoers.so
    > Plugin sudoers_io sudoers.so

    ------------------------------
    Gary Grossi
    IT Director, Z Systems
    Alight Solutions
    ------------------------------



  • 5.  RE: Sudo version 1.8.21p2 on z/OS

    ROCKETEER
    Posted 11 days ago
    Hi Gary Grossi,

    sudo.conf should be copied to /etc and I believe this one is the right choice:

    Plugin sudoers_policy /etc/sudoers
    Plugin sudoers_io /etc/sudoers

    Thanks,
    Alexander

    ------------------------------
    Alexander Klochkov
    Rocket Software
    ------------------------------



  • 6.  RE: Sudo version 1.8.21p2 on z/OS

    Posted 6 days ago
    Hello,
    Just started user testing with one of the sudo rules.
    The user issued:
    sudo -l
    (ZZJAVA) NOPASSWD: /global/app1/PRD/scripts/java-oper.sh *

    sudo -u ZZJAVA /global/app1/PRD/scripts/java-oper.sh

    sudo: unable to change to runas uid (89, 89): EDC5139I Operation not permitted.
    sudo: unable to execute /global/app1/PRD/scripts/java-oper.sh: EDC5139I Operation not permitted.

    What is needed to make this work?
    thanks

    ------------------------------
    Gary Grossi
    IT Director, Z Systems
    Alight Solutions
    ------------------------------



  • 7.  RE: Sudo version 1.8.21p2 on z/OS

    ROCKETEER
    Posted 5 days ago

    Hi Gary,

    It's a bug in the build of sudo. The build with the fix has been available to customers on a support contract since February. Per our policy, fixes are moved from the secure to the public conda channel after a six-month delay.

    Thanks,



    ------------------------------
    Sergey Rezepin
    Rocket Software
    ------------------------------