Open-source Languages & Tools for z/OS

  • 1.  Sudo version 1.8.21p2 on z/OS

    Posted 06-04-2021 17:42
    Just started running sudo with a sudoers file that allows me to run ps -ef to see all USS processes running.
    sudo -l
    (BPXROOT) NOPASSWD: /bin/ps

    After issuing sudo ps -ef, I see the expected output but noticed two of these RACF error messages in the system log.
    I wouldn't expect to need READ access to the resource. What am I missing in configuration?

    ICH408I USER(xxxxxxxx ) GROUP(xxxxxxxx ) NAME(xxxxxxxx )
    BPX.DAEMON CL(FACILITY)
    INSUFFICIENT ACCESS AUTHORITY
    ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )



    thanks

    ------------------------------
    Gary Grossi
    IT Director, Z Systems
    Alight Solutions
    ------------------------------
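
To see which user and resource are behind messages like the one quoted above, this added example (not from the original posts or from Rocket Software) parses ICH408I text in the layout shown in the post and counts denials per user and resource. The sample log and its user IDs are constructed, and the input is assumed to have any syslog prefixes already stripped.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted in the post; IDs and names are made up.
SAMPLE = """\
ICH408I USER(USERA   ) GROUP(GRPA    ) NAME(CONSTRUCTED USER A  )
  BPX.DAEMON CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(USERA   ) GROUP(GRPA    ) NAME(CONSTRUCTED USER A  )
  BPX.DAEMON CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(USERB   ) GROUP(GRPB    ) NAME(CONSTRUCTED USER B  )
  BPX.SUPERUSER CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

HEAD = re.compile(r"ICH408I\s+USER\(\s*([^\s)]+)\s*\)\s+GROUP\(\s*([^\s)]+)\s*\)")
RES = re.compile(r"\s*(\S+)\s+CL\(\s*([^\s)]+)\s*\)")
ACC = re.compile(r"ACCESS INTENT\(\s*(\w+)\s*\)\s+ACCESS ALLOWED\(\s*(\w+)\s*\)")

def parse_ich408i(text):
    """Return one dict per ICH408I message found in text."""
    events, cur = [], None
    for line in text.splitlines():
        if m := HEAD.search(line):
            cur = {"user": m.group(1), "group": m.group(2)}
            events.append(cur)
        elif cur is None:
            continue  # text before the first message header
        elif (m := RES.match(line)) and "resource" not in cur:
            cur["resource"], cur["class"] = m.groups()
        elif m := ACC.search(line):
            cur["intent"], cur["allowed"] = m.groups()
    return events

def summarize(events):
    """Count denials per (user, class, resource, intent, allowed)."""
    keys = ("user", "class", "resource", "intent", "allowed")
    return Counter(tuple(e.get(k) for k in keys) for e in events)

def bpx_daemon_reads(events):
    """The pattern from the thread: READ intent denied on BPX.DAEMON in FACILITY."""
    want = {"resource": "BPX.DAEMON", "class": "FACILITY", "intent": "READ"}
    return [e for e in events if all(e.get(k) == v for k, v in want.items())]

if __name__ == "__main__":
    for key, n in summarize(parse_ich408i(SAMPLE)).most_common():
        print(n, *key)
```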


  • 2.  RE: Sudo version 1.8.21p2 on z/OS

    ROCKETEER
    Posted 06-07-2021 16:45
    Hello Gary,

    Thanks for reporting the issue. You're probably not missing anything. At this point I can't tell for sure what's causing the message to appear; we've successfully recreated it in-house and this will require some research. Please note that we have to prioritize our work for customers that are paying for support, so the research might take some time.

    Thanks again,
    Vladimir


    ------------------------------
    Vladimir Ein
    Rocket Software
    ------------------------------



  • 3.  RE: Sudo version 1.8.21p2 on z/OS

    Posted 06-08-2021 16:45
    Hello Vladimir,
    Thanks for taking the time to respond. It's good news that you have reproduced the issue.
    Hopefully you can find the root cause.

    Let me know if you need more information.
    Thanks, Gary

    ------------------------------
    Gary Grossi
    IT Director, Z Systems
    Alight Solutions
    ------------------------------



  • 4.  RE: Sudo version 1.8.21p2 on z/OS

    Posted 06-10-2021 09:20
    I copied the sudo.conf file from the doc directory to /etc and still see the ICH408I security message in the log.

    I noticed a sudo.conf in the examples directory as well and did a diff (results below).

    Should the sudo.conf be used/copied to /etc and if so, which one?
    thanks

    diff sudo.conf examples/sudo.conf

    < Plugin sudoers_policy /etc/sudoers
    < Plugin sudoers_io /etc/sudoers
    ---
    > Plugin sudoers_policy sudoers.so
    > Plugin sudoers_io sudoers.so

    ------------------------------
    Gary Grossi
    IT Director, Z Systems
    Alight Solutions
    ------------------------------



  • 5.  RE: Sudo version 1.8.21p2 on z/OS

    ROCKETEER
    Posted 06-10-2021 09:47
    Hi Gary Grossi,

    sudo.conf should be copied to /etc and I believe this one is the right choice:

    Plugin sudoers_policy /etc/sudoers
    Plugin sudoers_io /etc/sudoers

    Thanks,
    Alexander

    ------------------------------
    Alexander Klochkov
    Rocket Software
    ------------------------------



  • 6.  RE: Sudo version 1.8.21p2 on z/OS

    Posted 06-15-2021 10:58
    Hello,
    Just started user testing with one of the sudo rules.
    The user issued:
    sudo -l
    (ZZJAVA) NOPASSWD: /global/app1/PRD/scripts/java-oper.sh *

    sudo -u ZZJAVA /global/app1/PRD/scripts/java-oper.sh

    sudo: unable to change to runas uid (89, 89): EDC5139I Operation not permitted.
    sudo: unable to execute /global/app1/PRD/scripts/java-oper.sh: EDC5139I Operation not permitted.

    What is needed to make this work?
    thanks

    ------------------------------
    Gary Grossi
    IT Director, Z Systems
    Alight Solutions
    ------------------------------



  • 7.  RE: Sudo version 1.8.21p2 on z/OS

    ROCKETEER
    Posted 06-16-2021 13:17

    Hi Gary,

    It's a bug in the build of sudo. The build with the fix has been available to customers on a support contract since February. Per our policy, fixes are moved from the secure to the public conda channel after a six-month delay.

    Thanks,



    ------------------------------
    Sergey Rezepin
    Rocket Software
    ------------------------------



  • 8.  RE: Sudo version 1.8.21p2 on z/OS

    Posted 06-22-2021 11:17
    Gary,
    If I understand you correctly then

    1. sudo works ok
    2. but you do get the annoying ICH408 message


    This means if you just ignore the ICH408I then all is fine.

    Right?


    --
    Manfred



    ------------------------------
    Manfred Lotz
    IBM
    ------------------------------