sudo and BPX.DAEMON

Forum|Forum|4 years ago
June 24, 2021
4 replies
0 views

A

Anonymous

Somebody noticed that with the "old" sudo (the one which was downloaded), i.e. sudo 1.8.21p2 005-nokrb it happened that when having an entry like this in /etc/sudoers

JOHNDOE ALL = (PRODUSER) NOPASSWD: /u/produser/bin/daily_cleanup.sh

and then user JOHNDOE does

sudo -u PRODUSER /u/produser/bin/daily_cleanup.sh

the following error messages pop up:

sudo: unable to change to runas uid (189, 189): EDC5139I Operation not permitted.
sudo: unable to execute /u/produser/bin/daily_cleanup.sh: EDC5139I Operation not permitted.

The same time in syslog there pops up an ICH408I message

ICH408I USER(JOHNDOE ) GROUP(BASE ) NAME(DOE, JOHN        )
   BPX.DAEMON CL(FACILITY)
   INSUFFICIENT ACCESS AUTHORITY
   ACCESS INTENT(READ   ) ACCESS ALLOWED(NONE

If user JOHNDOE gets READ access to BPX.DAEMON then above sudo command works fine.

Questions:

1. Is this a known error?

2. If yes is it fixed in the forthcoming sudo_nokrb package which Vladimir said will be available by end of June?

Thanks,

Manfred

------------------------------
Manfred Lotz
IBM
------------------------------

A

Anonymous
0 replies
Forum|Forum|4 years ago
June 24, 2021

Somebody noticed that with the "old" sudo (the one which was downloaded), i.e. sudo 1.8.21p2 005-nokrb it happened that when having an entry like this in /etc/sudoers

JOHNDOE ALL = (PRODUSER) NOPASSWD: /u/produser/bin/daily_cleanup.sh

and then user JOHNDOE does

sudo -u PRODUSER /u/produser/bin/daily_cleanup.sh

the following error messages pop up:

sudo: unable to change to runas uid (189, 189): EDC5139I Operation not permitted.
sudo: unable to execute /u/produser/bin/daily_cleanup.sh: EDC5139I Operation not permitted.

The same time in syslog there pops up an ICH408I message

ICH408I USER(JOHNDOE ) GROUP(BASE ) NAME(DOE, JOHN        )
   BPX.DAEMON CL(FACILITY)
   INSUFFICIENT ACCESS AUTHORITY
   ACCESS INTENT(READ   ) ACCESS ALLOWED(NONE

If user JOHNDOE gets READ access to BPX.DAEMON then above sudo command works fine.

Questions:

1. Is this a known error?

2. If yes is it fixed in the forthcoming sudo_nokrb package which Vladimir said will be available by end of June?

Thanks,

Manfred

------------------------------
Manfred Lotz
IBM
------------------------------

Sorry, I didn't carefully read the other threads.

From what I found in other threads it seems I can expect that the new sudo (without kerberos) build will fix this.

--
Manfred

------------------------------
Manfred Lotz
IBM
------------------------------

A

Anonymous
0 replies
Forum|Forum|4 years ago
June 29, 2021

Sorry, I didn't carefully read the other threads.

From what I found in other threads it seems I can expect that the new sudo (without kerberos) build will fix this.

--
Manfred

------------------------------
Manfred Lotz
IBM
------------------------------

Hi there,
Here my feedback regarding installation and testing of sudo_nokrb

1. Installation

Installed via: conda install --channel zoss-appdev sudo_nokrb

I had to manually adjust the sudo binary as it lacked the proper permissions and the correct
extattr settings

2. Tests

2a. Running sudo -l

Works ok but the ICH408I messages complaining about missing READ access to BPX.DAEMON
appears twice.

2b. Running: sudo su -

The command works but the same as above. Two ICH408I mesesages in the syslog.

2c. Running: sudo -u JOHNDOE uname -a

The command works and important. Here I don't see any ICH408I message in the syslog.

--
Manfred

------------------------------
Manfred Lotz
IBM
------------------------------

A

Anonymous
0 replies
Forum|Forum|4 years ago
June 29, 2021

Hi there,
Here my feedback regarding installation and testing of sudo_nokrb

1. Installation

Installed via: conda install --channel zoss-appdev sudo_nokrb

I had to manually adjust the sudo binary as it lacked the proper permissions and the correct
extattr settings

2. Tests

2a. Running sudo -l

Works ok but the ICH408I messages complaining about missing READ access to BPX.DAEMON
appears twice.

2b. Running: sudo su -

The command works but the same as above. Two ICH408I mesesages in the syslog.

2c. Running: sudo -u JOHNDOE uname -a

The command works and important. Here I don't see any ICH408I message in the syslog.

--
Manfred

------------------------------
Manfred Lotz
IBM
------------------------------

Additonal remark: Above tests were don on a z/OS 2.3 system.

I reran the tests on a z/OS 2.4 system and now the ICH408I message appeared only once in those cases where it appeared twice on z/OS 2.3

------------------------------
Manfred Lotz
IBM
------------------------------

+1

Vladimir Ein
Rocketeer
110 replies
Forum|Forum|4 years ago
July 2, 2021

Additonal remark: Above tests were don on a z/OS 2.3 system.

I reran the tests on a z/OS 2.4 system and now the ICH408I message appeared only once in those cases where it appeared twice on z/OS 2.3

------------------------------
Manfred Lotz
IBM
------------------------------

Thanks for your feedback Manfred!

We've added that ICH408I message issue to our backlog and should eventually fix it, even though it seems to be pretty harmless.

Regarding the lack of permissions and extended attributes on the sudo binary, that's the way it's supposed to work - first you install sudo and make sure everything is good and safe, and only then you (or even a different person) define it to program control.

Regards,
Vladimir

------------------------------
Vladimir Ein
Rocket Software
------------------------------

Sign up

Please log in or register:

Welcome to the Rocket Forum!

Please log in or register:

Scanning file for viruses.

This file cannot be downloaded