Just started running sudo with a sudoers file that allows me to run ps -ef to see all USS processes running.
sudo -l
(BPXROOT) NOPASSWD: /bin/ps
After issuing sudo ps -ef, I see the expected output but noticed two of these RACF error messages in the system log.
I wouldn't expect to need READ access to the resource. What am I missing in configuration?
ICH408I USER(xxxxxxxx ) GROUP(xxxxxxxx ) NAME(xxxxxxxx )
BPX.DAEMON CL(FACILITY)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
thanks
------------------------------
Gary Grossi
IT Director, Z Systems
Alight Solutions
------------------------------
+1- Rocketeer
- 110 replies
Just started running sudo with a sudoers file that allows me to run ps -ef to see all USS processes running.
sudo -l
(BPXROOT) NOPASSWD: /bin/ps
After issuing sudo ps -ef, I see the expected output but noticed two of these RACF error messages in the system log.
I wouldn't expect to need READ access to the resource. What am I missing in configuration?
ICH408I USER(xxxxxxxx ) GROUP(xxxxxxxx ) NAME(xxxxxxxx )
BPX.DAEMON CL(FACILITY)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
thanks
------------------------------
Gary Grossi
IT Director, Z Systems
Alight Solutions
------------------------------
sudo -l
(BPXROOT) NOPASSWD: /bin/ps
After issuing sudo ps -ef, I see the expected output but noticed two of these RACF error messages in the system log.
I wouldn't expect to need READ access to the resource. What am I missing in configuration?
ICH408I USER(xxxxxxxx ) GROUP(xxxxxxxx ) NAME(xxxxxxxx )
BPX.DAEMON CL(FACILITY)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
thanks
------------------------------
Gary Grossi
IT Director, Z Systems
Alight Solutions
------------------------------
Thanks for reporting the issue. You're probably not missing anything. At this point I can't tell for sure what's causing the message to appear; we've successfully recreated it in-house and this will require some research. Please note that we have to prioritize our work for customers that are paying for support, so the research might take some time.
Thanks again,
Vladimir
------------------------------
Vladimir Ein
Rocket Software
------------------------------
Hello Gary,
Thanks for reporting the issue. You're probably not missing anything. At this point I can't tell for sure what's causing the message to appear; we've successfully recreated it in-house and this will require some research. Please note that we have to prioritize our work for customers that are paying for support, so the research might take some time.
Thanks again,
Vladimir
------------------------------
Vladimir Ein
Rocket Software
------------------------------
Thanks for reporting the issue. You're probably not missing anything. At this point I can't tell for sure what's causing the message to appear; we've successfully recreated it in-house and this will require some research. Please note that we have to prioritize our work for customers that are paying for support, so the research might take some time.
Thanks again,
Vladimir
------------------------------
Vladimir Ein
Rocket Software
------------------------------
Thanks for taking the time to respond. It's good news that you have reproduced the issue.
Hopefully you can find the root cause.
Let me know if you need more information.
Thanks, Gary
------------------------------
Gary Grossi
IT Director, Z Systems
Alight Solutions
------------------------------
Hello Vladimir,
Thanks for taking the time to respond. It's good news that you have reproduced the issue.
Hopefully you can find the root cause.
Let me know if you need more information.
Thanks, Gary
------------------------------
Gary Grossi
IT Director, Z Systems
Alight Solutions
------------------------------
Thanks for taking the time to respond. It's good news that you have reproduced the issue.
Hopefully you can find the root cause.
Let me know if you need more information.
Thanks, Gary
------------------------------
Gary Grossi
IT Director, Z Systems
Alight Solutions
------------------------------
I noticed a sudo.conf in the examples directory as well and did a diff (results below).
Should the sudo.conf be used/copied to /etc and if so, which one?
thanks
diff sudo.conf examples/sudo.conf
< Plugin sudoers_policy /etc/sudoers
< Plugin sudoers_io /etc/sudoers
---
> Plugin sudoers_policy sudoers.so
> Plugin sudoers_io sudoers.so
------------------------------
Gary Grossi
IT Director, Z Systems
Alight Solutions
------------------------------
+1- Rocketeer
- 141 replies
I copied the sudo.conf file from the doc directory to /etc and still see the ICH408I security message in the log.
I noticed a sudo.conf in the examples directory as well and did a diff (results below).
Should the sudo.conf be used/copied to /etc and if so, which one?
thanks
diff sudo.conf examples/sudo.conf
< Plugin sudoers_policy /etc/sudoers
< Plugin sudoers_io /etc/sudoers
---
> Plugin sudoers_policy sudoers.so
> Plugin sudoers_io sudoers.so
------------------------------
Gary Grossi
IT Director, Z Systems
Alight Solutions
------------------------------
I noticed a sudo.conf in the examples directory as well and did a diff (results below).
Should the sudo.conf be used/copied to /etc and if so, which one?
thanks
diff sudo.conf examples/sudo.conf
< Plugin sudoers_policy /etc/sudoers
< Plugin sudoers_io /etc/sudoers
---
> Plugin sudoers_policy sudoers.so
> Plugin sudoers_io sudoers.so
------------------------------
Gary Grossi
IT Director, Z Systems
Alight Solutions
------------------------------
sudo.conf should be copied to /etc and I believe this one is the right choice:
Plugin sudoers_policy /etc/sudoers
Plugin sudoers_io /etc/sudoers
Thanks,
Alexander
------------------------------
Alexander Klochkov
Rocket Software
------------------------------
Hi Gary Grossi,
sudo.conf should be copied to /etc and I believe this one is the right choice:
Thanks,
Alexander
------------------------------
Alexander Klochkov
Rocket Software
------------------------------
sudo.conf should be copied to /etc and I believe this one is the right choice:
Plugin sudoers_policy /etc/sudoers
Plugin sudoers_io /etc/sudoers
Thanks,
Alexander
------------------------------
Alexander Klochkov
Rocket Software
------------------------------
Just started user testing with one of the sudo rules.
The user issued:
sudo -l
(ZZJAVA) NOPASSWD: /global/app1/PRD/scripts/java-oper.sh *
sudo -u ZZJAVA /global/app1/PRD/scripts/java-oper.sh
sudo: unable to change to runas uid (89, 89): EDC5139I Operation not permitted.
sudo: unable to execute /global/app1/PRD/scripts/java-oper.sh: EDC5139I Operation not permitted.
What is needed to make this work?
thanks
------------------------------
Gary Grossi
IT Director, Z Systems
Alight Solutions
------------------------------
+1- Rocketeer
- 73 replies
Hello,
Just started user testing with one of the sudo rules.
The user issued:
sudo -l
(ZZJAVA) NOPASSWD: /global/app1/PRD/scripts/java-oper.sh *
sudo -u ZZJAVA /global/app1/PRD/scripts/java-oper.sh
sudo: unable to change to runas uid (89, 89): EDC5139I Operation not permitted.
sudo: unable to execute /global/app1/PRD/scripts/java-oper.sh: EDC5139I Operation not permitted.
What is needed to make this work?
thanks
------------------------------
Gary Grossi
IT Director, Z Systems
Alight Solutions
------------------------------
Just started user testing with one of the sudo rules.
The user issued:
sudo -l
(ZZJAVA) NOPASSWD: /global/app1/PRD/scripts/java-oper.sh *
sudo -u ZZJAVA /global/app1/PRD/scripts/java-oper.sh
sudo: unable to change to runas uid (89, 89): EDC5139I Operation not permitted.
sudo: unable to execute /global/app1/PRD/scripts/java-oper.sh: EDC5139I Operation not permitted.
What is needed to make this work?
thanks
------------------------------
Gary Grossi
IT Director, Z Systems
Alight Solutions
------------------------------
Hi Gary,
It's a bug in the build of sudo. The build with the fix is available for customers on support contract since February. Per our policy, fixes are moved from the secure to the public conda channel after a six month delay.
Thanks,
------------------------------
Sergey Rezepin
Rocket Software
------------------------------
Just started running sudo with a sudoers file that allows me to run ps -ef to see all USS processes running.
sudo -l
(BPXROOT) NOPASSWD: /bin/ps
After issuing sudo ps -ef, I see the expected output but noticed two of these RACF error messages in the system log.
I wouldn't expect to need READ access to the resource. What am I missing in configuration?
ICH408I USER(xxxxxxxx ) GROUP(xxxxxxxx ) NAME(xxxxxxxx )
BPX.DAEMON CL(FACILITY)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
thanks
------------------------------
Gary Grossi
IT Director, Z Systems
Alight Solutions
------------------------------
sudo -l
(BPXROOT) NOPASSWD: /bin/ps
After issuing sudo ps -ef, I see the expected output but noticed two of these RACF error messages in the system log.
I wouldn't expect to need READ access to the resource. What am I missing in configuration?
ICH408I USER(xxxxxxxx ) GROUP(xxxxxxxx ) NAME(xxxxxxxx )
BPX.DAEMON CL(FACILITY)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
thanks
------------------------------
Gary Grossi
IT Director, Z Systems
Alight Solutions
------------------------------
If I understand you correctly then
- sudo works ok
- but you do get the annoying ICH408 message
This means if you just ignore the ICH408I then all is fine.
Right?
--
Manfred
------------------------------
Manfred Lotz
IBM
------------------------------
Sign up
Already have an account? Login
Welcome to the Rocket Forum!
Please log in or register:
Employee Login | Registration Member Login | RegistrationEnter your E-mail address. We'll send you an e-mail with instructions to reset your password.
77 4th Avenue
Waltham, MA 02451 USA
