Defining a user ID for the PAS


To access UNIX System Services data, the BMC AMI Ops Monitor for UNIX System Services product address space (PAS) must have superuser authority.

Make sure that the PAS has a user ID defined to the security system (such as IBM RACF) and that the security system assigns that user ID to the PAS started task (STC). For RACF, update either the RACF started procedure table (ICHRIN03) or the STARTED class definition.

IBM recommends not running with UID=0. We recommend that the user ID have an OMVS segment with a home directory of /. A user ID whose OMVS segment has a non-zero UID must have READ access to one of the following sets of resources:

  • Facility class resource BPX.SUPERUSER and UNIXPRIV class resource
    SUPERUSER.PROCESS.GETPSENT
  • UNIXPRIV class resources:
    SUPERUSER.PROCESS.GETPSENT
    SUPERUSER.FILESYS.VREGISTER

If the PAS user ID has BPX.SUPERUSER authority, it switches to UID=0 during startup.

If the PAS user ID has only the UNIXPRIV authorities, it switches to the default superuser ID (BPXROOT unless otherwise defined) when it requires superuser authority.

For more information, see Administering.

The following example shows how an OMVS segment might be defined for user USER1. Note that this example assigns UID(0); to follow the recommendation above instead, assign a non-zero UID and grant READ access to the resources listed above:

ADDUSER USER1
DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/')
PROGRAM('/bin/sh')) NOPASSWORD

The NOPASSWORD option indicates that the user ID is a protected ID that cannot be used to enter the system by using a password or password phrase. The user ID is not revoked following invalid logon attempts.

Important

If the BPX.DAEMON FACILITY class profile is defined, the user ID needs READ access to security resource BPX.DAEMON, as follows:

PERMIT BPX.DAEMON CLASS(FACILITY) ID(USER1) ACCESS(READ)

The PAS requires daemon authority to switch user IDs when running UNIX actions.
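The following batch job is added here as a worked example; it is not from the product documentation or the product's own sample library. It collects the definitions described above into one RACF command sequence for a PAS that runs with a non-zero UID, the recommended configuration. The user ID BBMPAS, the group OMVSGRP, the UID/GID value 1100, and the started task name BBMPAS are assumed values; replace them with your site's. The job grants BPX.SUPERUSER plus SUPERUSER.PROCESS.GETPSENT (the first option above); for the second option, replace the BPX.SUPERUSER PERMIT with a PERMIT to SUPERUSER.FILESYS.VREGISTER in the UNIXPRIV class. The BPX.DAEMON PERMIT applies only if that FACILITY profile is defined at your site.

```jcl
//DEFPAS   JOB (ACCT),'DEFINE PAS USERID',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*--------------------------------------------------------------------
//* Example only (not from the product documentation). Assumed values:
//*   BBMPAS   - PAS user ID and started task (PROC) name
//*   OMVSGRP  - default group for the PAS user ID, GID 1100
//*   1100     - non-zero UID for the PAS user ID
//* Step 1: group and protected user ID (NOPASSWORD) with an OMVS
//*         segment whose home directory is /
//* Step 2: superuser authority without UID=0: BPX.SUPERUSER (FACILITY)
//*         plus SUPERUSER.PROCESS.GETPSENT (UNIXPRIV). The RDEFINE
//*         commands are for first-time definition; remove them if
//*         the profiles already exist at your site.
//* Step 3: BPX.DAEMON, needed only if that FACILITY profile is defined
//* Step 4: assign the user ID to the STC through the STARTED class
//* Step 5: activate the classes and refresh the in-storage profiles
//*         so the changes take effect (a RACLIST REFRESH for a class
//*         that is not RACLISTed at your site only produces a warning)
//* Step 6: list the definitions so the result can be verified
//*--------------------------------------------------------------------
//TSOBATCH EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP OMVSGRP OMVS(GID(1100))
  ADDUSER BBMPAS DFLTGRP(OMVSGRP) NOPASSWORD +
    NAME('BMC AMI OPS USS PAS') +
    OMVS(UID(1100) HOME('/') PROGRAM('/bin/sh'))
  RDEFINE FACILITY BPX.SUPERUSER UACC(NONE)
  PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(BBMPAS) ACCESS(READ)
  RDEFINE UNIXPRIV SUPERUSER.PROCESS.GETPSENT UACC(NONE)
  PERMIT SUPERUSER.PROCESS.GETPSENT CLASS(UNIXPRIV) +
    ID(BBMPAS) ACCESS(READ)
  PERMIT BPX.DAEMON CLASS(FACILITY) ID(BBMPAS) ACCESS(READ)
  RDEFINE STARTED BBMPAS.* +
    STDATA(USER(BBMPAS) GROUP(OMVSGRP) TRUSTED(NO) PRIVILEGED(NO))
  SETROPTS CLASSACT(UNIXPRIV STARTED) RACLIST(UNIXPRIV STARTED) +
    GENERIC(STARTED)
  SETROPTS RACLIST(FACILITY UNIXPRIV STARTED) REFRESH
  LISTUSER BBMPAS OMVS NORACF
  RLIST FACILITY BPX.SUPERUSER AUTHUSER
  RLIST UNIXPRIV SUPERUSER.PROCESS.GETPSENT AUTHUSER
  RLIST STARTED BBMPAS.* STDATA
/*
```

After the job runs, the LISTUSER output should show the OMVS segment with UID 1100 and HOME /, and each RLIST should show BBMPAS with READ access; if the UNIXPRIV class was not already active, the PAS does not obtain superuser authority until the SETROPTS commands have completed.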

If one of your load libraries is not program controlled, you may get a JREnvDirty error message. Check the PAS joblog for ICH420I messages like the following:

ICH420I PROGRAM BBM9DACT FROM LIBRARY SYS1.BBI.BBLINK CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.

You can add the PROGRAM CONTROL status to the library containing BBM9DACT by using the following RACF commands:

RALTER PROGRAM * ADDMEM('SYS1.BBI.BBLINK'//NOPADCHK)
SETROPTS WHEN(PROGRAM) REFRESH

Alternatively, you can bypass program control checking for modules loaded from non-USS data sets (regular load libraries). When the PAS user ID has READ access to BPX.DAEMON.HFSCTL, only programs loaded from the z/OS UNIX file system are checked for program control; modules from MVS load libraries are not.

Although this approach reduces security for those modules, access to the profile that allows it is itself controlled. It can be implemented as follows:

RDEFINE FACILITY BPX.DAEMON.HFSCTL UACC(NONE) OWNER(IBMUSER)
PERMIT BPX.DAEMON.HFSCTL CLASS(FACILITY) ID(pas_userid) ACCESS(READ)

Tip

For the purposes of keeping the environment clean, you do not need to define programs in the system link pack area (LPA, PLPA, FLPA, MLPA, dynamic LPA) because RACF always considers those programs controlled.
