Unix Services W_GETIPC access




Post by Antonyraj85 » Mon Jul 12, 2010 4:59 pm

Hi Friends,

We got the following error message in RACF

ICH408I USER(PRCOMS ) GROUP(PRCOMGRP) NAME(PARK RIDGE COMS )
01000F02 CL(IPCOBJ ) ID(0000000004)
INSUFFICIENT AUTHORITY TO W_GETIPC
ACCESS INTENT(R--) ACCESS ALLOWED(OTHER ---)
EFFECTIVE UID(0000000950) EFFECTIVE GID(0000002100)

We know W_GETIPC is a Unix service. How can we provide access for the service in the class IPCOBJ? Could anyone please reply back to me?

Thanks in Advance


Antony.

Re: Unix Services W_GETIPC access

Post by dick scherrer » Mon Jul 12, 2010 11:27 pm

Hello,

You need to work with your security people to get the proper permission(s).
Hope this helps,
d.sch.

Re: Unix Services W_GETIPC access

Post by Robert Sample » Tue Jul 13, 2010 12:46 am

The message format implies there's a directory permissions error but I'm not sure how to track down which one is having the problem. You may need to contact IBM for assistance.

Re: Unix Services W_GETIPC access

Post by Antonyraj85 » Fri Jul 16, 2010 6:55 pm

Hi Robert,

Directory permissions are covered under the following classes: DIRACC and DIRSRCH. But this one is a service. Can anyone please reply back to me?

Regards,
Antony

Re: Unix Services W_GETIPC access

Post by Robert Sample » Sat Jul 17, 2010 12:32 am

I'm not a RACF expert by any means, but I suspect someone at your site issued the RACF command
SETROPTS MLIPCOBJ(ACTIVE)
However, I don't know how to get the required security label on your command. There's just not a lot in the manuals about RACF and IPC -- probably deliberately so.

Re: Unix Services W_GETIPC access

Post by Antonyraj85 » Fri Jul 23, 2010 2:50 am

Hi,

Finally we got the solution for Unix Service Access - W_GETIPC

For the message
ICH408I USER(PRCOMS ) GROUP(PRCOMGRP) NAME(PARK RIDGE COMS )
01000F02 CL(IPCOBJ ) ID(0000000004)
INSUFFICIENT AUTHORITY TO W_GETIPC
ACCESS INTENT(R--) ACCESS ALLOWED(OTHER ---)
EFFECTIVE UID(0000000950) EFFECTIVE GID(0000002100)

No profiles are allowed in a number of Unix related classes, such as
The following classes are defined only for auditing z/OS UNIX security
events and are not used for authorization checking:

o DIRACC
o DIRSRCH
o FSOBJ
o FSSEC
o IPCOBJ
o PROCACT
o PROCESS

No profiles can be defined in these classes. They are used to define the
auditing options for z/OS UNIX security events. The classes do not need
to be active to control auditing.

To prevent these messages (and related SMF records),
you can use SETR LOGOPTIONS NONE for IPCOBJ.
As you are dealing with IPCOBJ (in the above message), this is
about the only way, and here is the command.
SETR LOGOPTIONS(NEVER(IPCOBJ))

There is also a design change request, with development,
MR0923055952, that indicates:
'Currently, during IPC processing, numerous RACF violation messages
against the class IPCOBJ can get written to the system log. These
appear to be extraneous, since the user appears to get to the resources
they need. The only current way to avoid these messages is to turn off
logging completely for this class. This is unacceptable to auditors who
expect violation messages to record attempts at resources one is not
authorized to and since there appears to be no way to grant access to
the resources that are being indicated as being violated, this is also
extremely confusing.'
So some action may be taken, in the future, to change this. If you wish
I'd be happy to add you as an interested party to this DCR.
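
One way to triage these messages during log review, as an added example that is not part of the original thread: it parses ICH408I messages and separates those raised in the audit-only classes listed above, where no profile can be defined, from the rest. The function names are hypothetical, and the second message in the sample is constructed for contrast.

```python
import re

# Classes the thread lists as audit-only for z/OS UNIX (no profiles can be defined).
AUDIT_ONLY = {"DIRACC", "DIRSRCH", "FSOBJ", "FSSEC", "IPCOBJ", "PROCACT", "PROCESS"}

# Sample log: the first message is the one quoted in the thread; the second
# (class DATASET, user and data set names) is constructed for this example.
SAMPLE = """\
ICH408I USER(PRCOMS ) GROUP(PRCOMGRP) NAME(PARK RIDGE COMS )
01000F02 CL(IPCOBJ ) ID(0000000004)
INSUFFICIENT AUTHORITY TO W_GETIPC
ACCESS INTENT(R--) ACCESS ALLOWED(OTHER ---)
EFFECTIVE UID(0000000950) EFFECTIVE GID(0000002100)
ICH408I USER(TESTUSR ) GROUP(TESTGRP ) NAME(CONSTRUCTED USER )
EXAMPLE.PAYROLL.DATA CL(DATASET ) VOL(EXMPL1)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
"""

# KEYWORD(value) pairs of interest; \b keeps ID from matching inside UID/GID.
FIELD = re.compile(r"\b(USER|GROUP|CL|ID|ACCESS INTENT|ACCESS ALLOWED|"
                   r"EFFECTIVE UID|EFFECTIVE GID)\(([^)]*)\)")
SERVICE = re.compile(r"INSUFFICIENT AUTHORITY TO (\S+)")

def parse_ich408i(log):
    """Return one dict of fields per ICH408I message found in the log text."""
    events = []
    for line in log.splitlines():
        if line.lstrip().startswith("ICH408I"):
            events.append({"service": None})  # a new message starts here
        if not events:
            continue                          # text before the first message
        for key, value in FIELD.findall(line):
            events[-1][key] = value.strip()
        match = SERVICE.search(line)
        if match:
            events[-1]["service"] = match.group(1)  # e.g. W_GETIPC
    return events

def triage(events):
    """Split events into (audit-only UNIX classes, all other classes)."""
    audit_only = [e for e in events if e.get("CL") in AUDIT_ONLY]
    others = [e for e in events if e.get("CL") not in AUDIT_ONLY]
    return audit_only, others

if __name__ == "__main__":
    unix_events, other_events = triage(parse_ich408i(SAMPLE))
    for e in unix_events:
        print(f"{e['CL']}: {e['USER']} uid={e.get('EFFECTIVE UID')} "
              f"service={e['service']} allowed={e['ACCESS ALLOWED']} (no profile possible)")
    for e in other_events:
        print(f"{e['CL']}: {e['USER']} intent={e['ACCESS INTENT']} (review RACF profile)")
```
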

Re: Unix Services W_GETIPC access

Post by Robert Sample » Fri Jul 23, 2010 3:16 am

Thanks for the reply! At least I know I wasn't having a hard time because I was slipping -- there really is not a whole lot in the manuals about it!

