How to find the root user in the specific USS?




Postby st8676746 » Tue Nov 01, 2011 8:15 am

I am just a beginner learning the IBM Mainframe.
And when I was searching for some information in the z/OS Information Center,
I found that it says
"z/OS is different from Unix. There does not exist a single root password or root user. User IDs are external to z/OS UNIX System Services."

Therefore, I am very confused about how I can find the user who has full authority in the specific USS.
For example, if I want to find the user that has full authority in HFS, how could I do that?
I tried typing "/Display OMVS, O" in SDSF, but just found a superuser called BTXROOT. I don't think it is right.

Could you please help me?
Thank you very much!
st8676746
 


Re: How to find the root user in the specific USS?

Postby BillyBoyo » Tue Nov 01, 2011 1:18 pm

Why don't you "ask around"? Someone knows the person or persons who have these tasks. You can then chat to those people. They can explain to you (or assign someone to do so) how it works. Don't expect them to give you user-ids or passwords that they have - they're not stupid :-)
BillyBoyo
Global moderator
 

Re: How to find the root user in the specific USS?

Postby st8676746 » Tue Nov 01, 2011 2:53 pm

BillyBoyo wrote: Why don't you "ask around"? Someone knows the person or persons who have these tasks. You can then chat to those people. They can explain to you (or assign someone to do so) how it works. Don't expect them to give you user-ids or passwords that they have - they're not stupid :-)



Thanks for your reply.

You may have just misunderstood me. I don't want to get anyone's password.

Like in Linux or Windows, we can easily view all the users on our PC, and we can also know whether they are administrators or not.
That's what I want to see.
For the program that I am working on, I need to view the root users in a specific USS (as I mentioned above, the HFS), in order to design a suitable program (in my program, those users will be called VIPs).

As I understand it, in SDSF we can use /DISPLAY OMVS, to view all the jobs and users in HFS. But does there exist a way to find out the root user among those users?
PS. Because my program needs to work for different USS in our school, just asking the persons around me for a user-id makes no sense (I need to work for any user-id if they are root users).
st8676746
 

Re: How to find the root user in the specific USS?

Postby Robert Sample » Tue Nov 01, 2011 4:31 pm

What you are wanting to do cannot easily be accomplished on a z/OS system. SUPERUSER is defined by the BPXPRMxx member during the IPL, and may have little relationship to the defined root user(s). Broadly speaking, any user id with a UID in Unix System Services (USS) of zero is a root user. However, since USS security functions on a z/OS system are handled by the system security package (RACF, ACF/2, TOP SECRET) it is not an easy task to identify which user ids have this authority.
Robert Sample
Global moderator
 

Re: How to find the root user in the specific USS?

Postby jaggz » Tue Nov 01, 2011 8:30 pm

You can issue: SEARCH CLASS(USER) UID(0) from ISPF Option 6 to see the number of ROOT users specific to USS.
jaggz
 

Re: How to find the root user in the specific USS?

Postby st8676746 » Thu Nov 03, 2011 10:48 am

Thanks for Robert's and jaggz's replies!

Due to our RACF's options, application identity mapping is disabled.
So I cannot use the command that jaggz recommended. Thanks all the same.

I am still very confused.
If we enter "/d OMVS, A=ALL" in SDSF, we can see lots of user names.
But, in SDSF, doesn't there exist a way to see the UIDs of these users?

Thank you.
st8676746
 

Re: How to find the root user in the specific USS?

Postby Robert Sample » Thu Nov 03, 2011 6:50 pm

st8676746 wrote: But, in the sdsf, doesn't there exist a way to see the UIDs of these users ?

No. I searched the z/OS System Commands manual (SA22-7628) for version 1.12 and there's no command listed that will provide ANY uid on the console. You might be able to get this data by talking to your site security group; if they cannot help you get it, then you cannot retrieve it, period. Most likely, their assistance will depend upon site security policies and the business reason you have for needing this data.

And be aware that, unlike the operating systems your post refers to, z/OS (MVS) has been around for well over 40 years and security is well-developed on the operating system. Things that you may be able to do on the other operating systems may well turn out not to be possible on z/OS. The /etc/passwd mechanism for Unix authorization, for example, has never been supported on z/OS -- RACF (or the alternate security packages) handles Unix System Services security instead.
Robert Sample
Global moderator
 

Re: How to find the root user in the specific USS?

Postby steve-myers » Fri Nov 04, 2011 5:46 am

There is the FACILITY/BPX.SUPERUSER RACF profile. Any user with the RACF SPECIAL user attribute can use the RLIST command to list the users with this profile. However, very few users have the SPECIAL attribute, and you are not likely to have this attribute.
steve-myers
Global moderator
 

Re: How to find the root user in the specific USS?

Postby st8676746 » Tue Nov 08, 2011 10:22 pm

Robert Sample wrote: SUPERUSER is defined by the BPXPRMxx member during the IPL, and may have little relationship to the defined root user(s).


Sorry for disturbing you again.

Could you tell me the difference between the superuser (for example, BPXROOT) and the defined root user(s)?
I am rather confused.

Thanks very much.
st8676746
 

Re: How to find the root user in the specific USS?

Postby Robert Sample » Tue Nov 08, 2011 10:57 pm

It's no bother -- at least you're thinking about things before asking your questions!

From the MVS Initialization and Tuning Reference manual:
SUPERUSER(user_name)
Superuser name, which must conform to the restrictions for the z/OS user ID. The user name must also be defined to RACF (or another security product) and must have a z/OS UNIX user ID (UID) of 0. For example, in RACF, specify OMVS(UID(0)) on the ADDUSER command.

When a daemon issues a setuid() to set a UID to 0 and the user ID is not known, setuid() uses the user ID from the SUPERUSER statement.

Never permit the userid BPXROOT to the BPX.DAEMON profile (described in "Setting Up the BPX.* FACILITY Class Profiles" in z/OS UNIX System Services Planning). This warning applies even if you use a name other than BPXROOT.

Value Range: user_name is a 1 to 8 character value.

Default: BPXROOT

Use the SETOMVS or SET OMVS command to dynamically change the value of SUPERUSER. To make a permanent change, edit the BPXPRMxx member that is used for IPLs.

Realistically, there's not really much difference between the SUPERUSER parameter and a root user that has uid of zero. The parameter is used for daemons while root users are not.
Robert Sample
Global moderator
 

