
Unix Services W_GETIPC access

Posted: Mon Jul 12, 2010 4:59 pm
by Antonyraj85
Hi Friends,

We got the following error message in RACF:

ICH408I USER(PRCOMS ) GROUP(PRCOMGRP) NAME(PARK RIDGE COMS )
01000F02 CL(IPCOBJ ) ID(0000000004)
INSUFFICIENT AUTHORITY TO W_GETIPC
ACCESS INTENT(R--) ACCESS ALLOWED(OTHER ---)
EFFECTIVE UID(0000000950) EFFECTIVE GID(0000002100)

We know W_GETIPC is a Unix service. How can we provide access for the service in the class IPCOBJ? Could anyone please reply?

Thanks in Advance


Antony.

Re: Unix Services W_GETIPC access

Posted: Mon Jul 12, 2010 11:27 pm
by dick scherrer
Hello,

You need to work with your security people to get the proper permission(s).

Re: Unix Services W_GETIPC access

Posted: Tue Jul 13, 2010 12:46 am
by Robert Sample
The message format implies there's a directory permissions error but I'm not sure how to track down which one is having the problem. You may need to contact IBM for assistance.

Re: Unix Services W_GETIPC access

Posted: Fri Jul 16, 2010 6:55 pm
by Antonyraj85
Hi Robert,

Directory permissions are covered under the classes DIRACC and DIRSRCH. But this one is a service. Could anyone please reply?

Regards,
Antony

Re: Unix Services W_GETIPC access

Posted: Sat Jul 17, 2010 12:32 am
by Robert Sample
I'm not a RACF expert by any means, but I suspect someone at your site issued the RACF command
SETROPTS MLIPCOBJ(ACTIVE)
However, I don't know how to get the required security label on your command. There's just not a lot in the manuals about RACF and IPC -- probably deliberately so.

Re: Unix Services W_GETIPC access

Posted: Fri Jul 23, 2010 2:50 am
by Antonyraj85
Hi,

Finally we got the solution for Unix Service Access - W_GETIPC

For the message
ICH408I USER(PRCOMS ) GROUP(PRCOMGRP) NAME(PARK RIDGE COMS )
01000F02 CL(IPCOBJ ) ID(0000000004)
INSUFFICIENT AUTHORITY TO W_GETIPC
ACCESS INTENT(R--) ACCESS ALLOWED(OTHER ---)
EFFECTIVE UID(0000000950) EFFECTIVE GID(0000002100)

No profiles are allowed in a number of Unix related classes, such as
The following classes are defined only for auditing z/OS UNIX security
events and are not used for authorization checking:
~
o DIRACC
o DIRSRCH
o FSOBJ
o FSSEC
o IPCOBJ
o PROCACT
o PROCESS
~
No profiles can be defined in these classes. They are used to define the
auditing options for z/OS UNIX security events. The classes do not need
to be active to control auditing.
~
To prevent these messages (and related SMF records),
you can use SETR LOGOPTIONS NONE for IPCOBJ.
As you are dealing with IPCOBJ (in the above message), this is
about the only way, and here is the command.
SETR LOGOPTIONS(NEVER(IPCOBJ))
~
There is also a design change request, with development,
MR0923055952, that indicates:
'Currently, during IPC processing, numerous RACF violation messages
against the class IPCOBJ can get written to the system log. These
appear to be extraneous, since the user appears to get to the resources
they need. The only current way to avoid these messages is to turn off
logging completely for this class. This is unacceptable to auditors who
expect violation messages to record attempts at resources one is not
authorized to and since there appears to be no way to grant access to
the resources that are being indicated as being violated, this is also
extremely confusing.'
So some action may be taken, in the future, to change this. If you wish
I'd be happy to add you as an interested party to this DCR.
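
Before turning off logging for a class as the post above describes, it helps to see which ICH408I messages fall in the audit-only classes it lists and which do not. The Python below is an added example, not part of the original thread or of the quoted support reply; the second sample message, the blank-line message boundary and all function names are assumptions.

```python
import re
from collections import Counter

# Classes the post lists as audit-only (no profiles can be defined in them).
AUDIT_ONLY = {"DIRACC", "DIRSRCH", "FSOBJ", "FSSEC", "IPCOBJ", "PROCACT", "PROCESS"}

FIELDS = {
    "user": r"USER\(([^)]*)\)",
    "class": r"CL\(([^)]*)\)",
    "service": r"INSUFFICIENT AUTHORITY TO (\S+)",  # absent in non-UNIX classes
    "intent": r"ACCESS INTENT\(([^)]*)\)",
    "allowed": r"ACCESS ALLOWED\(([^)]*)\)",
}

# First message is the one quoted in the thread; the second is constructed.
SAMPLE = """\
ICH408I USER(PRCOMS ) GROUP(PRCOMGRP) NAME(PARK RIDGE COMS )
01000F02 CL(IPCOBJ ) ID(0000000004)
INSUFFICIENT AUTHORITY TO W_GETIPC
ACCESS INTENT(R--) ACCESS ALLOWED(OTHER ---)
EFFECTIVE UID(0000000950) EFFECTIVE GID(0000002100)

ICH408I USER(TESTUSR ) GROUP(TESTGRP ) NAME(CONSTRUCTED USER )
TEST.DATA.SET CL(DATASET ) VOL(VOL001)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(READ )
"""

def split_messages(log_text):
    """One string per ICH408I message; a message is assumed to end at a blank line."""
    chunks = re.split(r"(?=ICH408I)", log_text)
    return [" ".join(re.split(r"\n\s*\n", c)[0].split())
            for c in chunks if c.startswith("ICH408I")]

def parse(message):
    """Extract the fields above; a field missing from the message becomes None."""
    rec = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, message)
        rec[name] = m.group(1).strip() if m else None
    rec["audit_only"] = rec["class"] in AUDIT_ONLY
    return rec

def summarize(log_text):
    """Count messages per (class, service, user, audit_only flag)."""
    recs = [parse(m) for m in split_messages(log_text)]
    return Counter((r["class"], r["service"], r["user"], r["audit_only"]) for r in recs)

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, key)
```

Entries whose flag is False belong to classes outside the list in the post and are unaffected by a logging change made for IPCOBJ.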

Re: Unix Services W_GETIPC access

Posted: Fri Jul 23, 2010 3:16 am
by Robert Sample
Thanks for the reply! At least I know I wasn't having a hard time because I was slipping -- there really is not a whole lot in the manuals about it!