How to find the root user in the specific USS?

Posted: Tue Nov 01, 2011 8:15 am
by st8676746
I am just a beginner learning the IBM Mainframe.
And when I am searching for some information in the z/OS information center,
I find it says that
"z/os is different from Unix. There does not exist a single root password or root user. User IDs are external to z/OS UNIX System Services."

Therefore, I am very confused about how I can find the user who has full authority in the specific USS.
For example, if I want to find the user that has full authority in HFS, how could I do that?
I tried to type "/Display OMVS, O" in sdsf, but just found a superuser called BTXROOT. I don't think it is right.

Could you please help me ?
Thank you very much!

Re: How to find the root user in the specific USS?

Posted: Tue Nov 01, 2011 1:18 pm
by BillyBoyo
Why don't you "ask around". Someone knows the person or persons who has these tasks. You can then chat to those people. They can explain to you (or assign someone to do so) how it works. Don't expect them to give you user-ids or passwords that they have - they're not stupid :-)

Re: How to find the root user in the specific USS?

Posted: Tue Nov 01, 2011 2:53 pm
by st8676746
BillyBoyo wrote: Why don't you "ask around". Someone knows the person or persons who has these tasks. You can then chat to those people. They can explain to you (or assign someone to do so) how it works. Don't expect them to give you user-ids or passwords that they have - they're not stupid :-)

Thanks for your reply.

You may just misunderstand me. I don't want to get anyone's password.

Like in Linux or Windows, we can easily view all the users in our PC, and we can also know whether they are administrator or not.
That's what I want to see.
For the program that I am working for, I need to view the root users in a specific USS (as I mentioned above, the HFS), in order to design a suitable program (in my program, those users will be called VIPs).

As I think, in the sdsf we can use /DISPLAY OMVS, to view all the jobs and users in HFS. But, does there exist a way to find out the root user among those users?
PS. Because my program needs to work for different USS in our school, just asking the persons around me for user-ids makes no sense (I need to work for any user-id if they are root users).

Re: How to find the root user in the specific USS?

Posted: Tue Nov 01, 2011 4:31 pm
by Robert Sample
What you are wanting to do cannot easily be accomplished on a z/OS system. SUPERUSER is defined by the BPXPRMxx member during the IPL, and may have little relationship to the defined root user(s). Broadly speaking, any user id with a UID in Unix System Services (USS) of zero is a root user. However, since USS security functions on a z/OS system are handled by the system security package (RACF, ACF/2, TOP SECRET) it is not an easy task to identify which user ids have this authority.

Re: How to find the root user in the specific USS?

Posted: Tue Nov 01, 2011 8:30 pm
by jaggz
You can issue : SEARCH CLASS(USER) UID(0) from ISPF Option 6 to see the number of ROOT user specific to USS.

Re: How to find the root user in the specific USS?

Posted: Thu Nov 03, 2011 10:48 am
by st8676746
Thanks for Robert's and jaggz's replies !

Due to our RACF's options, application identity mapping is disabled.
So I cannot use the command that jaggz recommended. Thanks all the time.

I am still very confused.
If we enter "/d OMVS, A=ALL" in the sdsf, we can see lots of user names.
But, in the sdsf, doesn't there exist a way to see the UIDs of these users ?

Thank you.

Re: How to find the root user in the specific USS?

Posted: Thu Nov 03, 2011 6:50 pm
by Robert Sample
st8676746 wrote: But, in the sdsf, doesn't there exist a way to see the UIDs of these users ?

No. I searched the z/OS System Commands manual (SA22-7628) for version 1.12 and there's no command listed that will provide ANY uid on the console. You might be able to get this data by talking to your site security group; if they cannot help you get it, then you cannot retrieve it, period. Most likely, their assistance will depend upon site security policies and the business reason you have for needing this data.

And be aware that, unlike the operating systems your post refers to, z/OS (MVS) has been around for well over 40 years and security is well-developed on the operating system. Things that you may be able to do on the other operating systems may well turn out not to be possible on z/OS. The /etc/passwd mechanism for Unix authorization, for example, has never been supported on z/OS -- RACF (or the alternate security packages) handles Unix System Services security instead.

Re: How to find the root user in the specific USS?

Posted: Fri Nov 04, 2011 5:46 am
by steve-myers
There is the FACILITY/BPX.SUPERUSER RACF profile. Any user with the RACF SPECIAL user attribute can use the RLIST command to list the users with this profile. However, very few users have the SPECIAL attribute, and you are not likely to have this attribute.

Re: How to find the root user in the specific USS?

Posted: Tue Nov 08, 2011 10:22 pm
by st8676746
Robert Sample wrote: SUPERUSER is defined by the BPXPRMxx member during the IPL, and may have little relationship to the defined root user(s).

Sorry for disturbing you again.

Could you tell me the difference between the superuser (for example, BPXROOT) and the defined root user(s)?
I am rather confused.

Thanks very much.

Re: How to find the root user in the specific USS?

Posted: Tue Nov 08, 2011 10:57 pm
by Robert Sample
It's no bother -- at least you're thinking about things before asking your questions!

From the MVS Initialization and Tuning Reference manual:
SUPERUSER(user_name)
Superuser name, which must conform to the restrictions for the z/OS user ID. The user name must also be defined to RACF (or another security product) and must have a z/OS UNIX user ID (UID) of 0. For example, in RACF, specify OMVS(UID(0)) on the ADDUSER command.

When a daemon issues a setuid() to set a UID to 0 and the user ID is not known, setuid() uses the user ID from the SUPERUSER statement.

Never permit the userid BPXROOT to the BPX.DAEMON profile (described in "Setting Up the BPX.* FACILITY Class Profiles" in z/OS UNIX System Services Planning). This warning applies even if you use a name other than BPXROOT.

Value Range: user_name is a 1 to 8 character value.

Default: BPXROOT

Use the SETOMVS or SET OMVS command to dynamically change the value of SUPERUSER. To make a permanent change, edit the BPXPRMxx member that is used for IPLs.

Realistically, there's not really much difference between the SUPERUSER parameter and a root user that has uid of zero. The parameter is used for daemons while root users are not.
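
Added example, not part of any post in the thread: a TSO/E REXX exec that a RACF administrator could run to review the two things the replies from jaggz and steve-myers point at, user profiles with an OMVS UID of 0 and the access list of FACILITY profile BPX.SUPERUSER. It assumes RACF is the security product, that SEARCH ... UID() is usable at the site, and that the caller has the RACF authority to list these profiles.

```rexx
/* REXX - added example: review z/OS UNIX superuser authority in RACF */
/* Assumptions: RACF, TSO/E, caller authorized to list the profiles.  */
address tso

/* 1. User profiles whose OMVS segment has UID 0.                     */
/*    SEARCH ... UID() depends on application identity mapping.       */
call outtrap 'uid0.'
"SEARCH CLASS(USER) UID(0)"
search_rc = rc
call outtrap 'OFF'

if search_rc <> 0 then do
  /* non-zero RC: nothing matched, or not authorized; show messages   */
  say 'SEARCH ended with RC='search_rc':'
  do i = 1 to uid0.0
    say '  'uid0.i
  end
end
else do
  say 'User IDs with OMVS UID 0:'
  do i = 1 to uid0.0
    user = strip(uid0.i)
    if user = '' then iterate
    say '  'user
    /* list only the OMVS segment (UID, HOME, PROGRAM) for each hit   */
    call outtrap 'lu.'
    "LISTUSER" user "OMVS NORACF"
    call outtrap 'OFF'
    do j = 1 to lu.0
      say '      'lu.j
    end
  end
end

/* 2. Users and groups permitted to BPX.SUPERUSER; these IDs can      */
/*    switch to superuser authority without having UID 0 themselves.  */
call outtrap 'rl.'
"RLIST FACILITY BPX.SUPERUSER AUTHUSER"
rl_rc = rc
call outtrap 'OFF'
say 'RLIST FACILITY BPX.SUPERUSER AUTHUSER (RC='rl_rc'):'
do i = 1 to rl.0
  say '  'rl.i
end
exit 0
```

Comparing the first list with the SUPERUSER value in BPXPRMxx shows which UID 0 user ID is the daemon default and which are ordinary root users.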