Using SURROGAT class to enable use of su command in USS

Postby Blackthorn » Thu Jun 12, 2014 4:41 pm

I'm trying to su to a different user in USS. The manual says that you should use the -s flag to turn off password prompting, and as long as you have read access to the BPX.SRV.user profile in the SURROGAT class this should work. It doesn't though. Is there anything else that needs to be set anywhere?

I have run this command -

READY
RDEFINE SURROGAT BPX.SRV.OPS0047 UACC(NONE)
RACLISTED PROFILES FOR SURROGAT WILL NOT REFLECT THE ADDITION(S) UNTIL A SETROPT
READY
PERMIT BPX.SRV.OPS0047 CLASS(SURROGAT) ID(OPS0052) ACCESS(READ)
RACLISTED PROFILES FOR SURROGAT WILL NOT REFLECT THE UPDATE(S) UNTIL A SETROPTS
READY
SETROPTS RACLIST(SURROGAT) REFRESH
READY
END

but I'm still getting this -

OPS0052@PROD:/u/ops0052>$su -s ops0047
FSUM5027 su: User is not a surrogate of "ops0047".

Any ideas?

Thanks.
Blackthorn

Re: Using SURROGAT class to enable use of su command in USS

Postby enrico-sorichetti » Thu Jun 12, 2014 5:04 pm

did You logoff/logon ???
cheers
enrico
When I tell somebody to RTFM or STFW I usually have the page open in another tab/window of my browser,
so that I am sure that the information requested can be reached with a very small effort
enrico-sorichetti
Global moderator

Re: Using SURROGAT class to enable use of su command in USS

Postby Blackthorn » Thu Jun 12, 2014 5:14 pm

Hi Enrico,

I was initially connecting via ssh from another Unix server and I had disconnected and signed back in.

I have now tried logging out of TSO and back on and tried it in omvs, but I am still getting the same issue.

Thanks.
Blackthorn

Re: Using SURROGAT class to enable use of su command in USS

Postby enrico-sorichetti » Thu Jun 12, 2014 5:32 pm

unfortunately I cannot be of more help ...
it works for me

IBMUSER:/u/ibmuser: >su -s enrico
FSUM5027 su: User is not a surrogate of "enrico".

after the commands
=> permit bpx.srv.enrico class(surrogat) id(ibmuser) access(read)
=> setr raclist(surrogat) refresh

IBMUSER:/u/ibmuser: >su -s enrico
IBMUSER:/u/ibmuser: >id
uid=1(ENRICO) gid=0(SYS1)
IBMUSER:/u/ibmuser: >


yess, the logoff/logon sequence is pretty murky
the above sequence went fine without logoff/logon

logoff/logon is usually to test with a clean environment
cheers
enrico
When I tell somebody to RTFM or STFW I usually have the page open in another tab/window of my browser,
so that I am sure that the information requested can be reached with a very small effort
enrico-sorichetti
Global moderator

Re: Using SURROGAT class to enable use of su command in USS

Postby Blackthorn » Thu Jun 12, 2014 5:51 pm

Enrico, you're a star! I'm used to using su on AIX, where the command prompt and home directory both change as soon as you switch users -

root@p25n10e0:/ # su - ops0052     
ops0052@p25n10e0:/home/ops0052 $   


I hadn't realised that this was not the case in USS. Using the ID command confirms that I have in fact switched -

OPS0052@PROD:/u/ops0052>£id           
uid=1098(OPS0052) gid=11(OPSGROUP)     
OPS0052@PROD:/u/ops0052>£su -s ops0047
OPS0052@PROD:/u/ops0052>£id           
uid=1067(OPS0047) gid=11(OPSGROUP)     
OPS0052@PROD:/u/ops0052>£             


Previously the error was only occurring after I had issued the command the second time, i.e. I had switched users and did not have authority to switch again from there. I should have twigged that the first command, whilst apparently not doing anything, was in fact working as expected.

Thanks ever so much for your help.
Blackthorn

Re: Using SURROGAT class to enable use of su command in USS

Postby steve-myers » Thu Jun 12, 2014 6:42 pm

I presume SU is equivalent to SUBMIT, though from a USS file.

The intent of the RACF SURROGAT class is to permit user A to submit a job to run using user B's userid without specifying user B's password in the JOB statement.

For it to work,
  • The SURROGAT class must be enabled
  • An appropriate SURROGAT profile must be defined by a security administrator -

    RDEFINE SURROGAT B.SUBMIT UACC(NONE) OWNER(B)

    The OWNER allows user B to enter PERMIT commands for the resource.
  • User B (or the security administrator) enters a PERMIT command to allow user A to submit a job using user B's userid.

    PERMIT B.SUBMIT ACCESS(READ) ID(A) CLASS(SURROGAT)

See the chapter "Allowing Surrogate Job Submission" in Security Server RACF Security Administrator's Guide for your z/OS release.
steve-myers
Global moderator

Re: Using SURROGAT class to enable use of su command in USS

Postby enrico-sorichetti » Thu Jun 12, 2014 7:19 pm

nope :D

in UNIXese
su -- Change the user ID associated with a session


with a wild guess for switch user
cheers
enrico
When I tell somebody to RTFM or STFW I usually have the page open in another tab/window of my browser,
so that I am sure that the information requested can be reached with a very small effort
enrico-sorichetti
Global moderator
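The following is an added example, not code from the thread and not an IBM-supplied tool. It is a small POSIX shell script for the z/OS UNIX shell that pre-checks the two things Blackthorn's exchange turned on: which SURROGAT profile su -s consults for a target user (BPX.SRV.<TARGET>) and whether the current user holds READ on it, and then confirms the switch from the output of id, since su -s leaves the prompt and working directory unchanged. It also derives the <userid>.SUBMIT batch profile name from steve-myers's post, so one helper covers both uses of the class. Assumptions not stated on the page: the tsocmd command is available in the USS shell, RLIST ... AUTHUSER output lists each permitted user as "<USER> <ACCESS> ..." on its own line, and the SURROGAT class is already active (SETROPTS CLASSACT(SURROGAT)). The RLIST fragment and id lines embedded below are constructed sample data, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-flight checks for "su -s TARGET" on
# z/OS UNIX, plus the batch-submit profile name from the later post. Assumptions not
# stated on the page: the tsocmd command is available in the USS shell, and RLIST
# AUTHUSER output lists each permitted user as "<USER> <ACCESS> ..." on its own line.

# Profile name RACF checks in the SURROGAT class:
#   su     -> BPX.SRV.<TARGET>   (checked by "su -s target" in USS)
#   submit -> <TARGET>.SUBMIT    (batch job submitted under another user's ID)
surrogat_profile() {
    mode=$1
    target=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    case "$mode" in
        su)     printf 'BPX.SRV.%s\n' "$target" ;;
        submit) printf '%s.SUBMIT\n' "$target" ;;
        *)      echo "usage: surrogat_profile su|submit TARGET" >&2; return 2 ;;
    esac
}

# Read "RLIST SURROGAT <profile> AUTHUSER" output on stdin and print USER's access
# level, or NONE when the user does not appear in the access list.
access_from_rlist() {
    user=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    awk -v u="$user" '
        $1 == u && $2 ~ /^(NONE|READ|UPDATE|CONTROL|ALTER)$/ { print $2; found = 1; exit }
        END { if (!found) print "NONE" }'
}

# su -s needs READ or higher on the profile.
access_allows_su() {
    case "$1" in
        READ|UPDATE|CONTROL|ALTER) return 0 ;;
        *)                          return 1 ;;
    esac
}

# su -s changes the effective user but not the prompt or working directory, so the
# only reliable confirmation is the id command. Parse the user name out of its output.
uid_name() {
    printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'
}

# True when the id output shows TARGET as the effective user.
switched_to() {
    [ "$(uid_name "$1")" = "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" ]
}

# Constructed sample of the access-list part of RLIST output (not captured from a
# real system): OPS0052 holds READ on BPX.SRV.OPS0047, nobody else is listed.
SAMPLE_RLIST='   USER      ACCESS   ACCESS COUNT
   ----      ------   ------ -----
   OPS0052   READ        000000'

# Driver for a real z/OS system: ./check_su.sh TARGET, run as the would-be surrogate.
# The authorisation check is made against the *current* effective user, so a second
# "su -s TARGET" issued after a successful first one is checked for TARGET itself,
# which normally has no access to its own BPX.SRV profile: that is the FSUM5027 the
# thread ran into.
if [ -n "$1" ] && command -v tsocmd >/dev/null 2>&1; then
    me=$(id -un)
    profile=$(surrogat_profile su "$1")
    acc=$(tsocmd "RLIST SURROGAT $profile AUTHUSER" 2>/dev/null | access_from_rlist "$me")
    if access_allows_su "$acc"; then
        echo "$me has $acc on $profile: su -s $1 should succeed, confirm with: id"
    else
        echo "$me has $acc on $profile: expect FSUM5027 unless SETROPTS RACLIST(SURROGAT) REFRESH is still pending"
    fi
fi
```

Run it as the surrogate user before attempting the switch; after su -s, run id and feed its output to switched_to rather than trusting the prompt. A PERMIT that RLIST already shows can still be rejected until the RACLISTed copy of the class is refreshed, which is what the RACLISTED PROFILES ... WILL NOT REFLECT messages in the first post warn about.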
