ibmi-brunch-learn

Use profile handler to switch to profile with user class *USER not able to run QSH

  • Use profile handler to switch to profile with user class *USER not able to run QSH

    Hi,

    I am facing a problem, see the PGM below:

    Code:
    PGM
       DCL VAR(&QSHCMD) TYPE(*CHAR) LEN(512)
       DCL VAR(&CURRHNDL) TYPE(*CHAR) LEN(12)
       DCL VAR(&PGHNDL) TYPE(*CHAR) LEN(12)

       /* Handle for the caller (to swap back later) and for TESTUSR */
       CALL QSYGETPH ('*CURRENT' '*NOPWD' &CURRHNDL)
       CALL QSYGETPH ('TESTUSR' '*NOPWD' &PGHNDL)
       /* Swap the job to TESTUSR */
       CALL QWTSETP (&PGHNDL)

       CHGVAR VAR(&QSHCMD) VALUE('cd /home/')

       QSH CMD(&QSHCMD)

       /* Swap back to the caller */
       CALL QWTSETP (&CURRHNDL)
    ENDPGM

    Getting below issue:
    qsh: 001-0011 Error found getting current working directory. Permission denied.


    The user profile TESTUSR is *USER, without a group profile or special authorities set up.
    I suspect it is a system security policy issue, but I do not know which system value controls this.


    Will appreciate your help!

    Thanks
    Boyka

  • #2
    I guess the first question is what are the authorities on /home?

    P.S. Saying a profile is of class *USER is of little use. The authority will vary depending on your system's security level. And of course a profile's authority can be changed, although you've indicated it hasn't been. I'm assuming it has no special authorities as it's unlikely you would be at a very low security level, but we can only guess. Advising of a user's special authorities (I'd assume *NONE) is more helpful.

    • BoykaZhu commented
      John, Thanks for your reply.

      Auth on /home is:

      Work with Authority

      Object . . . . . . . . . . . . :  /home
      Type . . . . . . . . . . . . . :  DIR
      Owner . . . . . . . . . . . . :  QSYS
      Primary group . . . . . . . . :  *NONE
      Authorization list . . . . . . :  *NONE

      Type options, press Enter.
        1=Add user   2=Change user authority   4=Remove user

                              Data      --Object Authorities--
      Opt  User          Authority   Exist  Mgt  Alter  Ref
           *PUBLIC       *RWX          X     X     X     X
           QSYS          *RWX          X     X     X     X


      Meanwhile, the system security level on the host is 40.

      Display System Value

      System value . . . . . :   QSECURITY
      Description  . . . . . :   System security level

      System security level  . . . :   40     10=Physical security only (no longer supported)
                                              20=Password security only
                                              30=Password and object security
                                              40=Password, object, and operating system integrity
                                              50=Password, object, and enhanced operating system integrity


      The thing is, when I log in to the green screen as TESTUSR and then run QSH, a command like "cd /home" works fine.
      The problem only appears when I use it via the handler (QSYGETPH and QWTSETP).

      Confusing...

  • #3
    I think the problem is with getting the current working directory (not with changing to /home). The user running this CL program, originally, had their current directory set to a location that TESTUSR doesn't have authority to, so QShell is unable to start (and never gets to the point where it can run cd /home)

    I would try something like this:
    Code:
    PGM
       DCL VAR(&QSHCMD) TYPE(*CHAR) LEN(512)
       DCL VAR(&CURRHNDL) TYPE(*CHAR) LEN(12)
       DCL VAR(&PGHNDL) TYPE(*CHAR) LEN(12)
    
       CHGCURDIR DIR('/home')
    
       CALL QSYGETPH ('*CURRENT' '*NOPWD' &CURRHNDL)
       CALL QSYGETPH ('TESTUSR' '*NOPWD' &PGHNDL)
       CALL QWTSETP (&PGHNDL)
    
       CHGVAR VAR(&QSHCMD) VALUE('whatever qshell command')
    
       QSH CMD(&QSHCMD)
    
       CALL QWTSETP (&CURRHNDL)
    
    ENDPGM

    • BoykaZhu commented
      Hi Scott,

      You are right, trying whatever qshell command gets the same issue, which indicates "qsh: 001-0011 Error found getting current working directory. Permission denied."

  • #4
    If it's still an issue after trying Scott's suggestion, I would suggest looking at the audit journals to find out more information on the authorisation failure (assuming you have AF auditing turned on).

    • BoykaZhu commented
      Hi John,

      Yes, trying any qsh command in my CL pgm has the same issue.
      I am trying to get the system value of QAUDCTL and QAUDLVL.


      Display System Value

      System value . . . . . :   QAUDCTL
      Description  . . . . . :   Auditing control

      Auditing control . . . :   *OBJAUD
                                 *AUDLVL
                                 *NOQTEMP

      Display System Value

      System value . . . . . :   QAUDLVL
      Description  . . . . . :   Security auditing level

      Auditing options . . . :   *CREATE
                                 *DELETE
                                 *OBJMGT
                                 *SAVRST
                                 *SECURITY
                                 *SPLFDTA
                                 *PRTDTA

      Current Security Auditing Values

      Security Auditing Journal Values
        Security journal QAUDJRN exists . . . . . :   YES
        Journal receiver attached to QAUDJRN  . . :   QAUDJR0034
          Library . . . . . . . . . . . . . . . . :     QSYS

      Security Auditing System Values
        Current QAUDCTL system value  . . . . . . :   *OBJAUD  *AUDLVL  *NOQTEMP
        Current QAUDLVL system value  . . . . . . :   *CREATE  *DELETE  *OBJMGT  *SAVRST  *SECURITY  *SPLFDTA  *PRTDTA
        Current QAUDLVL2 system value . . . . . . :   *NONE

      Will these impact the "current working directory" permission?

  • #5
    This won't impact any permissions, auditing is a way for the system to record various events on the system. As you have *SECURITY auditing set, the system will log any authorisation failures amongst other things in the audit journals. You can display these using the DSPJRN command such as:

    DSPJRN JRN(QAUDJRN) FROMTIME(<start date> <start time>) JRNCDE((T)) ENTTYP(AF)

    If you are looking at older entries, you may need to also specify RCVRNG(*CURCHAIN) otherwise the command will only look at the currently attached journal receiver.
    This will display the journal entries for all authorisation failures (that's the AF ENTTYP) from the start date/time. If you look at the entries for the job concerned you should be able to see the details on the user ID that caused the failure along with the object it's not authorised to.

    • BoykaZhu commented
      Tried to fetch the JRN entries, with a date range or RCVRNG, but could not get any entries returned.
      I began doing this verification last week, so if this is really the cause, there should be an auth failure history... so it is strange. (-_-)

      Back to the issue, it shows something about the "current work dir" permission...
      I checked the user's current dir with DSPCURDIR:

      Directory . . . . . . :   /home/testusr

      Work with Authority

      Object . . . . . . . . . . . . :  /home/TESTUSR
      Type . . . . . . . . . . . . . :  DIR
      Owner . . . . . . . . . . . . :  TESTUSR
      Primary group . . . . . . . . :  *NONE
      Authorization list . . . . . . :  *NONE

      Type options, press Enter.
        1=Add user   2=Change user authority   4=Remove user

                              Data      --Object Authorities--
      Opt  User          Authority   Exist  Mgt  Alter  Ref
           *PUBLIC       *RWX          X     X     X     X
           TESTUSR       *RWX          X     X     X     X

      Do you know the difference between "logging in as the user directly" and "switching via handler QSYGETPH/QWTSETP"?

  • #6
    We finally have this resolved.

    I think Scott Klement gave the correct direction.
    After going back to check the caller's home directory (for example, my caller name is OPTMGR),
    I noticed /home/OPTMGR is 700; after changing it to 755, the issue got resolved.

    Rock!

    • #7
      So you are giving the group and public read and execute access to your user's directory. Are you certain you want to do that? I gave an alternate suggestion (that doesn't require altering the permissions on the user's directory) together with sample code on how to make it work, above. (2 years ago!)

      • #8
        Originally posted by Scott Klement:
        So you are giving the group and public read and execute access to your user's directory. Are you certain you want to do that? I gave an alternate suggestion (that doesn't require altering the permissions on the user's directory) together with sample code on how to make it work, above. (2 years ago!)

        Hi Scott,

        Resolving the folder permission was the workaround to fix the issue for the old version of the code.
        In the new version of the code, we use CHGCURDIR to cover it.
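        Scott's CHGCURDIR approach from #3, written out as a complete program with the clean-up a profile swap should always have. This is an added example, not code from this thread: it leaves the caller's home directory before swapping, so that directory can stay at 700 instead of being opened to 755 as in #6, and it swaps back and releases both handles even when QSYGETPH or QSH fails. It assumes /home is *PUBLIC *RWX as shown above; the profile name is a parameter, and the `id && pwd` command is only a constructed demonstration.

```cl
             PGM        PARM(&USER)

             DCL        VAR(&USER)     TYPE(*CHAR) LEN(10)
             DCL        VAR(&QSHCMD)   TYPE(*CHAR) LEN(512)
             DCL        VAR(&CURRHNDL) TYPE(*CHAR) LEN(12)
             DCL        VAR(&PGHNDL)   TYPE(*CHAR) LEN(12)
             DCL        VAR(&SWAPPED)  TYPE(*LGL)  VALUE('0')

/* Handle for the caller, so the job can be swapped back afterwards.  */
             CALL       PGM(QSYGETPH) PARM('*CURRENT' '*NOPWD' &CURRHNDL)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(CLEANUP))

/* Handle for the target profile. *NOPWD needs *USE authority to that */
/* user profile object; with no error-code parameter a failure comes  */
/* back as an escape message, so stop rather than swap with an empty  */
/* handle.                                                            */
             CALL       PGM(QSYGETPH) PARM(&USER '*NOPWD' &PGHNDL)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(CLEANUP))

/* Leave the caller's (possibly mode 700) home directory BEFORE the   */
/* swap. The current directory is a job attribute, not a profile      */
/* attribute, so the swapped profile inherits it; /home is *PUBLIC    */
/* *RWX in this thread (assumption), so QShell can resolve it.        */
             CHGCURDIR  DIR('/home')
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(CLEANUP))

/* Have QSH report a non-zero exit status as an escape message.       */
             ADDENVVAR  ENVVAR(QIBM_QSH_CMD_ESCAPE_MSG) VALUE(Y) REPLACE(*YES)

             CALL       PGM(QWTSETP) PARM(&PGHNDL)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(CLEANUP))
             CHGVAR     VAR(&SWAPPED) VALUE('1')

/* Runs as &USER: 'id' shows the effective profile, 'pwd' the cwd.    */
/* A QSH failure is monitored and falls through to the clean-up; the  */
/* escape message stays in the job log.                               */
             CHGVAR     VAR(&QSHCMD) VALUE('id && pwd')
             QSH        CMD(&QSHCMD)
             MONMSG     MSGID(QSH0000 CPF0000)

/* Always undo the swap and release both handles: handles live for    */
/* the rest of the job, and the swapped identity would otherwise      */
/* leak into whatever the caller runs next.                           */
 CLEANUP:    IF         COND(&SWAPPED) THEN(CALL PGM(QWTSETP) PARM(&CURRHNDL))
             CALL       PGM(QSYRLSPH) PARM(&PGHNDL)
             MONMSG     MSGID(CPF0000)
             CALL       PGM(QSYRLSPH) PARM(&CURRHNDL)
             MONMSG     MSGID(CPF0000)
             ENDPGM
```

        The caller's current directory is not restored afterwards; if the calling job depends on it, set it back with CHGCURDIR after the program returns.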
