IBM Support

PH60792: WITH RACF AUDITING ENABLED, WHEN A PROCESS ENDS, RACF ERROR INSUFFICIENT AUTHORITY TO KILL RETURNED IN IBM EXPLORER FOR Z/OS

A fix is available


APAR status

  • Closed as program error.

Error description

  • For an IBM Explorer for z/OS (or IBM Developer for z/OS)
    connection, an action may require creating a user process.
    When the UNIXPRIV SUPERUSER.PROCESS.KILL profile is defined, the
    clean-up of these processes may cause the ICH408I audit message.
    This is because the TERM signal sent during the cleanup is
    owned by the ThreadPool user ID, i.e. the RSE started task user
    ID. The ICH408I message refers to the connection's user ID
    instead because it reports at the task level.
    The same issue occurs with RSEAPI.
    

Local fix

  • When the UNIXPRIV SUPERUSER.PROCESS.KILL profile is defined, grant
    READ permission to the profile for the RSE and RSEAPI started task
    user IDs so that they can clean up the processes spawned by the
    user threads that the server process is hosting.
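
    The permit described above, written out as RACF commands. This is an added example, not the sample commands shipped with the fix; RSEUSER and APIUSER are placeholders for the RSE and RSEAPI started task user IDs.

```tso
  /* Added example. RSEUSER and APIUSER are placeholder user IDs   */
  /* for the RSE and RSEAPI started tasks; substitute your own.    */

  /* 1. Confirm the profile exists and list its current access list */
  RLIST UNIXPRIV SUPERUSER.PROCESS.KILL AUTHUSER

  /* 2. Grant READ to the two started task user IDs only           */
  PERMIT SUPERUSER.PROCESS.KILL CLASS(UNIXPRIV) ID(RSEUSER) ACCESS(READ)
  PERMIT SUPERUSER.PROCESS.KILL CLASS(UNIXPRIV) ID(APIUSER) ACCESS(READ)

  /* 3. UNIXPRIV profiles are RACLISTed, so refresh the in-storage */
  /*    copy for the permits to take effect                        */
  SETROPTS RACLIST(UNIXPRIV) REFRESH

  /* 4. Verify that only the intended IDs appear in the access list */
  RLIST UNIXPRIV SUPERUSER.PROCESS.KILL AUTHUSER
```

    READ access to SUPERUSER.PROCESS.KILL lets the permitted ID send signals to any process, so keep the access list limited to the started task user IDs rather than the connecting end users.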
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: 1. Security admin                            *
    ****************************************************************
    * PROBLEM DESCRIPTION: 1. "INSUFFICIENT AUTHORITY TO KILL"     *
    *                      security violation                      *
    ****************************************************************
    1. When the RSED STC user ID lacks a permit to UNIXPRIV
    SUPERUSER.PROCESS.KILL and SETROPTS LOGOPTIONS(FAILURES(PROCACT))
    is in effect, you can see security violations:
    ICH408I USER(enduser) GROUP(group) NAME(user connected via client)
      CL(PROCACT )
      INSUFFICIENT AUTHORITY TO KILL
      EFFECTIVE UID(uid)  EFFECTIVE GID(gid)
    

Problem conclusion

  • 1. Provide sample commands to grant the required permit
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH60792

  • Reported component name

    EXP FOR Z/OS HO

  • Reported component ID

    5655EXP23

  • Reported release

    330

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2024-04-09

  • Closed date

    2024-06-06

  • Last modified date

    2024-07-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros


Fix information

  • Fixed component name

    EXP FOR Z/OS HO

  • Fixed component ID

    5655EXP23

Applicable component levels

  • R330 PSY UI97198

       UP24/06/15 P F406


Document Information

Modified date:
02 July 2024