Re: Not authorized to PASE for i program ... zfcgi

On 10-Jan-2016 19:54 -0700, Aaron Bartell wrote:

On 08-Jan-2016 17:02 -0700, CRPence wrote:

On 08-Jan-2016 15:36 -0700, Aaron Bartell wrote:

On 08-Jan-2016 15:23 -0700, CRPence wrote:
Sorry, here's the full error:
https://bitbucket.org/snippets/aaronbartell/q8Xgk

included reformatted for reference only:

5770SS1 V7R2M0 140418 Job Log LITMIS1 01/08/16 23:19:39 UTC Page 1
Job name: CODE01 User: QTMHHTTP Number: 165602
Job description: QZHBHTTP Library: QHTTPSVR
<<SNIP>>

<<SNIP>> I have a shell script named full_path_perms.sh** that
gives me the perms for each dir, as shown below.

$ ./full_path_perms.sh /QOpenSys/QIBM/ProdData/OS400/PASE/sbin/zfcgi
drwxrwsrwx 13 qsys 0 339968 Dec 21 21:41
/QOpenSys
<<SNIP>>

was that script run under that USRPRF or perhaps run under
another USRPRF?

It was profile AARON that issues STRTCPSVR, but I obtained the
error from WRKSPLF QTMHHTTP.

Best to run the script using USER(QTMHHTTP) given that is the
initial user for the <ed:> *conspicuously missing content*

Not sure what you mean and your sentence was cut off.

Best to run the script using USER(QTMHHTTP) given that is the initial user for the job(165602/QTMHHTTP/CODE01)

The STRTCPSVR command** doesn't have a USER option.
**
[http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_72/cl/strtcpsvr.htm]

The non-conventional /quoting/ that has been used in replying, have resulted in my attempts to reformat the content, perhaps compromising the connections. I have since re-inserted the reference to the /script/ to which I was referring, being the script that was run to show the authorities for the user running the script; a user I was presuming was a different user than the current user of the failing job.

Thus I was suggesting that having run the script under user AARON, for example, would not be appropriate to reveal the authorities to the user QTMHHTTP, for example; the script must be run using the same user that would run when the processing failed for lack of necessary authority.

Concerning audit journal for AF entries, I did find three of them
(they are all the same except the directory specified on line 00851).
Here's an example of one. Do you see something that gives more info
about the error?

Drilling into the docs from the first of the following to the third, finds the layout of that T-AF journal entry [although I did not recall, not giving offsets for the Entry Specific Data itself, but instead just for output to some of the possible output files]:

[http://www.ibm.com/support/knowledgecenter/api/content/ssw_ibm_i_71/rzarl/rzarlsecaudje.htm]
_Security auditing journal entries_

[http://www.ibm.com/support/knowledgecenter/api/content/ssw_ibm_i_71/rzarl/rzarllayout.htm#rzarllayout]
_Layout of audit journal entries_

[http://www.ibm.com/support/knowledgecenter/api/content/ssw_ibm_i_71/rzarl/rzarlf06.htm]
_AF (Authority Failure) journal entries_

Display Journal Entry

Object . . . . . . . : Library . . . . . . :
Member . . . . . . . :
Incomplete data . . : No Minimized entry data : *NONE
Sequence . . . . . . : 10382
Code . . . . . . . . : T - Audit trail entry
Type . . . . . . . . : AF - Authority failure

Entry specific data
Column *...+....1....+....2....+....3....+....4....+....5
00001 'A*N *N *DIR CODE01 QTMHHTTP '
00051 '168853 QTMHHTTP 0000'
00101 '000 '
00151 ' '
00201 ' '
00251 ' ºròÙ P '
00301 ' '
<<SNIP>>
00701 ' '
00751 ' '
00801 ' ºròÙ P QASP01 00001 USENU Y '
00851 ' /QOpenSys/usr/sbin '
00901 ' '
00951 ' '
01001 ' '

The changing path data at position 857 names the parent directory of, the Path Name of, the STMF File ID to which the user named QTMHHTTP [position 76] is not authorized. Because the File ID is binary data [as are other offsets of the presented data], other data other than the path could have changed [and likely did, given the path changed].