Strange that MAINT cannot issue SET PRIVCLASS
SET PRIVCLASS DIRMAINT +A
Privilege classes for user DIRMAINT
Currently: ABDG
Directory: BDG
The privilege classes are not locked against changes.
Ready; T=0.01/0.01 08:16:28
Maybe someone changed the command classes to place PRIVCLASS in a special
class. Try
Q COMMAND SET
and look what it tells about PRIVCLASS. I get this
PRIVCLASS IBMCLASS=C,ANY
I my eyes, MAINT should be permitted to all commands, hence have all CP
classes.
2009/5/28 Yoon-suk Cho <isem...@gmail.com>
> Thanks for your help. I re-defined the 123 minidisk to maint and then
> fix the Dirmaint in successfully.
>
>
> First, I tried to put the PRIVCLASS to DIRMAINT user by maint. It was
> not available , however, option as following errors.
>
>
> SET PRIVCLASS DIRMAINT +A
> Invalid option - PRIVCLASS
>
>
> Maint need the 123 minidisk (540RES) and dirmaint refer to the disk to
> update dictory.
> So, I put the DEVMAINT function(?) to MAINT.
>
> SETVMDBK MAINT DEVMAINT
>
> and issue command 'CP DEFINE MDISK 123 0 END 540RES' . it was
> successfully defined.
>
> after that, I need more time to fix dirmaint. It was not difficult job.
>
>
> really thanks again.
>
>
>
>
>
>
>
>
> On Wed, May 27, 2009 at 6:23 PM, Kris Buelens <kris.buel...@gmail.com>
> wrote:
> > I just tested an easy bypass. I've got an SETVMDBK EXEC that allows a
> > privileged user to zap certain bits in the VMDBK of logged on users.
> > This SETVMDBK has proven to work surely up to z/VM 5.4.
> >
> > From MAINT:
> > - XAUTOLOG DIRMAINT
> > - SET PRIVCLASS DIRAMINT +A (if it hasn't class A already)
> > - SETVMDBK DIRMAINT DEVMAINT
> > - DIRM CP DEFINE MDISK 123 0 END 540RES
> > Et voila.... I'll send SETVMDBK is a separate email (a bit too long
> > to imbed here)
> >
> > 2009/5/27 Yoon-suk Cho <isem...@gmail.com>
> >>
> >> I try to 'DEFINE MDISK as 123 0 END 540RES' by maint. but I got a
> >> error msg like this.
> >>
> >>
> >> define mdisk as 123 0 end 540res
> >> HCPDEF003E Invalid option - MDISK
> >> Ready(00003); T=0.01/0.01 16:13:41
> >>
> >> It was successfully defined by lglopr user.
> >> and , I tried shutting down dirmaint and logging off MAINT, the
> >> restart dirmaint user.
> >> But. Same problem exist. I think really dirmaint need 123 minidisk of
> maint.
> >>
> >> How about this way?
> >>
> >> - disable the dirmaint
> >> - make user backup file
> >> - edit the 'USER DIRECT C' under 2C2 disk to 'MDISK 0123 3390 000 END
> 540RES MR'
> >> - issue command 'DIRECTXA USER DIRECT C'
> >> - fix the dirmaint config file for maint.
> >> - conversion 'USER DIRECT C' file to use the dirmaint.
> >>
> >>
> >> we need attach the 123 disk to maint. so we are using the DIRECTXA
> >> command first.
> >> and then conversion 'USER DIRECT C' file to use dirmaint.
> >>
> >> Do you known that way in detail?
> >>
> >>
> >>
> >>
> >> On Wed, May 27, 2009 at 5:46 PM, Rob van der Heij <rvdh...@gmail.com>
> wrote:
> >> > On Wed, May 27, 2009 at 10:35 AM, Jonathan R Nolting
> >> > <jrnol...@us.ibm.com> wrote:
> >> >> From MAINT issue:
> >> >>
> >> >> CP Q V 123
> >> >> Dirm cp q v 123
> >> >>
> >> >> And provide results.
> >> >>
> >> >> Have you tried shutting down Dirmaint and logging off MAINT. Then
> restart DIRMAINT?
> >> >
> >> > If MAINT still had the 123 and it is not in the online directory
> >> > anymore, then logging off is not a wise approach. But you can get that
> >> > back.
> >> > Normally MAINT has the DEVMAINT option, so you should be able to issue
> >> > the DEFINE MDISK to get the 0123 full pack linked. Then get the
> >> > yesterday's user backup from DIRMAINT and use MAINT to bring that
> >> > online. This will give you a MAINT 123 again that DIRMAINT can link.
> >> >
> >> > Rob
> >> >
> >
> >
> >
> > --
> > Kris Buelens,
> > IBM Belgium, VM customer support
> >
>
--
Kris Buelens,
IBM Belgium, VM customer support
