MQ V6 Explorer Security Issues
pfarrel
Posted: Fri Mar 24, 2006 10:29 am

Centurion

Joined: 16 Mar 2004
Posts: 120
Location: Kansas City

Yes, I have done that too.
I have also tried it on a UNIX box in AIX, with a local ID there, by granting permissions to the primary group.
It works the same there too.
Displaying the list of queues is a problem, and the user can start a channel when he shouldn't be able to do so. Same on AIX as Windows.
msantos007
Posted: Fri Mar 24, 2006 12:16 pm

Voyager

Joined: 20 Dec 2004
Posts: 78

I think I know what the problem is:
setmqaut -m QMGR1 -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p user1 +get +browse +inq +put

You're able to put msgs to this queue; a start channel is a message put into this queue, so the command server will process the message no matter who posted it.
_________________
Maximiliano R. A. Santos
IBM Websphere MQ V6.0 Certified System Administrator
IBM Websphere MQ V5.3 Certified Solution Developer
wschutz
Posted: Fri Mar 24, 2006 12:38 pm

Jedi Knight

Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)

msantos007 wrote:
I think I know what the problem is:
setmqaut -m QMGR1 -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p user1 +get +browse +inq +put
You're able to put msgs to this queue; a start channel is a message put into this queue, so the command server will process the message no matter who posted it.

No, in V6, channels are qmgr objects (just like queues) and are controlled via OAM. From the manual:
Quote:
There are two new object authorities relevant to channel objects; control (ctrl) and control extended (ctrlx). You must have the appropriate authority in order to start, stop, ping, resolve and reset channels.


pfarrel; the channels you are trying to control are V6 channels, correct?
_________________
-wayne
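
A check for the two channel authorities named in the post above, as an added example that is not part of the original thread: it parses `dspmqaut`-style output and reports whether `ctrl` and `ctrlx` are granted, so an unexpected ability to start a channel can be compared against what the OAM actually holds. The output layout, the channel name TO.QMGR2, the sample listings and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report channel-control authorities from dspmqaut-style
# output on stdin. Real use (needs MQ installed), for example:
#   dspmqaut -m QMGR1 -t channel -n TO.QMGR2 -p user1 | channel_control_report
# Assumed layout: one header line, then one authority keyword per
# indented line. TO.QMGR2 is a constructed channel name.

# list_authorities: print each authority keyword from stdin, one per line.
list_authorities() {
    awk '
        /has the following authorizations/ { in_list = 1; next }
        in_list && NF == 1 { print tolower($1) }
    '
}

# has_authority AUTH: exit 0 if AUTH is in the listing on stdin.
# -x matches the whole line, so "ctrl" does not match "ctrlx".
has_authority() {
    list_authorities | grep -qx "$1"
}

# channel_control_report: print "ctrl=yes|no ctrlx=yes|no" for stdin.
channel_control_report() {
    auths=$(list_authorities)
    out=""
    for a in ctrl ctrlx; do
        if printf '%s\n' "$auths" | grep -qx "$a"; then s=yes; else s=no; fi
        out="$out${out:+ }$a=$s"
    done
    printf '%s\n' "$out"
}

# Constructed sample: a non-mqm user granted display/inquire only.
SAMPLE_USER1='Entity user1 has the following authorizations for object TO.QMGR2:
        dsp
        inq'

# Constructed sample: a principal that does hold both control authorities.
SAMPLE_ADMIN='Entity mqadmin has the following authorizations for object TO.QMGR2:
        dsp
        ctrl
        ctrlx'

printf '%s\n' "$SAMPLE_USER1" | channel_control_report
printf '%s\n' "$SAMPLE_ADMIN" | channel_control_report
```

A principal that reports `ctrl=no` yet can still start the channel is the mismatch worth escalating to the vendor.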
Nigelg
Posted: Sun Mar 26, 2006 10:58 pm

Grand Master

Joined: 02 Aug 2004
Posts: 1046

The setmqaut command above to allow +dsp authority to all queues does not allow authority to SYSTEM.AUTH.DATA.QUEUE. This queue has an explicit hard-coded check for mqm authority in the qmgr, and so the setmqaut command does not affect it.
The PCF command from Explorer has to succeed for all objects, so since it fails for the auth queue, the whole command fails and no queues are displayed. This is not a bug; it is the same in v5.3, you have to be in the mqm group to list all queues.
Use the filter option to list the queues without the auth queue.

I don't know about being able to start channels without +ctrl auth.
_________________
MQSeries.net helps those who help themselves..
pfarrel
Posted: Mon Mar 27, 2006 7:20 am

Centurion

Joined: 16 Mar 2004
Posts: 120
Location: Kansas City

A further update.
Yes, all my testing is with V6 queue managers.

I have discovered that what Nigelg says appears to be true. If you try to use setmqaut to assign permissions on the SYSTEM.AUTH.DATA.QUEUE then it simply doesn't work. It is annoying that when you issue the command setmqaut to this queue, the system responds with the message:
The setmqaut command completed successfully.
Even though it does not do what you have requested.
The following queues seem to be somehow special insomuch as you don't seem to be able to assign +dsp for a general non-mqm user:
SYSTEM.AUTH.DATA.QUEUE
SYSTEM.ADMIN.COMMAND.QUEUE
SYSTEM.DEFAULT.LOCAL.QUEUE
and on an AIX system, there is one more special queue:
SYSTEM.DEFAULT.MODEL.QUEUE
You have to filter these queues out if you want to display queues and you are not in the mqm group.

Regarding starting a channel when you are not in the mqm group, IBM has now responded that this appears to be a bug. They have been able to recreate it.