mqlover
Posted: Wed May 14, 2014 6:32 pm Post subject: runmqsc command without access for start and stop in unix
Disciple
Joined: 25 Jul 2010 Posts: 176

Hi,
I have created a user id in Unix which has access only to do dspmq and execute the runmqsc command.
Now I have a requirement that the user id should execute only display commands and not start and stop of channels.
Nor define channels.
Kindly could anyone help as to how to achieve this?
Thanks in advance
bruce2359
Posted: Wed May 14, 2014 7:35 pm Post subject: Re: runmqsc command without access for start and stop in unix
Poobah
Joined: 05 Jan 2008 Posts: 9472 Location: US: west coast, almost. Otherwise, enroute.

mqlover wrote:
    Hi,
    I have created a user id in Unix which has access only to do dspmq and execute the runmqsc command.
How exactly did you create this userid? What group?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
mqlover
Posted: Wed May 14, 2014 7:38 pm Post subject:
Disciple
Joined: 25 Jul 2010 Posts: 176

Hi,
This user id was created by a security team on AIX. The user id belongs to group mqbrkrs (which is the mqbroker group). This group also has access to perform MQ and WMB operations.
Thanks
 |
mqlover |
Posted: Thu May 15, 2014 12:26 am Post subject: |
|
|
Disciple
Joined: 25 Jul 2010 Posts: 176
|
Sorry, my bad, this user id does not belong to any group. I meant niether of MQ or WMB group. |
|
Back to top |
|
 |
bruce2359
Posted: Thu May 15, 2014 4:13 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9472 Location: US: west coast, almost. Otherwise, enroute.

So, the user id isn't a member of any group? And there are auth rules for this user id?
Does the user id have UID=0 (root)? Can the user id issue root UNIX commands - like shutdown?
Was the user id a member of mqm or broker group previously?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
zpat
Posted: Thu May 15, 2014 7:27 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK

Don't worry about restricting access to the commands.
Set up a userid that is not in the mqm group, but is a member of another group.
Grant that other group display access to the various MQ objects you want to be able to display, using setmqaut commands.
It will also need connect authority to the queue manager.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
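The display-only setup zpat describes, as an added shell example that is not from the thread or from IBM: it prints (and, where setmqaut is installed, runs) the setmqaut commands for a queue manager and a non-mqm group. The queue manager name QM1, the group name mqread and the exact object-authority set are my assumptions; the grants on SYSTEM.ADMIN.COMMAND.QUEUE and SYSTEM.MQSC.REPLY.QUEUE are what runmqsc needs to get its commands to the command server and read the replies, and +dsp without +ctrl, +chg, +crt or +dlt on channels is what makes START, STOP and DEFINE CHANNEL fail while DISPLAY still works.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the setmqaut commands that give a
# non-mqm group display-only use of runmqsc. Queue manager name, group name and
# the authority set are assumptions; check them against your MQ version's
# documentation with dspmqaut after applying.

# Print the commands for a queue manager ($1) and a group ($2).
display_only_auths() {
    qm=$1
    grp=$2
    # Connect to the queue manager and inquire/display its attributes.
    echo "setmqaut -m $qm -t qmgr -g $grp +connect +inq +dsp"
    # runmqsc puts each MQSC command on the command server's input queue ...
    echo "setmqaut -m $qm -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -g $grp +put +dsp"
    # ... and reads the replies from a dynamic queue built on this model queue
    # (dynamic queues inherit the model queue's authorities).
    echo "setmqaut -m $qm -t queue -n SYSTEM.MQSC.REPLY.QUEUE -g $grp +get +dsp"
    # Display-only on every channel and queue: no +ctrl, +chg, +crt or +dlt, so
    # START/STOP/DEFINE CHANNEL are refused by the command server.
    echo "setmqaut -m $qm -t channel -n '**' -g $grp +dsp"
    echo "setmqaut -m $qm -t queue -n '**' -g $grp +dsp"
}

# Number of +ctrl grants in the generated set; +ctrl is the channel authority
# that would permit START/STOP CHANNEL, so for display-only this must be 0.
count_ctrl_grants() {
    display_only_auths "$1" "$2" | grep -c '+ctrl' || true
}

# Run the commands when setmqaut is on PATH, otherwise just show them (dry run).
apply_auths() {
    if command -v setmqaut >/dev/null 2>&1; then
        display_only_auths "$1" "$2" | sh
        # Confirm what the command server will actually see for channels.
        dspmqaut -m "$1" -t channel -n '**' -g "$2"
    else
        echo "# setmqaut not found, dry run:"
        display_only_auths "$1" "$2"
    fi
}

apply_auths "${1:-QM1}" "${2:-mqread}"
```

Run it as a user in the mqm group (setmqaut is itself an administrative command), then test with the restricted id, not with sudo -u mqm: anything run under the mqm id bypasses these grants entirely. The restricted id also needs OS execute permission on /usr/mqm/bin/runmqsc, which is a separate question from the MQ object authorities.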
mqlover
Posted: Wed May 21, 2014 7:52 pm Post subject:
Disciple
Joined: 25 Jul 2010 Posts: 176

I got a userid created which is a non-mqm user id, i.e. it does not have any MQ privileges.
I got it included into the sudoers file as I was not able to perform
runmqsc <qmgrname>
Now I can run as sudo -u mqm runmqsc <qmgrname>
Using setmqaut I have given permission to connect to the qmgr, but I see that I am able to perform all the operations like start and stop the channels etc.
I have removed the permission for channels.
I don't know how I am still able to perform all the operations even though I have just given "connect" permission
PaulClarke
Posted: Wed May 21, 2014 8:12 pm Post subject:
Grand Master
Joined: 17 Nov 2005 Posts: 1002 Location: New Zealand

RUNMQSC is a setuid program, which means that when it runs it effectively runs with 'mqm' authority; this can make it tricky to allow lower levels of authority.
I've not tried it but there are these instructions here:
http://www-01.ibm.com/support/docview.wss?uid=swg21027203
Alternatively you could use a program like my MO72 SupportPac or the MQSCX product. These programs are not setuid programs and are just normal MQI programs capable of running either locally connected or over a client connection. Consequently the MQ authorities work the same as for any other application of that type and limiting the authorities by the user running the program works as expected.
Regards,
Paul.
_________________
Paul Clarke
MQGem Software
www.mqgem.com
PeterPotkay
Posted: Thu May 22, 2014 3:17 am Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722

mqlover wrote:
    Now I can run as sudo -u mqm runmqsc <qmgrname>
    Using setmqaut I have given permission to connect to the qmgr, but I see that I am able to perform all the operations like start and stop the channels etc.
You are running the program as mqm because you switched to the mqm ID. The mqm ID and any other IDs in the mqm group have 100% access to all the MQ objects in runmqsc, and you can't add or subtract any permissions for them.
_________________
Peter Potkay
Keep Calm and MQ On
Vitor
Posted: Thu May 22, 2014 4:50 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

mqlover wrote:
    I don't know how I am still able to perform all the operations even though I have just given "connect" permission
Because you used sudo to switch from your id to the mqm id when you ran runmqsc. So whatever permissions you have are irrelevant.
Note you don't need to be mqm to run the runmqsc application. It's just very very hard to do anything with it without.
So you could use sudo -u pingo runmqsc and it would work (assuming pingo has OS access to runmqsc) & run with whatever authorities the pingo id has.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqlover
Posted: Thu May 22, 2014 6:56 pm Post subject:
Disciple
Joined: 25 Jul 2010 Posts: 176

The runmqsc command below has permission:
ls -l /usr/bin/runmqsc
lrwxrwxrwx 1 root system 20 Feb 22 2012 /usr/bin/runmqsc -> /usr/mqm/bin/runmqsc
I tried doing runmqsc using the non-mqm user id but got the below error:
sudo -u nonmqmid runmqsc <qmgrName>
Sorry, user nonmqmid is not allowed to execute '/usr/bin/runmqsc <qmgrName>'
Kindly need your guidance on how to proceed with this kind of setup.
PeterPotkay
Posted: Fri May 23, 2014 2:55 am Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722

Read what PaulClarke wrote, including the link he provided.
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper
Posted: Fri May 23, 2014 7:22 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

mqlover wrote:
    The runmqsc command below has permission:
    ls -l /usr/bin/runmqsc
    lrwxrwxrwx 1 root system 20 Feb 22 2012 /usr/bin/runmqsc -> /usr/mqm/bin/runmqsc
    I tried doing runmqsc using the non-mqm user id but got the below error:
    sudo -u nonmqmid runmqsc <qmgrName>
    Sorry, user nonmqmid is not allowed to execute '/usr/bin/runmqsc <qmgrName>'
    Kindly need your guidance on how to proceed with this kind of setup.
You're forgetting that the link permissions do not reflect the actual permissions.
Have fun
_________________
MQ & Broker admin
mqlover
Posted: Mon May 26, 2014 7:49 pm Post subject:
Disciple
Joined: 25 Jul 2010 Posts: 176

Thanks for the suggestions.
As mentioned, the actual location of runmqsc has the following permission:
ls -l /usr/mqm/bin/runmqsc
-r-sr-s--x 1 mqm mqm 16786 Oct 15 2011 /usr/mqm/bin/runmqsc
Well, as mentioned in the link shared by PaulClarke, it says to execute chmod +r AMQCLCHL.TAB and chmod +r AMQRSYNA.DAT. Should this be executed as mqm or nonmqmid?
It currently has the permission:
-rw-rw---- 1 mqm mqm 2042 Feb 22 2012 AMQCLCHL.TAB
-rw-rw---- 1 mqm mqm 9264 Apr 06 20:12 AMQRSYNA.DAT
Whatever I do, I am not able to execute "runmqsc <qmgrname>" from a nonmqmid.
So need guidance as well.
Thanks in advance
fjb_saper
Posted: Tue May 27, 2014 4:42 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

Possibly because as a non-mqm id you have execute without read?
The permissions should probably be r-sr-sr-x....
Have fun
_________________
MQ & Broker admin