MQSeries.net Forum » General IBM MQ Support
UNIX file and directory permissions.
Author: tillywern
Posted: Wed Jan 04, 2006 1:33 pm
Subject: UNIX file and directory permissions.
OK, I Googled the whole site and only found this
http://www.mqseries.net/phpBB2/viewtopic.php?t=956&sid=37d545b07f1ce4256cb748caa2f0d6f2
from a while back.

My client's security team is going crazy over the liberal access granted to "world" on directories and files under /var/mqm and /opt/mqm.

My first take was that it was more of an install issue. When the mqm user ID is created, the umask is set in the default profile of the shell being used. As the product is installed, this umask is used for all file and directory creation.

If this is true, then IBM does not attempt to directly control file and directory permissions, and the product installer needs to know what they are doing during setup to change the umask. A glance through "Quick Beginnings" does talk about the need for user/group to be mqm/mqm but does not, in the same place, discuss file/directory permissions.

The alternative to umask control is that during the installation IBM tightly controls file and directory permissions and ownership. If this is the case then we have to wonder why world needs so much access to files held deep in the product implementation tree.

A quick glance at a current install on Solaris shows that file/directory permissions for world are in line with our current umask of 0022.

Any other insight or experience in the area would be helpful. I apologize if this is a dupe post.
Author: jefflowrey
Posted: Wed Jan 04, 2006 2:14 pm
What about users who have been setmqaut'ed but are not in mqm? How are they going to link against shared libraries if they don't have permissions to the library files?

If you really need an exact, explicit, fully detailed list of the minimum necessary permissions for every file and directory in /opt/mqm and /var/mqm/, then open a PMR.
Author: tillywern
Posted: Wed Jan 04, 2006 2:31 pm
Subject: I can concede for /opt/mqm
I think we understand why files in the /opt/mqm file system have these types of permissions.

I think the issue is more around why /var/mqm/qmgrs/QMGRNAME/qm.ini is readable by world.

At least "/var/mqm/qmgrs/QMGRNAME/queues/QUEUENAME/q" file grants nothing to the world. This precludes an intruder from getting a copy of that file and the messages on the queue.

My client will be opening a PMR for this. I am arguing that changing permissions on these directories could impact the support agreement with IBM. But you know... there is no reasoning with security folk.

We could turn the machine off. Then it would be secure. But this would probably pose a performance issue.

I just thought to try this venue first.
Author: mqtypo
Posted: Thu Jan 05, 2006 1:17 am
qm.ini has to be readable by apps run by any user, i.e., the apps need to read qmgr attributes.
The q file is only read by qmgr processes, so it does not need permissions for other.
Author: mvic
Posted: Wed Jan 11, 2006 3:22 am
Subject: Re: I can concede for /opt/mqm
tillywern wrote:
    My client will be opening a PMR for this. I am arguing that changing permissions on these directories could impact the support agreement with IBM.

This issue has been raised with Support many times in the past. It turns out there are technical justifications (which Support should supply if you press them) for each and every point of the security policy. An example is the qm.ini file, which mqtypo mentioned - all apps need to be able to read this, and the only way to enable this on *ix platforms is to grant o+r.

*ix systems have a very coarse security granularity - user, group, other. This is the root cause of the problem here - and it seems likely to me that all other enterprise multiuser software would be in the same position (haven't made a study of that though). MQ itself gives a more granular security model than the file system - but this isn't of much comfort to a *ix systems security manager I guess.
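The thread's practical question is which "other" bits under /var/mqm are actually a problem. The script below is an added example and is not from the thread, from IBM or from MQSeries.net: a POSIX shell audit that separates the two cases the posters distinguish, world-writable anything (never needed) and a world-readable queue data file (never needed), while leaving the world-readable qm.ini and shared libraries that mqtypo and mvic explain non-mqm applications depend on. It works on a constructed tree that only mimics the /var/mqm layout; the names QM1, Q1 and libmqm.so, and the 770/660 modes on the queue directory and its q file, are assumptions, not a statement of what IBM's installer sets. Modes are read from `ls -ld` rather than `stat` so the same script runs on Solaris and Linux.

```shell
#!/bin/sh
# Added example, not the thread's or IBM's code. Audits the "other" permission
# bits in an MQ-style tree. The tree is CONSTRUCTED with mkdir/touch to mimic
# /var/mqm; the modes on the queue directory and q file (770/660) are assumed.

# rwx bits granted to "other" for one path, taken from characters 8-10 of the
# ls -ld mode string (portable across Solaris, AIX, Linux; stat's flags are not).
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Build a mock tree under $1 as an installer running with umask $2 would:
# every entry inherits the umask, except the queue data file and its
# directory, which the queue manager creates for mqm only (assumed 770/660).
build_mock_tree() {
    root=$1
    saved=$(umask)
    umask "$2"
    mkdir -p "$root/qmgrs/QM1/queues/Q1" "$root/lib"
    : > "$root/qmgrs/QM1/qm.ini"          # read by every connecting app
    : > "$root/lib/libmqm.so"             # linked by every connecting app
    : > "$root/qmgrs/QM1/queues/Q1/q"     # message data: mqm only
    chmod 770 "$root/qmgrs/QM1/queues/Q1"
    chmod 660 "$root/qmgrs/QM1/queues/Q1/q"
    umask "$saved"
}

# Number of entries (symlinks ignored) that "other" may write. Must be 0.
world_writable_count() {
    find "$1" ! -type l -perm -002 | wc -l | tr -d ' '
}

# Number of queue data files that "other" may read. Must be 0; a non-zero
# result means an intruder could copy the messages on that queue.
world_readable_q_count() {
    find "$1" -type f -name q -perm -004 | wc -l | tr -d ' '
}

# Remediation equivalent to a umask-0022 install: drop only the write bit
# for "other", so o+r on qm.ini and the libraries survives.
strip_world_write() {
    find "$1" ! -type l -perm -002 -exec chmod o-w {} +
}

# Demonstration on a temporary tree installed with a sloppy umask of 000.
demo() {
    tmp=$(mktemp -d)
    build_mock_tree "$tmp/mqm" 000
    printf 'before: %s world-writable entries\n' "$(world_writable_count "$tmp/mqm")"
    strip_world_write "$tmp/mqm"
    printf 'after:  %s world-writable entries\n' "$(world_writable_count "$tmp/mqm")"
    printf 'qm.ini other bits: %s\n' "$(other_bits "$tmp/mqm/qmgrs/QM1/qm.ini")"
    printf 'q file other bits: %s\n' "$(other_bits "$tmp/mqm/qmgrs/QM1/queues/Q1/q")"
    printf 'world-readable q files: %s\n' "$(world_readable_q_count "$tmp/mqm")"
    rm -rf "$tmp"
}
demo
```

Run against a real installation, point `world_writable_count` and `world_readable_q_count` at /var/mqm and /opt/mqm; a umask-0022 install returns 0 for both while qm.ini still shows `r--` for other, which is the state the thread describes as expected. Apply `strip_world_write` to a live system only after raising the PMR the posters mention, since it changes modes the product installed.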
Copyright © MQSeries.net. All rights reserved.