pfarrel (Centurion; Joined: 16 Mar 2004; Posts: 120; Location: Kansas City)
Posted: Thu Mar 23, 2006 6:12 am | Post subject: MQ V6 Explorer Security Issues

I have been testing the MQ V6 Explorer Eclipse Administration Tool, and I have discovered what appear to be some security issues. I have MQ V6 installed on Windows/2000 server with MQ at the 6.0.1.0 level.
These issues include:
- not being able to display all queues if not in the mqm group.
- Being able to issue start/stop on a channel when not in the mqm group, and +ctrl not granted to user.
Has anyone uncovered any problems of a similar nature? Are there any known security problems with the V6 Explorer?
Thanks!

msantos007 (Voyager; Joined: 20 Dec 2004; Posts: 78)
Posted: Thu Mar 23, 2006 7:37 am

If you are not in the mqm group, you're not supposed to do these things. You don't have any administrative permissions. It's not a bug.
_________________
Maximiliano R. A. Santos
IBM WebSphere MQ V6.0 Certified System Administrator
IBM WebSphere MQ V5.3 Certified Solution Developer

pfarrel (Centurion; Joined: 16 Mar 2004; Posts: 120; Location: Kansas City)
Posted: Thu Mar 23, 2006 10:14 am

I believe that the Explorer was for use only by users in the mqm group in MQ V5, but not so in MQ V6. The MQ V6 System Administration Guide manual states this (chapter 7, page 84). It says that any user can use the WebSphere MQ Explorer, and that you need to grant some permissions. The permissions that you need if you are not in the mqm group are laid out in some detail.

msantos007 (Voyager; Joined: 20 Dec 2004; Posts: 78)
Posted: Thu Mar 23, 2006 11:31 am

OK...
I'll try to explain it:
In the Windows/UNIX/Linux versions, all users in the mqm group are MQ administrators; they have administrative privileges on MQ. It doesn't mean that all MQ administrators must be in the mqm group. Every single group or user that has the administrative permissions given by the OAM is able to administer MQ. But if you don't have any permissions given by the OAM and you're not in the mqm group, you can't even connect to a queue manager. On Windows systems, the Administrators and the Domain Administrators (domain mqm too) groups are also allowed to administer MQ.
If you want to give permissions to a user to do anything, look for the commands setmqaut and dspmqaut (System Administration Guide).

pfarrel (Centurion; Joined: 16 Mar 2004; Posts: 120; Location: Kansas City)
Posted: Thu Mar 23, 2006 12:19 pm

Yes, I have done that.
I have used the setmqaut command to provide all the necessary authorizations to a user who is not in the mqm group, in order to allow that user to use MQ Explorer. The required authorizations for a user who is not in the mqm group are itemized in the System Administration Guide.
My point is, it is not working as documented.
For example, if I give a user permission to look at the channels, using a command such as:
setmqaut -m QMGR1 -t channel -n ** -p user1 +dsp
Then the user can also start a channel, even though they are not given +ctrl authority.
It appears to be a defect.

msantos007 (Voyager; Joined: 20 Dec 2004; Posts: 78)
Posted: Thu Mar 23, 2006 12:22 pm

Have you tried giving the authorization +alladmin +allmqi?

pfarrel (Centurion; Joined: 16 Mar 2004; Posts: 120; Location: Kansas City)
Posted: Fri Mar 24, 2006 4:29 am

Good suggestion, but what I really want is for this user to be able to display, but not make any changes.
Those users that can make changes will be in the mqm group. I have a group of application support people who really need display/browse capability, but should not have full admin rights.
I haven't discovered how to give display only, without them getting additional authorizations. I am thinking that there may be a defect if the user can start a channel with only +dsp permission and is not in any of the groups.

msantos007 (Voyager; Joined: 20 Dec 2004; Posts: 78)
Posted: Fri Mar 24, 2006 4:38 am

You could give them the following permissions:
+inq -set +connect
This means that they are able to inquire on the object attributes, they will not be able to set object attributes, and you can set the permissions for the other MQI calls.
But remember, you will have to set these permissions on every single object in each queue manager.

wschutz (Jedi Knight; Joined: 02 Jun 2005; Posts: 3316; Location: IBM (retired))
Posted: Fri Mar 24, 2006 4:41 am

Quote:
    These issues include:
    - not being able to display all queues if not in the mqm group.
    - Being able to issue start/stop on a channel when not in the mqm group, and +ctrl not granted to user.

Well, the first issue seems like it could be okay, since the user might not have +dsp authority to a given queue. Are you saying they have +dsp and the queue isn't being displayed, or the other way around?
Issue #2 is a problem, imho.
Is this a local qmgr or connect via qm client channel?
_________________
-wayne

pfarrel (Centurion; Joined: 16 Mar 2004; Posts: 120; Location: Kansas City)
Posted: Fri Mar 24, 2006 6:50 am

I have granted a user display to all queues with the following:
setmqaut -m QMGR1 -t q -n ** -p user1 +dsp +inq +browse
However, this does not permit him to look at the queue list in Explorer.
He sees no queues at all.
On the second point, I have granted only +dsp access to the channels, using the following:
setmqaut -m QMGR1 -t channel -n ** -p user1 +dsp
A display of a selected channel shows that this has been granted, as follows:
D:\>dspmqaut -m QMGR1 -n QMGR1.QMGR2 -t channel -p user1
Entity user1 has the following authorizations for object QMGR1.QMGR2 :
dsp
And yet, with only +dsp authority, he can issue a start for the channel, and the channel does start.

wschutz (Jedi Knight; Joined: 02 Jun 2005; Posts: 3316; Location: IBM (retired))
Posted: Fri Mar 24, 2006 7:31 am

Quote:
    Is this a local qmgr or connect via qm client channel?

pfarrel (Centurion; Joined: 16 Mar 2004; Posts: 120; Location: Kansas City)
Posted: Fri Mar 24, 2006 8:47 am

I have tested with both scenarios.
The problem appears to be the same either way.

msantos007 (Voyager; Joined: 20 Dec 2004; Posts: 78)
Posted: Fri Mar 24, 2006 9:04 am

What about permission to connect to the queue manager?

pfarrel (Centurion; Joined: 16 Mar 2004; Posts: 120; Location: Kansas City)
Posted: Fri Mar 24, 2006 10:07 am

I have provided permission to connect to the queue manager.
Here are all the permissions that I used. User named user1 is not in the mqm group on the server where queue manager QMGR1 runs. I am trying to get user1 to have enough authority to look at the objects in the queue manager, but not change anything:
setmqaut -m QMGR1 -t qmgr -p user1 +connect +inq +dsp
setmqaut -m QMGR1 -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p user1 +get +browse +inq
setmqaut -m QMGR1 -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p user1 +get +browse +inq +put
setmqaut -m QMGR1 -t channel -n ** -p user1 +dsp
setmqaut -m QMGR1 -t q -n ** -p user1 +dsp +inq +browse
setmqaut -m QMGR1 -t q -n SYSTEM.MQEXPLORER.** -p user1 +all
setmqaut -m QMGR1 -t prcs -n ** -p user1 +dsp
setmqaut -m QMGR1 -t listener -n ** -p user1 +dsp
setmqaut -m QMGR1 -t clntconn -n ** -p user1 +dsp
setmqaut -m QMGR1 -t service -n ** -p user1 +dsp
setmqaut -m QMGR1 -t nl -n ** -p user1 +dsp
setmqaut -m QMGR1 -t authinfo -n ** -p user1 +dsp
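The grant list above, together with the dspmqaut report earlier in the thread, can be turned into a repeatable check. The script below is an added example written for this page; it is not code from the posters or from IBM. It generates the generic "**" setmqaut grants for an assumed display-only profile (the qmgr, queue, channel, process, listener, client-connection, service, namelist and authinfo grants from the post above; the SYSTEM.* per-queue grants in that post are applied separately), parses dspmqaut output, and flags any recorded authority beyond that profile. The MUTATING keyword set and the sample dspmqaut text are assumptions constructed for the example, not output captured from a real queue manager. What it proves is limited to what the OAM has recorded for user1, which is exactly what the dspmqaut line in the thread already showed; whether Explorer lets user1 start a channel regardless still has to be tested against the queue manager, as the poster did.

```python
"""Display-only IBM MQ authorities: generate the setmqaut grants and audit dspmqaut output.

Added example for this thread, not code from the posters or from IBM. READ_ONLY_PROFILE is
an assumption that mirrors the generic '**' grants in the post above; the SYSTEM.* per-queue
grants from that post are applied separately. MUTATING and SAMPLE_DSPMQAUT are assumed /
constructed for the example, not captured from a real queue manager.
"""
import re

# Assumed display-only profile, keyed by setmqaut object type (-t), listing the
# authorization keywords the display-only user gets on every object of that type.
READ_ONLY_PROFILE = {
    "qmgr": ("connect", "inq", "dsp"),
    "q": ("dsp", "inq", "browse"),
    "channel": ("dsp",),
    "prcs": ("dsp",),
    "listener": ("dsp",),
    "clntconn": ("dsp",),
    "service": ("dsp",),
    "nl": ("dsp",),
    "authinfo": ("dsp",),
}

# Authorities that change object state, data or authority records. A display-only
# principal should hold none of these (assumed list of setmqaut keywords).
MUTATING = {"ctrl", "ctrlx", "set", "setall", "setid", "put", "chg", "clr",
            "crt", "dlt", "passall", "passid", "altusr"}

# Matches the header line of a dspmqaut report, e.g.
# "Entity user1 has the following authorizations for object QMGR1.QMGR2 :"
ENTITY_RE = re.compile(
    r"^Entity\s+(\S+)\s+has the following authorizations for object\s+(\S+)\s*:")


def grant_commands(qmgr, principal, profile=READ_ONLY_PROFILE, quote=True):
    """Return the setmqaut command lines that grant exactly the profile.

    quote=True single-quotes the generic name '**' so a POSIX shell does not glob it
    into file names; use quote=False on Windows cmd.exe, where the quotes would be
    passed through to setmqaut as part of the object name.
    """
    generic = "'**'" if quote else "**"
    cmds = []
    for objtype, auths in profile.items():
        flags = " ".join("+" + a for a in auths)
        if objtype == "qmgr":
            # The queue manager object takes no -n; its name is the -m value.
            cmds.append(f"setmqaut -m {qmgr} -t qmgr -p {principal} {flags}")
        else:
            cmds.append(f"setmqaut -m {qmgr} -t {objtype} -n {generic} -p {principal} {flags}")
    return cmds


def parse_dspmqaut(text):
    """Parse one or more concatenated dspmqaut reports into {object_name: set(keywords)}.

    Keyword lines follow the 'Entity ...' header (one or several keywords per line);
    the keyword 'none' is treated as an empty set.
    """
    reports = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTITY_RE.match(line)
        if m:
            current = m.group(2)
            reports[current] = set()
        elif current is not None and line:
            reports[current].update(t for t in line.split() if t != "none")
    return reports


def audit(reports, objtype, profile=READ_ONLY_PROFILE):
    """Return {object_name: sorted excess keywords} for objects whose recorded
    authorities exceed the profile for that object type. An empty dict means the
    OAM records match the display-only profile."""
    allowed = set(profile[objtype])
    return {obj: sorted(auths - allowed)
            for obj, auths in reports.items() if auths - allowed}


def is_mutating(keywords):
    """True if any keyword lets the principal change state, data or authorities."""
    return bool(set(keywords) & MUTATING)


# Constructed sample: two channel reports for user1, the second with an extra +ctrl.
SAMPLE_DSPMQAUT = """\
Entity user1 has the following authorizations for object QMGR1.QMGR2 :
        dsp
Entity user1 has the following authorizations for object QMGR1.QMGR3 :
        dsp
        ctrl
"""

if __name__ == "__main__":
    for cmd in grant_commands("QMGR1", "user1"):
        print(cmd)
    for obj, excess in audit(parse_dspmqaut(SAMPLE_DSPMQAUT), "channel").items():
        severity = "MUTATING" if is_mutating(excess) else "extra"
        print(f"{obj}: {severity} authorities beyond display-only: {', '.join(excess)}")
```

Feed the script the concatenated output of one dspmqaut call per object you care about (the object types whose excess you want to see), run audit for each object type, and treat any MUTATING finding as a grant to revoke with setmqaut before the user is let near Explorer. The quoting of "**" matters in practice: the thread's commands were typed at a D:\> prompt, where the bare "**" is fine, but the same line pasted into a POSIX shell would glob it against the current directory.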

msantos007 (Voyager; Joined: 20 Dec 2004; Posts: 78)
Posted: Fri Mar 24, 2006 10:12 am

You will have to set the user as user1@server or server\user1.
If you don't, MQ will try to authenticate it on its current server.