albin |
Posted: Fri Sep 29, 2006 4:09 am Post subject: Trace node - Unix file permission |
Newbie
Joined: 13 Oct 2004 Posts: 6
Hello,
In our message flows we have trace nodes for reporting exceptions and they have been defined to write exception errors and message information to external unix files.
The message flows are working fine and in case of exceptions the trace files are being created successfully with exactly the information we want.
Here is an example of a trace file that is created in the trace node:
-rw-rw---- 1 pmb90 mqbrkrs 32455 Sep 18 11:45 ExceptionError.log
We have an issue with the file permissions:
Message Broker always creates the files with permission 660 (-rw-rw----) which means that only the Broker ID and members of mqbrkrs group have access to read these files. We want to provide access to our support people so they can read these files and act based on the content.
Because of security concerns we don't want to include these users in the mqbrkrs group. All we want is to have Message Broker assign a permission that allows everybody to read these trace files (e.g. Unix permission 664).
On the IBM website I found something related to this issue but the answer is not helpful:
http://www-1.ibm.com/support/docview.wss?rs=0&q1=mqbrkrs+unix+trace+node&uid=swg21179963&loc=en_US&cs=utf-8&cc=us&lang=en
We are running Message Broker version 6.0 on AIX 5.3 server
Any idea how to do it?
Thanks,
Albin
jefflowrey |
Posted: Fri Sep 29, 2006 4:12 am Post subject: |
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
And running chmod on the created trace file doesn't work?
_________________
I am *not* the model of the modern major general.
wschutz |
Posted: Fri Sep 29, 2006 4:20 am Post subject: |
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
Isn't "umask" in effect?
_________________
-wayne
albin |
Posted: Fri Sep 29, 2006 6:12 am Post subject: |
Newbie
Joined: 13 Oct 2004 Posts: 6
I missed one piece of information:
Every day at 4:00 AM we have a job that stops the Broker, backs up all DB2 databases (Broker DB and other business related databases), moves the log files to a backup place, cleans up the log folder and starts the broker again.
We have checked the umask for the Broker Id (umask = 22) and actually tested creating a new file with this id under the same log folder to verify that the file has the read permission open to everybody.
Since the Broker starts again and the log folder is empty, only when an exception is found the trace file gets created and Message Broker always assigns permission 660 to this file.
Of course we considered changing the permission manually using chmod but there are reasons why we decided not to do it:
- IBM does not recommend doing it because it may cause an error in the Message Broker and we cannot stop processing inbound messages
- We need someone (or a job) with the right Unix authority to run the chmod command on these files and we don't know when an exception is going to happen and a trace file has been created to run the chmod command.
Thanks
Albin
jefflowrey |
Posted: Fri Sep 29, 2006 7:58 am Post subject: |
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
You should look at sticky bits.
_________________
I am *not* the model of the modern major general.
albin |
Posted: Tue Oct 03, 2006 11:55 am Post subject: |
Newbie
Joined: 13 Oct 2004 Posts: 6
I wanted to share IBM's answer to this case:
IBM says that "the Files generated by trace nodes are mainly meant for developer debugging / informational purposes which is why they are created with read-write permissions for the owner and groups. There is no way you can modify this as the file itself is created with those permissions. If you would want other users who are not members of mqbrkrs to access these, you can write a cron job which will modify the permissions on a periodic basis. Or you can write the trace entries to the User Log which I presume that your admin has made available to be accessed by all."
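The two mechanisms discussed in this thread, as an added example that is not part of any post and is not Message Broker code: `created_mode` shows that a new file's permissions are the mode requested at creation with the creating process's own umask bits cleared, so a umask of 022 can produce 640 or 644 but never 660; `grant_other_read` is one way to write a single pass of the periodic job IBM suggests. The function names and the temporary sample file are assumptions made for the illustration.

```python
import os
import stat
import tempfile


def created_mode(requested, process_umask):
    """Create a file via open(2) with mode `requested` under `process_umask`
    and return the permission bits it ends up with."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ExceptionError.log")  # constructed sample file
        old = os.umask(process_umask)
        try:
            os.close(os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, requested))
        finally:
            os.umask(old)  # restore the caller's umask
        return stat.S_IMODE(os.stat(path).st_mode)


def grant_other_read(directory):
    """One pass of a periodic job: add other-read to regular files in
    `directory`, leaving every other permission bit as it was."""
    changed = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue  # ignore symlinks, directories, FIFOs
        # O_NOFOLLOW + fchmod: act on the inode we inspected, never a swapped-in link
        fd = os.open(entry.path, os.O_RDONLY | os.O_NOFOLLOW)
        try:
            st = os.fstat(fd)
            if stat.S_ISREG(st.st_mode) and not st.st_mode & stat.S_IROTH:
                os.fchmod(fd, stat.S_IMODE(st.st_mode) | stat.S_IROTH)
                changed.append(entry.name)
        finally:
            os.close(fd)
    return sorted(changed)


if __name__ == "__main__":
    for req, um in [(0o666, 0o022), (0o660, 0o022), (0o660, 0o007)]:
        print(f"requested {req:o}, umask {um:03o} -> {created_mode(req, um):o}")
```

The job has to run as the file owner or as root, and it only ever sets the other-read bit, so owner and group permissions stay as the broker created them.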