Author |
Message
|
GregJ |
Posted: Tue Aug 20, 2002 6:15 am Post subject: Read only UNIX account with MQ Access |
|
|
Acolyte
Joined: 24 Oct 2001 Posts: 69 Location: Markham, On. Canada
|
Hi, I'm not too familiar with UNIX so forgive me if this is a stupid question.
I need to have a UNIX account that has only read access in the UNIX system. I do however need this account to be able to fully administer MQSeries (start stop channels, qmgrs etc...)
The problem is due to another group at the office who is responsible for MQSeries administration, well they keep screwing with our crons. We want them to keep administering MQ - but leave the rest alone.
Do I just create a read only unix account and add it to the MQM group;
or is there another (more secure) way? I know there is setmqauth, but I don't know how to use it.
Thanks in advance |
|
vennela |
Posted: Tue Aug 20, 2002 12:14 pm Post subject: |
|
|
 Jedi Knight
Joined: 11 Aug 2002 Posts: 4055 Location: Hyderabad, India
|
Greg
You can't administer with just read permissions. You need to have executable permissions. If you want to use a command like "runmqlsr" and if you don't have the execute permissions to that executable then it throws an error.
You better try giving read and execute permissions to that user. However you can limit the permissions (exec permissions) to a few needed executables (pertaining to MQ).
Even if you set permissions using setmqauth you need to have execute permissions.
Venny |
|
bduncan |
Posted: Tue Aug 20, 2002 4:50 pm Post subject: |
|
|
Padawan
Joined: 11 Apr 2001 Posts: 1554 Location: Silicon Valley
|
It seems that they should only be able to "screw" with the cron jobs associated with the user they are logged in as. Perhaps you should migrate all MQ-related cron jobs to the mqm user, and any others to root?
_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator |
|
GregJ |
Posted: Tue Aug 20, 2002 5:31 pm Post subject: |
|
|
Acolyte
Joined: 24 Oct 2001 Posts: 69 Location: Markham, On. Canada
|
Would they need exe permissions to just start and stop channels and empty the odd queue here and there?
They are logging in as mqm currently
...And thanks for your reply |
|
vennela |
Posted: Tue Aug 20, 2002 6:33 pm Post subject: |
|
|
 Jedi Knight
Joined: 11 Aug 2002 Posts: 4055 Location: Hyderabad, India
|
Yes, you do need exe permissions even to start or stop a QM. |
|
dgolding |
Posted: Tue Aug 20, 2002 9:52 pm Post subject: |
|
|
 Yatiri
Joined: 16 May 2001 Posts: 668 Location: Switzerland
|
Greg
If your users are logged in as mqm (or part of the mqm group) you should find they have NO special privilege outside of the /var/mqm and /opt/mqm directories. Removing execute rights for mqm can be dangerous as the queue manager needs to start jobs - e.g. trigger monitor and channel initiator processes.
As for cron, as Brandon points out, they should only be able to change "mqm"-owned cron jobs.
"Adjusting" permissions on directories and executables in the mqm directory can lead to a lot of grief.
HTH
regards
Don |
|
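The point made in the last reply, that an mqm login has no special privilege outside /var/mqm and /opt/mqm and can only change mqm-owned cron jobs, can be checked rather than assumed. The following is an added example, not part of the thread: the function name `audit_writable` and its arguments are hypothetical, and it looks at permission bits only.

```shell
#!/bin/sh
# Added example (not from the thread). Lists files and directories under
# ROOT that USER or GROUP can modify according to the permission bits,
# skipping anything under the ALLOWED_PREFIX arguments.
# ACLs and sudo rules are not examined.
#
# Usage: audit_writable USER GROUP ROOT [ALLOWED_PREFIX...]
# e.g.   audit_writable mqm mqm / /var/mqm /opt/mqm     (run as root)
# Point ROOT at the system's crontab spool directory to see which
# crontab files the account can change.
audit_writable() {
    user=$1 group=$2 root=$3
    shift 3
    # 0200 = owner write, 0020 = group write, 0002 = world write.
    # Symlinks are left out: their own mode bits carry no meaning.
    find "$root" \( -type f -o -type d \) \
        \( \( -user "$user" -perm -0200 \) \
           -o \( -group "$group" -perm -0020 \) \
           -o -perm -0002 \) -print |
    while IFS= read -r path; do
        skip=0
        for allowed in "$@"; do
            case $path in
                "$allowed" | "$allowed"/*) skip=1 ;;
            esac
        done
        if [ "$skip" -eq 0 ]; then
            printf '%s\n' "$path"
        fi
    done | sort
}
```

Anything it prints outside the MQ directories is something the MQ administrators can change while logged in as mqm; world-writable locations such as temporary directories will show up as well and are expected.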