abiondo |
Posted: Tue Jan 15, 2008 2:50 pm Post subject: Allowing access to SYSTEM.DEFAULT.MODEL.QUEUE |
|
|
 Novice
Joined: 30 Aug 2007 Posts: 21 Location: Philadelphia, PA
|
Our developer is asking for access to the SYSTEM.DEFAULT.MODEL.QUEUE and possibly SYSTEM.ADMIN.COMMAND.QUEUE for an application he has written. I am wondering if there are any security concerns to allowing this access. He is writing a tool for people in the business to retrieve queue names, and monitor what is on the queue.
Any insight you can provide would be much appreciated.
thanks,
Anthony
_________________
Anthony J Biondo Jr
Manager, Web Services
AmeriHealth Mercy |
|
jefflowrey |
Posted: Tue Jan 15, 2008 2:57 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
You'll want to closely scope the user ids that are being authorized from MQ, or tightly audit the code he's written, to ensure that it doesn't allow anonymous full administrative access to the qmgr.
_________________
I am *not* the model of the modern major general. |
|
abiondo |
Posted: Tue Jan 15, 2008 3:01 pm Post subject: |
|
|
 Novice
Joined: 30 Aug 2007 Posts: 21 Location: Philadelphia, PA
|
If I just open the two queues with the following permissions will that allow a lot of harm? I haven't really used PCF messages so I am not sure what they can be used for.
setmqaut -m TESTQM -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -g mqmon +dsp +inq +put
setmqaut -m TESTQM -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -g mqmon +dsp +inq +get
_________________
Anthony J Biondo Jr
Manager, Web Services
AmeriHealth Mercy |
|
jefflowrey |
Posted: Tue Jan 15, 2008 4:06 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
PCF messages can do most everything to a queue manager, that you can do with MQSC.
Like delete queues or channels or etc.
_________________
I am *not* the model of the modern major general. |
|
manicminer |
Posted: Wed Jan 16, 2008 1:28 am Post subject: |
|
|
 Disciple
Joined: 11 Jul 2007 Posts: 177
|
The MQ Explorer uses PCF messages for all its communication with remote queue managers. If you allow full access to the admin command queue, the application will be able to do anything that the MQ Explorer does.
As of V6 this also includes Security PCF messages (as used by the OAM plug-in that was released in 6.0.2.0), so with security access to that queue a rogue app could then provide themselves with access to anything else they felt like.
|
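An added example, not part of the original thread and not IBM tooling: a Python check that scans a script of setmqaut commands for grants that let a group other than an allowlisted admin group put messages to SYSTEM.ADMIN.COMMAND.QUEUE, the concern raised in the posts above. The mqm allowlist, the appdev group and the last two sample lines are assumptions or constructed, and the generic-profile matching is an approximation.

```python
import re
import shlex

COMMAND_QUEUE = "SYSTEM.ADMIN.COMMAND.QUEUE"
PUT_GRANTS = {"+put", "+allmqi", "+all"}  # setmqaut authorizations that include put
ADMIN_GROUPS = {"mqm"}                    # assumption: only group expected to hold this
# First two lines are the commands quoted in the thread; the last two are constructed.
SAMPLE = """\
setmqaut -m TESTQM -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -g mqmon +dsp +inq +put
setmqaut -m TESTQM -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -g mqmon +dsp +inq +get
setmqaut -m TESTQM -t q -n 'SYSTEM.ADMIN.**' -g appdev +allmqi
setmqaut -m TESTQM -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -g mqm +all
"""

def profile_matches(profile, name):
    """Approximate generic-profile match: ? = one char, * = one qualifier, ** = any."""
    rx = re.escape(profile).replace(r"\*\*", ".*").replace(r"\*", "[^.]*").replace(r"\?", "[^.]")
    return re.fullmatch(rx, name) is not None

def parse_setmqaut(line):
    """Split one setmqaut command into (options, entities, authorizations)."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "setmqaut":
        return {}, [], []          # not a setmqaut line: nothing to audit
    opts, entities, auths = {}, [], []
    it = iter(tokens[1:])
    for tok in it:
        if tok in ("-m", "-t", "-n", "-s"):
            opts[tok] = next(it, "")
        elif tok in ("-g", "-p"):
            entities.append((tok, next(it, "")))
        elif tok.startswith(("+", "-")):
            auths.append(tok.lower())
    return opts, entities, auths

def audit(script_text):
    """Return (line number, entity, risky grants) for non-admin put grants on the command queue."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        opts, entities, auths = parse_setmqaut(line)
        on_cmdq = (opts.get("-t", "").lower() in ("q", "queue")
                   and profile_matches(opts.get("-n", ""), COMMAND_QUEUE))
        risky = sorted(PUT_GRANTS & set(auths))
        for flag, who in entities:
            if on_cmdq and risky and not (flag == "-g" and who in ADMIN_GROUPS):
                findings.append((lineno, who, risky))
    return findings

print(audit(SAMPLE))
```

A finding marks a grant to review, not proof of excess access; a later removal such as -put on the same command is not taken into account.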
abiondo |
Posted: Wed Jan 16, 2008 5:54 am Post subject: |
|
|
 Novice
Joined: 30 Aug 2007 Posts: 21 Location: Philadelphia, PA
|
He basically just wants to pull a list of queue names back programmatically from MQ. Is there any way to limit that? Does he need access to the command queue for that?
thanks,
Anthony
_________________
Anthony J Biondo Jr
Manager, Web Services
AmeriHealth Mercy |
|
jefflowrey |
Posted: Wed Jan 16, 2008 6:07 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
|