Twilight
Posted: Mon Jul 13, 2009 10:18 am    Post subject: OAM security problem
Apprentice, Joined: 04 Aug 2004, Posts: 49
Hi,
I tried to give access to a queue object to a userid under AIX, but it looks like it has no effect at all.
I did as below:
setmqaut -m TESTQMGR -t queue -n MY.TEST.QUEUE -p mquser +get +put +browse +dsp
Also, I gave the same authorities to the group, -g mqgroup.
dspmqaut shows the right authorities for user mquser and group mqgroup.
But still, userid mquser can't put a msg or issue a dsp command.
I got MQRC=2035 all the time. Only user "mqm" can put a msg at this point.
Anything I missed?
Thanks in advance.
Vitor
Posted: Mon Jul 13, 2009 10:25 am    Post subject:
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
Are you sure the 2035 is coming from the put, or could it be coming from the connect? Are you sure mquser is a member of mqgroup?
(Authorities on AIX are at group level, not principal.)
If you're sure all the permissions are correct, enable security events and see what's failing. Be sure to disable them again once you've found the problem or you'll be knee deep in event messages!
_________________
Honesty is the best policy.
Insanity is the best defence.
Twilight
Posted: Mon Jul 13, 2009 10:45 am    Post subject:
Apprentice, Joined: 04 Aug 2004, Posts: 49
I'm using the BlockIP2 channel exit; its log details show it passed the connection fine.
That's why mqm worked OK, I think.
I may turn on security events to trace this.
Thanks for the advice.
_________________
WMQ/WMQI/WBI Consultant
Toronto, Canada
Vitor
Posted: Mon Jul 13, 2009 11:10 am    Post subject:
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
Twilight wrote:
    I'm using the BlockIP2 channel exit; its log details show it passed the connection fine.
I think you'll find that indicates the exit didn't block the connection, not that the connection was allowed by the queue manager.
Twilight wrote:
    That's why mqm worked OK, I think.
No, mqm works because it's not passed to the OAM. The mqm user is allowed to do anything and indeed can't (via OAM) be disallowed.
Twilight wrote:
    I may turn on security events to trace this.
Solid plan.
_________________
Honesty is the best policy.
Insanity is the best defence.
Twilight
Posted: Mon Jul 13, 2009 11:44 am    Post subject:
Apprentice, Joined: 04 Aug 2004, Posts: 49
I got an event on QMGR.EVENT. It shows the userid and the Windows program I used to MQPUT after turning security events on.
There is no channel name in the message on the QMGR.EVENT queue.
It looks like:
1. the exit passed a wrong userid, padded with blanks or something
2. amqsputc requires auth also?
3. the svrconn needs auth too?
Thanks.
Twilight
Posted: Mon Jul 13, 2009 12:42 pm    Post subject:
Apprentice, Joined: 04 Aug 2004, Posts: 49
You're right.
mquser doesn't have authority to connect to the Qmgr.
I gave mquser +connect as below:
setmqaut -m TEST.QMGR -t qmgr -p mquser +connect
Thanks a lot.
_________________
WMQ/WMQI/WBI Consultant
Toronto, Canada