Queue Manager Security and MQ Explorer |
fjb_saper |
Posted: Mon Nov 16, 2009 10:00 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
bruce2359 wrote: |
I checked my Norton Anti-Sarcasm log, and no sarcasm detected. |
Ah but did you check it for sarchasm??
@Tybex
Also a common mistake is to believe that MQ authorization on Unix is done at userId level. It is not. In fact if you set it at userid level it will be set for the primary groupid for that user... Not what you might want...
Have fun  _________________ MQ & Broker admin |
gbaddeley |
Posted: Tue Nov 17, 2009 4:20 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
fjb_saper wrote: |
Also a common mistake is to believe that MQ authorization on Unix is done at userId level. It is not. In fact if you set it at userid level it will be set for the primary groupid for that user... Not what you might want...
Have fun  |
Another interesting fact is that if you define a new object using runmqsc from your personal userid, and your primary group is not mqm (ie. you get authority to do this because mqm is one of your secondary groups), MQ will create an OAM profile for your primary group to have full access to the object.
eg. If your primary group is 'allstaff', you have just given everyone on the system access to the MQ object.  _________________ Glenn |
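
An added example, not part of the original posts: a shell check, run here against constructed passwd and group files, that reports which accounts share the primary group that would be granted access when a given user defines an object as described above. The account names alice, bob and carol and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Account names are constructed.

# write_sample DIR: constructed passwd/group files for the demo
write_sample() {
    cat > "$1/passwd" <<'EOF'
mqm:x:500:500::/var/mqm:/bin/sh
alice:x:1001:100::/home/alice:/bin/sh
bob:x:1002:100::/home/bob:/bin/sh
carol:x:1003:200::/home/carol:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
mqm:x:500:alice
allstaff:x:100:carol
dev:x:200:
EOF
}

# primary_group USER PASSWD GROUP: print USER's primary group name
primary_group() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$3"
}

# group_members NAME PASSWD GROUP: accounts with NAME as primary or secondary group
group_members() {
    gid=$(awk -F: -v n="$1" '$1 == n { print $3; exit }' "$3")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$gid" '$4 == g { print $1 }' "$2"
        awk -F: -v n="$1" '$1 == n && $4 != "" { gsub(",", "\n", $4); print $4 }' "$3"
    } | sort -u
}

# check_creator USER PASSWD GROUP: status 0 if the primary group is mqm,
# status 2 if another group (listed with its members) would get the profile
check_creator() {
    pg=$(primary_group "$1" "$2" "$3") || { echo "unknown user: $1" >&2; return 1; }
    [ "$pg" = "mqm" ] && { echo "$1: primary group is mqm"; return 0; }
    echo "$1: objects defined by this account are granted to '$pg':"
    group_members "$pg" "$2" "$3" | sed 's/^/  /'
    return 2
}

# Demo on the constructed data: alice has mqm only as a secondary group
demo=$(mktemp -d) && write_sample "$demo"
check_creator alice "$demo/passwd" "$demo/group" || true
rm -rf "$demo"
```

Pointing the three functions at copies of a host's real /etc/passwd and /etc/group gives the same report for actual accounts.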
bruce2359 |
Posted: Fri Nov 20, 2009 5:15 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Moved to Security forum. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
zpat |
Posted: Fri Dec 11, 2009 3:48 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
A very good point and it happens with GUI tools as well, just tested it with MO71 and my primary Unix group was granted access.
It would be handy if this behaviour could be controlled at the MQ level. |
bruce2359 |
Posted: Fri Dec 11, 2009 6:40 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Quote: |
and it happens with GUI tools as well |
This is a UNIX behavior. Your entire group gets your privileges.
nathanw |
Posted: Fri Dec 11, 2009 6:51 am Post subject: |
|
|
 Knight
Joined: 14 Jul 2004 Posts: 550
|
Just to throw another wrench in the works, this also applies to domains, whereby you could be local admin on your machine but not network, and vice versa.
For example, on my machine I have mqexplorer and I am admin on my machine, BUT some qms I can connect and edit but others I can only see, due to shared machines and userids on set up etc. _________________ Who is General Failure and why is he reading my hard drive?
Artificial Intelligence stands no chance against Natural Stupidity.
Only the User Trace Speaks The Truth  |
bruce2359 |
Posted: Fri Dec 11, 2009 7:06 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Security, the saying goes, is like an onion - it makes your eyes water.