Reddiough (Novice; Joined: 27 Jun 2001; Posts: 23)
Posted: Fri Mar 09, 2012 5:31 am    Post subject: Securing mqsi commands
Hi,
I'm trying to secure mqsi commands for users who are not members of the mqbrkrs group.
What I want is to stop developers from running mqsistart, mqsistop etc. but allow them to run mqsilist, mqsichangetrace etc.
When I look at the executables, they are all set up as:
rwxr-xr-x
Meaning everyone has access to run them.
When a developer tries to run mqsilist, however, they see:
Failed to open file /var/mqsi/registry/utility/HASharedWorkPath with error The file access permissions do not allow the specified action.
This looks like a pretty horrible error for something quite straightforward.
Anyone have any great ideas on how this should be set up to provide access to a subset of the commands?
I'd rather not change the permissions on the individual commands. For starters, this might get changed back when maintenance is applied etc.
Anyone?
Tony.
--
Tony Reddiough
Certified MQSeries Consultant
Reddiough (Novice; Joined: 27 Jun 2001; Posts: 23)
Posted: Fri Mar 09, 2012 5:52 am
Should have said, this is broker v7 on AIX, if that makes any difference.
lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Fri Mar 09, 2012 5:57 am
Broker commands should only be run by the Broker service Id. Individual people should not run Broker commands directly. A user should always sudo to the Broker service Id first, then run the Broker commands. No one should be a member of mqbrkrs group directly. You control access to the Broker service Id through the sudo mechanism. Anyone whom you do not want to run mqsi commands should not be allowed to sudo into the Broker service Id.
Chapter 6 of the installation guide provides the requisite steps to configure a Broker installation. The file permissions you posted don't look accurate to me. Did you follow Chapter 6's step-by-step instructions?
--
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Fri Mar 09, 2012 6:26 am
Set up some simple scripts to invoke just the commands you want to allow (you can pass the parms straight through if you want).
Enable the set-gid flag and set the group owner (on this script file) to mqbrkrs (or the set-uid flag with the broker id as user owner).
Then these commands will run under the right authority when executed (no sudo needed).
If you want to restrict who can execute them, either do this inside the script itself or use the PUTACL, GETACL extensions on AIX for adding the groups with execute access (and take it off world execute).
lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Fri Mar 09, 2012 6:32 am
zpat wrote:
> Set up some simple scripts to invoke just the commands you want to allow (you can pass the parms straight through if you want).
> Enable the set-gid flag and set the group owner (on this script file) to mqbrkrs (or the set-uid flag with the broker id as user owner).
> Then these commands will run under the right authority when executed (no sudo needed).
> If you want to restrict who can execute them, either do this inside the script itself or use the PUTACL, GETACL extensions on AIX for adding the groups with execute access (and take it off world execute).
I disagree that no sudo is needed. If the user calling mqsi commands does not have the primary group Id set to the mqbrkrs group, then the commands will hang the Broker instance and DataFlowEngine. This is a documented behaviour. Sudo ensures that the same Id is used with the same primary group. The ownership of the semaphore locking the DataFlowEngine can only be obtained by the same group Id that created it. Since semaphore ownership calls depend on the primary group Id, if they are different, the DFE will hang.
Reddiough (Novice; Joined: 27 Jun 2001; Posts: 23)
Posted: Fri Mar 09, 2012 6:36 am
OK - appreciate this is a stupid question, but I'm using the IBM info centre for my books and I don't have chapter numbers.
So what is the title of Chapter 6?
Appreciate your help btw.
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Fri Mar 09, 2012 6:36 am
lancelotlinc wrote:
> I disagree that no sudo is needed.
I think what @zpat is getting at is that no sudo is needed by the guy running the script; the script itself will perform that. In this way you limit the amount of access to the service id.
At least, that's what I've done to achieve this sort of thing.
--
Honesty is the best policy.
Insanity is the best defence.
lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Fri Mar 09, 2012 6:41 am
Reddiough wrote:
> OK - appreciate this is a stupid question, but I'm using the IBM info centre for my books and I don't have chapter numbers.
> So what is the title of Chapter 6?
> Appreciate your help btw.
ftp://public.dhe.ibm.com/software/integration/wbibrokers/docs/V7.0/messagebroker_InstallationGuide.pdf
Chapter 6. Preparing the system
Many people skip over the steps contained in Chapter 6. Then they wonder why the system has runtime problems. The order of the steps is extremely important. For example, setting up the users, groups, and other things before you install the binaries, not after. Think about it: if the groups are set after the binaries are installed, do you think the files on the file system will reflect the correct group Id?
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Fri Mar 09, 2012 6:43 am
Reddiough (Novice; Joined: 27 Jun 2001; Posts: 23)
Posted: Fri Mar 09, 2012 6:54 am
Thanks for the links. I didn't do the installation myself; where I work, the Unix guys did. They tell me they followed the instructions step by step.
Could you just check the permissions on, say, mqsilist and let me know what they are for you?
lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Fri Mar 09, 2012 6:57 am
Reddiough wrote:
> Thanks for the links. I didn't do the installation myself; where I work, the Unix guys did. They tell me they followed the instructions step by step.
> Could you just check the permissions on, say, mqsilist and let me know what they are for you?
Unfortunately, I'm in the same boat you are. Our installation was done four years ago incorrectly. Someone else will have to validate the file ownerships.
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Fri Mar 09, 2012 8:24 am
Vitor wrote:
> lancelotlinc wrote:
> > I disagree that no sudo is needed.
> I think what @zpat is getting at is that no sudo is needed by the guy running the script; the script itself will perform that. In this way you limit the amount of access to the service id.
> At least, that's what I've done to achieve this sort of thing.
Correct - using setuid or setgid (or both) results in the command (script) running with the authority of its owning userid or groupid when executed. This does not use sudo, although it is analogous to it - RTM.
lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Fri Mar 09, 2012 8:30 am
I agree that both ways will work. One reason why I like sudo is that access to the Ids is logged. A SysAdmin can see who did what to whom after the fact.
Reddiough (Novice; Joined: 27 Jun 2001; Posts: 23)
Posted: Fri Mar 09, 2012 8:32 am
That's fine then. The commands I want to allow the developers to run are mainly to let them turn on debug trace, read the log etc. I'm going to write a script that wraps all these commands, and then I can have the script run as the broker userid.
This also has the benefit of making sure trace is always turned off each time, controlling where the output goes, etc.
Still not sure why the file permissions are the way they are, but it looks like I can provide what I need with the script.
Thanks to everyone for their help.
Tony.
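A concrete shape for the wrapper zpat suggests above and Tony says he will write, as an added example that is not code from this thread or from IBM. It takes the sudo route lancelotlinc prefers rather than the setuid/setgid bits: Linux ignores those bits on interpreted scripts (several other Unix kernels do too, so check AIX before relying on them), and a sudoers rule gives the per-invocation logging discussed in the thread. All names are hypothetical: the service id mqbrkr with primary group mqbrkrs, the install path /opt/IBM/mqsi/7.0, the developer group wmbdev and the wrapper name mqsiwrap.

```shell
#!/bin/sh
# mqsiwrap: allowlist wrapper for a read/trace subset of WebSphere Message
# Broker v7 commands. Added example, not IBM code and not from the thread.
#
# Deployment (all names hypothetical): install as /usr/local/bin/mqsiwrap,
# owned by root, mode 0755, and expose it only through sudoers:
#
#   %wmbdev ALL=(mqbrkr) NOPASSWD: /usr/local/bin/mqsiwrap
#
# Developers then run, for example:
#
#   sudo -u mqbrkr /usr/local/bin/mqsiwrap mqsichangetrace -u -e default -l debug
#
# sudo switches uid and primary group to the service id and logs the
# invocation; the allowlist below is enforced inside that boundary.

BROKER_USER="mqbrkr"                 # assumed broker service id
BROKER_GROUP="mqbrkrs"               # its assumed primary group
MQSI_BIN="/opt/IBM/mqsi/7.0/bin"     # assumed install path

# Commands developers may run. mqsistart, mqsistop, mqsideletebroker and the
# like are deliberately absent.
ALLOWED="mqsilist mqsireportbroker mqsichangetrace mqsireporttrace mqsireadlog"

# classify CMD [ARG...]: prints allow, deny-cmd or deny-arg. Executes nothing.
classify() {
    cmd=${1:-}
    if [ $# -gt 0 ]; then shift; fi
    found=no
    for a in $ALLOWED; do
        if [ "$cmd" = "$a" ]; then found=yes; fi
    done
    if [ "$found" = no ]; then
        echo deny-cmd
        return 0
    fi
    # Arguments reach the command as separate argv entries, never through a
    # shell, so metacharacters are not the issue; path separators are. An
    # unrestricted -o or -f would let a developer write or read any file the
    # service id can, so anything that is not a plain token is rejected.
    for arg in "$@"; do
        case $arg in
            ''|*[!A-Za-z0-9_.:=,-]*) echo deny-arg; return 0 ;;
        esac
    done
    echo allow
}

# True only when we already are the service id with its own primary group,
# i.e. we were started through sudo -u as intended.
check_identity() {
    [ "$(id -un)" = "$BROKER_USER" ] && [ "$(id -gn)" = "$BROKER_GROUP" ]
}

main() {
    case $(classify "$@") in
        allow) ;;
        deny-cmd) echo "mqsiwrap: command not permitted: ${1:-<none>}" >&2; exit 2 ;;
        *)        echo "mqsiwrap: argument rejected" >&2; exit 2 ;;
    esac
    if ! check_identity; then
        echo "mqsiwrap: must be run as: sudo -u $BROKER_USER $0 ..." >&2
        exit 3
    fi
    cmd=$1
    shift
    # Load the broker environment exactly as an interactive admin would.
    . "$MQSI_BIN/mqsiprofile"
    # sudo has logged who called us; record what was actually executed too.
    logger -t mqsiwrap "user=${SUDO_USER:-$(id -un)} cmd=$cmd args=$*"
    exec "$MQSI_BIN/$cmd" "$@"
}

# Dispatch only when installed under the expected name, so this file can also
# be sourced (for example by a test) without executing anything.
case ${0##*/} in
    mqsiwrap) main "$@" ;;
esac
```

Policy lives inside the privileged boundary: sudoers exposes only the wrapper, so a developer cannot sidestep the allowlist by running the mqsi binaries through sudo directly, and the wrapper's own identity check refuses to proceed unless the uid and primary group are the service id's, which is the mismatch lancelotlinc warns about. Tony's wish to force trace off, or to pin where mqsireadlog writes, would be done by adding a fixed subcommand to the wrapper rather than accepting raw arguments for those operations.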
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Fri Mar 09, 2012 8:45 am
lancelotlinc wrote:
> One reason why I like sudo is that access to the Ids is logged. A SysAdmin can see who did what to whom after the fact.
That's a very good idea if you've delegated potentially damaging commands (where mqsistop is a damaging command in a development environment used by multiple teams). If all the script does is run trace then most admins have better things to care about.