MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Securing mqsi commands

Reddiough
PostPosted: Fri Mar 09, 2012 5:31 am    Post subject: Securing mqsi commands

Novice

Joined: 27 Jun 2001
Posts: 23

Hi,
I'm trying to secure mqsi commands for users who are not members of the mqbrkrs group.

What I want is to stop developers from running mqsistart, mqsistop etc. but allow them to run mqsilist, mqsichangetrace etc.

When I look at the executables, they are all set up as:

rwxr-xr-x

Meaning everyone has access to run them.

When a developer tries to run mqsilist, however, they see:

Failed to open file /var/mqsi/registry/utility/HASharedWorkPath with error The file access permissions do not allow the specified action.

This looks like a pretty horrible error for something quite straightforward.

Anyone have any great ideas on how this should be set up to provide access to a subset of the commands?

I'd rather not change the permissions on the individual commands. For starters, this might get changed back when maintenance is applied, etc.

Anyone ?

Tony.
_________________
Tony Reddiough
Certified MQSeries Consultant
Reddiough
PostPosted: Fri Mar 09, 2012 5:52 am

Novice

Joined: 27 Jun 2001
Posts: 23

Should have said, this is broker v7 on AIX. If that makes any difference.
_________________
Tony Reddiough
Certified MQSeries Consultant
lancelotlinc
PostPosted: Fri Mar 09, 2012 5:57 am

Jedi Knight

Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA

Broker commands should only be run by the Broker service Id. Individual people should not run Broker commands directly. A user should always sudo to the Broker service Id first, then run the Broker commands. No one should be a member of mqbrkrs group directly. You control access to the Broker service Id through the sudo mechanism. Anyone whom you do not want to run mqsi commands should not be allowed to sudo into the Broker service Id. Chapter 6 of the installation guide provides requisite steps to configure a Broker installation. The file permissions you posted don't look accurate to me. Did you follow Chapter 6's step-by-step instructions?
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
zpat
PostPosted: Fri Mar 09, 2012 6:26 am

Jedi Council

Joined: 19 May 2001
Posts: 5866
Location: UK

Set up some simple scripts to invoke just the commands you want to allow (you can pass the parms straight through if you want).

Enable the set-gid flag and set the group owner (on this script file) to mqbrkrs (or the set-uid flag with the broker id as user owner).

Then these commands will run under the right authority when executed (no sudo needed).

If you want to restrict who can execute them, either do this inside the script itself or use the PUTACL, GETACL extensions on AIX for adding the groups with execute access (and take it off world execute).
lancelotlinc
PostPosted: Fri Mar 09, 2012 6:32 am

Jedi Knight

Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA

zpat wrote:
Set up some simple scripts to invoke just the commands you want to allow (you can pass the parms straight through if you want).

Enable the set-gid flag and the group owner (on this script file) as mqbrkrs (or the set-uid flag with the broker id as user owner).

Then these commands will run under the right authority when executed (no sudo needed).

If you want to restrict who can execute them, either do this inside the script itself or use the PUTACL, GETACL extensions on AIX for adding the groups with execute access (and take it off world execute).


I disagree that no sudo is needed. If the user calling mqsi commands does not have primary group Id set to mqbrkrs group, then the commands will hang the Broker instance and DataFlowEngine. This is a documented behaviour. Sudo ensures that the same Id is used with the same primary group. The ownership of the semaphore locking the DataFlowEngine can only be obtained by the same group Id that created it. Since semaphore ownership calls depend on the primary group Id, if they are different, the DFE will hang.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
Reddiough
PostPosted: Fri Mar 09, 2012 6:36 am

Novice

Joined: 27 Jun 2001
Posts: 23

Ok - appreciate this is a stupid question, but I'm using the IBM info centre for my books and I don't have chapter numbers.

So what is the title of Chapter 6?

Appreciate your help btw.
_________________
Tony Reddiough
Certified MQSeries Consultant
Vitor
PostPosted: Fri Mar 09, 2012 6:36 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

lancelotlinc wrote:
I disagree that no sudo is needed.


I think what @zpat is getting at is that no sudo is needed by the guy running the script; the script itself will perform that. In this way you limit the amount of access to the service id.

At least, that's what I've done to achieve this sort of thing.
_________________
Honesty is the best policy.
Insanity is the best defence.
lancelotlinc
PostPosted: Fri Mar 09, 2012 6:41 am

Jedi Knight

Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA

Reddiough wrote:
Ok - appreciate this is a stupid question, but I'm using the IBM info centre for my books and I don't have chapter numbers.

So what is the title of Chapter 6?

Appreciate your help btw.


ftp://public.dhe.ibm.com/software/integration/wbibrokers/docs/V7.0/messagebroker_InstallationGuide.pdf

Chapter 6. Preparing the system

Many people skip over the steps contained in Chapter 6. Then they wonder why the system has runtime problems. The order of the steps is extremely important. For example, setting up the users, groups, and other things before you install the binaries, not after. Think about it: if the groups are set after the binaries are installed, do you think the files on the file system will reflect the correct group Id?
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
mqjeff
PostPosted: Fri Mar 09, 2012 6:43 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

He really means the steps listed here.
http://publib.boulder.ibm.com/infocenter/wmbhelp/v7r0m0/topic/com.ibm.etools.mft.doc/bh26031_.htm
Reddiough
PostPosted: Fri Mar 09, 2012 6:54 am

Novice

Joined: 27 Jun 2001
Posts: 23

Thanks for the links. I didn't do the installation myself, where I work, the unix guys did. They tell me they followed the instructions step by step.

Could you just check the permissions on, say, mqsilist and let me know what they are for you?
_________________
Tony Reddiough
Certified MQSeries Consultant
lancelotlinc
PostPosted: Fri Mar 09, 2012 6:57 am

Jedi Knight

Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA

Reddiough wrote:
Thanks for the links. I didn't do the installation myself, where I work, the unix guys did. They tell me they followed the instructions step by step.

Could you just check the permissions on, say, mqsilist and let me know what they are for you?


Unfortunately, I'm in the same boat you are. Our installation was done four years ago incorrectly. Someone else will have to validate the file ownerships.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
zpat
PostPosted: Fri Mar 09, 2012 8:24 am

Jedi Council

Joined: 19 May 2001
Posts: 5866
Location: UK

Vitor wrote:
lancelotlinc wrote:
I disagree that no sudo is needed.


I think what @zpat is getting at is that no sudo is needed by the guy running the script; the script itself will perform that. In this way you limit the amount of access to the service id.

At least, that's what I've done to achieve this sort of thing.


Correct - using setuid or setgid (or both) results in the command (script) running with the authority of its owning userid or groupid when executed. This does not use sudo, although it is analogous to it - RTM.
lancelotlinc
PostPosted: Fri Mar 09, 2012 8:30 am

Jedi Knight

Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA

I agree that both ways will work. One reason why I like sudo is that access to the Ids is logged. A SysAdmin can see who did what to whom after the fact.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
Reddiough
PostPosted: Fri Mar 09, 2012 8:32 am

Novice

Joined: 27 Jun 2001
Posts: 23

That's fine then. The commands I want to allow the developers to run are mainly to let them turn on debug trace, read log etc. I'm going to write a script that wraps all these commands and then I can have the script run as the broker userid.

This also has the benefits of making sure trace is always turned off each time and controlling where the output goes etc.

Still not sure why the file permissions are the way they are but it looks like I can provide what I need with the script.

Thanks, everyone, for your help.

Tony.
_________________
Tony Reddiough
Certified MQSeries Consultant
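As an added example (editor's code, not something posted in this thread and not part of the IBM product), here is one shape for the wrapper zpat proposes, Vitor describes ("the script itself will perform that") and Reddiough says he is going to write: a single script that runs only an allow-listed subset of mqsi commands, rejects arguments that carry shell metacharacters, and records who asked for what. The script name mqsiwrap.sh, the install path /opt/IBM/mqsi/7.0/bin, and the group names used in the usage note are assumptions for illustration, not values from the thread.

```shell
#!/bin/sh
# mqsiwrap.sh: added example wrapper, not code from this thread or from IBM.
# Runs only an allow-listed subset of mqsi commands with plain arguments, so
# developers can be granted this one script (via sudo to the broker id, or a
# set-gid copy if the platform honours that on scripts) instead of having any
# path to mqsistart/mqsistop.

# Commands developers may run. Everything else (mqsistart, mqsistop,
# mqsicreatebroker, ...) is refused by name. Adjust to taste.
ALLOWED="mqsilist mqsireadlog mqsiformatlog mqsichangetrace mqsireporttrace"

# Broker install bin directory. ASSUMPTION: a default WMB v7 AIX install;
# confirm with 'which mqsilist' as the broker id on your own box.
MQSI_BIN="${MQSI_BIN:-/opt/IBM/mqsi/7.0/bin}"

# is_allowed CMD: 0 if CMD is in $ALLOWED, 1 otherwise. Exact match only, so
# "mqsilist/../mqsistop" or "mqsistop " cannot slip through.
is_allowed() {
    for a in $ALLOWED; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# args_are_safe ARG...: 0 if every argument consists only of letters, digits,
# '.', '_', '-' and '/'; 1 if any is empty or contains whitespace, quotes,
# ';', '$', '&' or anything else a shell would interpret. The wrapper never
# hands arguments to a shell, but a tight character set also keeps broker and
# execution-group names from carrying surprises into the real command.
args_are_safe() {
    for arg in "$@"; do
        case "$arg" in
            '' | *[!A-Za-z0-9._/-]*) return 1 ;;
        esac
    done
    return 0
}

# run_wrapped CMD ARG...: validate, log who asked for what, then replace this
# process with the real command so its exit code reaches the caller.
# Returns 2 (command not permitted), 3 (argument rejected) or 4 (binary not
# found) without running anything.
run_wrapped() {
    cmd="$1"
    [ $# -gt 0 ] && shift
    is_allowed "$cmd"  || { echo "mqsiwrap: '$cmd' is not permitted" >&2; return 2; }
    args_are_safe "$@" || { echo "mqsiwrap: argument rejected" >&2; return 3; }
    [ -x "$MQSI_BIN/$cmd" ] || { echo "mqsiwrap: $MQSI_BIN/$cmd not found" >&2; return 4; }
    # SUDO_USER is set when invoked through sudo; otherwise fall back to the
    # real login so there is still an audit trail in syslog.
    logger -t mqsiwrap "${SUDO_USER:-$(id -un)} ran $cmd $*" 2>/dev/null || :
    exec "$MQSI_BIN/$cmd" "$@"
}

# Only dispatch when executed under our own name, so the functions above can
# also be sourced and checked without touching a broker.
case "${0##*/}" in
    mqsiwrap.sh) run_wrapped "$@" ;;
esac
```

To grant it the way lancelotlinc prefers (audited through sudo rather than a set-id bit), install the script root-owned and not writable by developers, then a sudoers rule of the form `%mqbdev ALL=(mqbrkr) NOPASSWD: /usr/local/bin/mqsiwrap.sh` lets members of a (hypothetical) mqbdev group run `sudo -u mqbrkr /usr/local/bin/mqsiwrap.sh mqsilist BRK1` and nothing else as the broker id; sudo switches to the target user's primary group as well, which addresses the primary-group concern raised earlier in the thread, and logs each invocation itself. Two caveats before relying on the set-uid/set-gid route instead: Linux ignores those bits on interpreted scripts, so check whether your AIX level honours them (or use a small compiled launcher), and a set-id script must never be writable by the people it is meant to constrain.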
Vitor
PostPosted: Fri Mar 09, 2012 8:45 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

lancelotlinc wrote:
One reason why I like sudo is that access to the Ids is logged. A SysAdmin can see who did what to whom after the fact.


That's a very good idea if you've delegated potentially damaging commands (where mqsistop is a damaging command in a development environment used by multiple teams). If all the script does is run trace then most admins have better things to care about.
_________________
Honesty is the best policy.
Insanity is the best defence.
Copyright © MQSeries.net. All rights reserved.