Group memberships of user mqm
mqdogsbody
Posted: Thu Jun 14, 2012 2:21 am    Post subject: Group memberships of user mqm

Acolyte

Joined: 01 Jun 2010
Posts: 71

We have had a tightening up of access and one side effect has been that user mqm can no longer access the IBM-supplied log purging script.

I assumed that they'd just grant group mqm access but, oh no, the people in charge wanted to change mqm's primary group. Aaaaaargh! (Is that enough a's? Probably not!)

Anyway, I hope this is a silly question but I am cautious (too cautious) and conscious that I am a rank amateur (but yet a one-eyed man, it would seem, in this kingdom).

Will any unpleasant side-effects result from user mqm being granted membership of some arbitrary group?
_________________
-- mqDB --
exerk
Posted: Thu Jun 14, 2012 3:11 am    Post subject: Re: Group memberships of user mqm

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

mqdogsbody wrote:
We have had a tightening up of access and one side effect has been that user mqm can no longer access the IBM-supplied log purging script.

Supplied as in one of the SupportPacs?

mqdogsbody wrote:
I assumed that they'd just grant group mqm access but, oh no, the people in charge wanted to change mqm's primary group.

No, no, and thrice no! Do not change user mqm's primary group, just add user mqm to other groups as necessary; there's good reason for the mqm group and user.

mqdogsbody wrote:
Aaaaaargh! (Is that enough a's? Probably not!)

There's never enough, and I feel your pain.

mqdogsbody wrote:
Anyway, I hope this is a silly question but I am cautious (too cautious) and conscious that I am a rank amateur (but yet a one-eyed man, it would seem, in this kingdom).

- it works for a lot of us

mqdogsbody wrote:
Will any unpleasant side-effects result from user mqm being granted membership of some arbitrary group?

Very much so if someone is daft enough to grant authorities to user mqm as a principal rather than as a group (assuming UNIX here).
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
mqdogsbody
Posted: Thu Jun 14, 2012 3:36 am    Post subject: Re: Group memberships of user mqm

Acolyte

Joined: 01 Jun 2010
Posts: 71

Thanks for your reply.

exerk wrote:
(assuming UNIX here).

Yes, I mean to say that we are on Solaris.

exerk wrote:
Very much so if someone is daft enough to grant authorities to user mqm as a principal rather than as a group.

I repeatedly make the mistake of ruling out the possibility of daftness...

Anyway, we said "no" in fairly strong terms!

But (excuse my ignorance) why would the impact of granting membership of a new (non-primary) group be worse if someone had granted authorities to user mqm rather than group mqm? (And I hope that in rewording what you say I haven't obscured some subtlety.)

exerk wrote:
Supplied as in one of the SupportPacs?

It predates my arrival. All I know is "we got it from IBM". It doesn't say that it's a SupportPac and the author doesn't seem to have been an IBM employee. The dates on it are 1998-2001. Hmmmm... but we have been using it since at least 2001 and have had no problems (until some bureaucrat took away mqm's read access).
_________________
-- mqDB --
exerk
Posted: Thu Jun 14, 2012 4:00 am    Post subject: Re: Group memberships of user mqm

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

mqdogsbody wrote:
But (excuse my ignorance) why would the impact of granting membership of a new (non-primary) group be worse if someone had granted authorities to user mqm rather than group mqm? (And I hope that in rewording what you say I haven't obscured some subtlety.)

Because on UNIX, granting authorities to a principal grants the same authorities to everyone in that principal's primary group (lots of discussion about that within the forums hereabouts) and just who else might be put in the group? And you stated that 'they' wanted to change user mqm's primary group.

mqdogsbody wrote:
exerk wrote:
Supplied as in one of the SupportPacs?

It predates my arrival. All I know is "we got it from IBM". It doesn't say that it's a SupportPac and the author doesn't seem to have been an IBM employee. The dates on it are 1998-2001. Hmmmm... but we have been using it since at least 2001 and have had no problems (until some bureaucrat took away mqm's read access).

Get them to reinstate the access, or move the script to where user mqm does have access.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
mqdogsbody
Posted: Thu Jun 14, 2012 4:35 am    Post subject: Re: Group memberships of user mqm

Acolyte

Joined: 01 Jun 2010
Posts: 71

exerk wrote:
And you stated that 'they' wanted to change user mqm's primary group.

Yes, they did. I certainly wasn't going to allow that; I was just astounded that they'd propose that without consultation. (Since it's one support group talking to another they might have gone and implemented it too.)

exerk wrote:
Because on UNIX, granting authorities to a principal grants the same authorities to everyone in that principal's primary group

Yes, I do know that. (I do wonder why IBM implemented it like that.)

exerk wrote:
just who else might be put in the group?

Indeed. I hoped it would be nobody but mqadmin. Our standard admin jobs run as mqadmin and when ad-hoc action is needed we log in as mqadmin.

However, I had a look and there are a lot of users in there. I view that as the problem to solve: more control needs to be exerted over who is put into mqm. But I think that these are mostly support users and shouldn't have the power to run any of our apps. I am still going to flag it up though.

My current and primary concern is only that granting membership of a new (non-primary) group might have a negative impact on the operation of our QMs. I don't want them to break! I think it's unlikely but I don't get much of a warm feeling by being able to say "I can't think of any reason right now why there'd be a problem". What do I know? (I am supposed to be a C++ programmer.)

exerk wrote:
Get them to reinstate the access, or move the script to where user mqm does have access.

If only it were that easy. The revocation order comes from on high. And the location of the script is the result of our (highly-structured and controlled) build-and-release system. (I can override it temporarily but not permanently.)

(Sorry, I must learn to be less chatty and stick to the point!)
_________________
-- mqDB --
mqdogsbody
Posted: Thu Jun 14, 2012 4:44 am    Post subject: Re: Group memberships of user mqm

Acolyte

Joined: 01 Jun 2010
Posts: 71

exerk wrote:
No, no, and thrice no! Do not change user mqm's primary group

That is exactly what I meant by "Aaaaaargh!" Sorry if it wasn't clear.

("Aaaaaargh!" means "Don't do that!" or "Are they/you crazy?" I have another interjection that can be expanded at will, "yeeeeeeeeeeeugh", meaning "I don't like that", "That's disgusting!"... The more a's or e's the stronger the emotion.)
_________________
-- mqDB --
exerk
Posted: Thu Jun 14, 2012 4:46 am    Post subject: Re: Group memberships of user mqm

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

mqdogsbody wrote:
exerk wrote:
Because on UNIX, granting authorities to a principal grants the same authorities to everyone in that principal's primary group

Yes, I do know that. (I do wonder why IBM implemented it like that.)

I think that's a UNIX-specific thing rather than an IBM-specific one.

mqdogsbody wrote:
exerk wrote:
Get them to reinstate the access, or move the script to where user mqm does have access.

If only it were that easy. The revocation order comes from on high. And the location of the script is the result of our (highly-structured and controlled) build-and-release system. (I can override it temporarily but not permanently.)

Ah! Ivory Tower Syndrome, i.e. management thinking they know how something works as opposed to knowing how something works

mqdogsbody wrote:
(Sorry, I must learn to be less chatty and stick to the point!)

You'd be surprised how much information can be transmitted via anecdotal comments.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
mqdogsbody
Posted: Thu Jun 14, 2012 4:51 am    Post subject: Re: Group memberships of user mqm

Acolyte

Joined: 01 Jun 2010
Posts: 71

exerk wrote:
Ah! Ivory Tower Syndrome, i.e. management thinking they know how something works as opposed to knowing how something works :D

If you hear me use the phrase "strategic management decision" you'll know what I mean.
_________________
-- mqDB --
mqjeff
Posted: Thu Jun 14, 2012 4:51 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

So if a) the script has to stay in one place and b) the mqm user has to be able to run the script, the normal thing to do is change the ownership/permissions on the script (and necessary parent directories) such that the mqm user can then run the script.

If, somehow, that's not possible, then you use a symlink to "keep the file in the right place" and then change the process that runs the script to run the symlink rather than the actual script.
Vitor
Posted: Thu Jun 14, 2012 4:53 am    Post subject: Re: Group memberships of user mqm

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

exerk wrote:
mqdogsbody wrote:
exerk wrote:
Because on UNIX, granting authorities to a principal grants the same authorities to everyone in that principal's primary group

Yes, I do know that. (I do wonder why IBM implemented it like that.)

I think that's a UNIX-specific thing rather than an IBM-specific one.

mqdogsbody wrote:
If only it were that easy. The revocation order comes from on high.

One of our regulars will be along in a moment to explain how you can get management at any level to fall in line with whatever is the technological best practice and in defiance of any previously agreed management idiocy, while simultaneously pouring money into the training budget.

The rest of us feel your pain.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqdogsbody
Posted: Fri Jun 15, 2012 5:17 am    Post subject: Re: Group memberships of user mqm

Acolyte

Joined: 01 Jun 2010
Posts: 71

exerk wrote:
mqdogsbody wrote:
(I do wonder why IBM implemented it like that.)

I think that's a UNIX-specific thing rather than an IBM-specific one.

If someone has the time to explain, I am curious. I assumed it was implemented by IBM and that they chose to do it like that. Do they rely on some Unix facility that forces this?
_________________
-- mqDB --
bruce2359
Posted: Fri Jun 15, 2012 5:25 am

Poobah

Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.

IMHO IBM's choice to create mqm, and require mqm membership, rather than root membership, was to separate WMQ admin from o/s admin. I believe strongly that they chose well.

A good percentage of problems with mq (as seen here) are from non-WMQ admins with root changing permissions.

If I had a farthing (whatever that is) for every time I shot myself in the foot with my root id...
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
exerk
Posted: Fri Jun 15, 2012 5:44 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

bruce2359 wrote:
If I had a farthing (whatever that is)...

One quarter of a penny (from the Anglo-Saxon feorthing [a fourthling or fourth part of]*)

* should you need another pub quiz team member, you know where to find me!
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
bruce2359
Posted: Fri Jun 15, 2012 5:49 am

Poobah

Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.


_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Vitor
Posted: Fri Jun 15, 2012 5:52 am    Post subject: Re: Group memberships of user mqm

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

mqdogsbody wrote:
exerk wrote:
mqdogsbody wrote:
(I do wonder why IBM implemented it like that.)

I think that's a UNIX-specific thing rather than an IBM-specific one.

If someone has the time to explain, I am curious. I assumed it was implemented by IBM and that they chose to do it like that. Do they rely on some Unix facility that forces this?

I do not now nor have I ever worked for the IBM team that developed this, any of which are invited to post corrections, but I've always believed they're leveraging the Unix security methods under the covers to build and check ACLs with dummy file names. Given that mqm must own everything & others own nothing, actual control comes from groups. Hence when you specify a principal it must be converted to a group, and a primary group is the only group you can be sure an id will have.

Clearly not an authoritative explanation, but my 2 cents (or farthing). What I can say is that the behaviour is clearly documented.
_________________
Honesty is the best policy.
Insanity is the best defence.
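The point exerk and Vitor make above, that on UNIX an authority granted to a principal with `setmqaut -p` is really applied to that principal's primary group, means the true recipients of such a grant are every member of that group. The following script, an added example that is not from this thread or from IBM, lists those recipients from passwd/group data so an administrator can see who would inherit a `-p mqm` grant; the passwd and group records are constructed for the example, and on a real host you would feed it /etc/passwd and /etc/group (or `getent` output) instead.

```shell
#!/bin/sh
# Added example, not part of the thread. Constructed passwd/group records:
# mqm and mqadmin have mqm (gid 1001) as primary group, support1 is a
# supplementary member of mqm, appuser is in a separate apps group.
PASSWD_DATA='root:x:0:0:root:/root:/bin/sh
mqm:x:1001:1001:IBM MQ:/var/mqm:/bin/sh
mqadmin:x:1002:1001:MQ admin:/home/mqadmin:/bin/sh
appuser:x:1003:2000:App owner:/home/appuser:/bin/sh
support1:x:1004:3000:Support:/home/support1:/bin/sh'

GROUP_DATA='root:x:0:
mqm:x:1001:support1
apps:x:2000:
ops:x:3000:mqm'

# Name of USER's primary group: the group a "setmqaut -p USER" grant lands on
# when MQ resolves the principal to its primary group, as described above.
principal_grant_group() {
    gid=$(printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1==u {print $4}')
    printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$gid" '$3==g {print $1}'
}

# Every account in GROUP, whether it is their primary group (passwd field 4)
# or they are listed as a supplementary member (group field 4). Sorted, unique.
group_members() {
    gid=$(printf '%s\n' "$GROUP_DATA" | awk -F: -v n="$1" '$1==n {print $3}')
    {
        printf '%s\n' "$PASSWD_DATA" | awk -F: -v g="$gid" '$4==g {print $1}'
        printf '%s\n' "$GROUP_DATA" | awk -F: -v n="$1" \
            '$1==n && $4!="" {c=split($4,m,","); for(i=1;i<=c;i++) print m[i]}'
    } | sort -u
}

# Accounts that would inherit a "setmqaut -p USER" grant, one per line.
principal_grant_recipients() {
    group_members "$(principal_grant_group "$1")"
}

# Same list on one space-separated line, for reports and checks.
principal_grant_recipients_line() {
    principal_grant_recipients "$1" | tr '\n' ' ' | sed 's/ $//'
}

printf 'A -p mqm grant is really a grant to group %s, reaching: %s\n' \
    "$(principal_grant_group mqm)" "$(principal_grant_recipients_line mqm)"
```

Run against real passwd/group data, a long recipient list for mqm is exactly the "lots of users in there" problem mqdogsbody describes, and the fix is trimming group membership rather than changing mqm's primary group.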