| Author |
Message
|
| Boomn4x4 |
 Posted: Mon Jun 25, 2012 5:05 am Post subject: MQ error logs permissions |
 |
|
Disciple
Joined: 28 Nov 2011
Posts: 172
|
I'm trying to write a script that monitors the /var/mqm/qmgrs/QMGR/errors directory as I have another script that is processing the log files and archiving the files that are no longer needed for replay. I'm essentially just issuing a "du /var/mqm/qmgrs/QMGR/errors" to get a size of the directory. For whatever reason that directory is not world readable. My intent is for my monitoring application run this script and report its results, the application is run as a different user. It seems silly to me that if I want to do nothing more than read the size of the directory that I would have to add that user to the mqm group thereby giving that use full administration access which is not what I want to do.
Are there anyways to change what users have access to read that log directory? |
|
| Back to top |
|
 |
| Vitor |
| Posted: Mon Jun 25, 2012 5:13 am Post subject: Re: MQ error logs permissions |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Boomn4x4 wrote: |
| Are there anyways to change what users have access to read that log directory? |
chmod?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Boomn4x4 |
| Posted: Mon Jun 25, 2012 5:18 am Post subject: Re: MQ error logs permissions |
|
|
Disciple
Joined: 28 Nov 2011
Posts: 172
|
| Vitor wrote: |
| Boomn4x4 wrote: |
| Are there anyways to change what users have access to read that log directory? |
chmod? |
Is that safe? From what I understand, permissions are set quite specifically and for specific reasons.
Also, when new log files are created and the qmgr is stopped/started the permissions roll back. |
|
| Back to top |
|
|
| Vitor |
| Posted: Mon Jun 25, 2012 5:35 am Post subject: Re: MQ error logs permissions |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Boomn4x4 wrote: |
| Is that safe? From what I understand, permissions are set quite specifically and for specific reasons. |
They are, but you need to balance the "safety" of changing the file permissions with the "safety" of running an application which is monitoring the queue manager (an administrative function) outside the administrative group. IHMO it's safer, easier & more convienient to have proper controls over the application and what it's doing, then run it inside mqm.
| Boomn4x4 wrote: |
| Also, when new log files are created and the qmgr is stopped/started the permissions roll back. |
That sounds like the chmod is not applied properly, i.e. with proper reference to how that file system permissions are set up. You're correct in saying that a simple chmod doesn't work; I'm correct in saying the chmod command can be used to achieve the effect you're looking for.
I question the wisdom of doing that.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| exerk |
| Posted: Mon Jun 25, 2012 6:04 am Post subject: Re: MQ error logs permissions |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Boomn4x4 wrote: |
| I'm trying to write a script that monitors the /var/mqm/qmgrs/QMGR/errors directory as I have another script that is processing the log files and archiving the files that are no longer needed for replay... |
There are no files in that directory required for replay; the only files that should be there are the three AMQERR logs. If, on the other hand you mean the content of /var/mqm/logs then that is a different matter and there are at least two SupportPacs out there which should be of use to you before you reinvent the wheel.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Mon Jun 25, 2012 2:21 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
http://www-01.ibm.com/support/docview.wss?uid=swg21446338
| Quote: |
The following information describes the security applied to the files and directories under /var/mqm/ and why the file-system permissions are set as they are.
In order to ensure the correct operation of the WebSphere MQ it is not recommended that you alter the file system permissions as set by WebSphere MQ.
|
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
|
|
