sanjoo (Acolyte; Joined: 26 Oct 2005; Posts: 65)
Posted: Mon Sep 17, 2012 4:21 am    Post subject: File permissions in File Output node in WMB
We are facing an issue with the FileOutput node. We are not able to control the permissions of files created by the FileOutput node.
PROBLEM DESCRIPTION: Broker does not honor the broker service user's umask settings and creates files with default permission rw-rw---- (660).
To force the FileOutput node to respect UMASK settings we tried the steps below, as mentioned in APAR IZ07456:
1) changed umask settings to the desired level (027) (ie umask u=rwx,g=r,o=)
2) exported MQSI_UMASK_COPY=1
3) restarted WMB
Tried the above solution but files are still getting created with '660'. We need files with '640' permissions (ie rw-r-----).
Also tried with umask '022' but still files were created with rw-rw-r-- privileges. When broker creates a file, is it necessary that group (mqbrkrs) should have write privilege on the output directory?
Any help/hint will be really appreciated.
Broker version: Message Broker 6.1.0.8
OS: AIX 5.3.0.0
Thanks
Sanjoo
{Input directory has '770' privileges for broker service id
Output directory has '740' privileges for broker service id}
_________________
Sanjoo
Keep smiling
lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Mon Sep 17, 2012 4:55 am    Post subject:
Update your 6.1.0.8 to 6.1.0.11. I doubt opening a PMR will result in any code changes since 6.1 will be EOL soon. Better expedite your migration plans to V8.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Mon Sep 17, 2012 5:04 am    Post subject: Re: File permissions in File Output node in WMB
sanjoo wrote:
    Tried the above solution but files are still getting created with '660'. We need files with '640' permissions (ie rw-r-----).
Why?
sanjoo wrote:
    Also tried with umask '022' but still files were created with rw-rw-r-- privileges. When broker creates a file, is it necessary that group (mqbrkrs) should have write privilege on the output directory?
IIRC yes. Again I ask why you're trying to tighten this down. The only reason I can think of is that you're trying to ensure only the service id can create the file rather than any other member of the mqbrkrs group.
Which leads to the obvious questions: what other ids are in that group and why are they there?
_________________
Honesty is the best policy.
Insanity is the best defence.
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Mon Sep 17, 2012 6:19 am    Post subject:
No EOL date for WMB 6.1.
IBM are not in the habit of springing such dates on customers at short notice...
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Mon Sep 17, 2012 6:31 am    Post subject:
Try setting g+s on the directory above (assuming that directory has permissions of g-w already, otherwise set that first).
lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Mon Sep 17, 2012 6:36 am    Post subject:
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Mon Sep 17, 2012 7:11 am    Post subject:
When did that come out?
Actually it's good news, I can use that to bring some pressure to bear.
sanjoo (Acolyte; Joined: 26 Oct 2005; Posts: 65)
Posted: Mon Sep 17, 2012 8:44 pm    Post subject:
Quote:
    Update your 6.1.0.8 to 6.1.0.11. I doubt opening a PMR will result in any code changes since 6.1 will be EOL soon. Better expedite your migration plans to V8.
IZ07456 - BROKER IGNORES USERS UMASK issue is fixed in Message Broker V6 problems fixed in Fix Pack 6.0.0.7. I am already at 6.1.0.8. Will an upgrade fix the issue?
Quote:
    Again I ask why you're trying to tighten this down. The only reason I can think of is that you're trying to ensure only the service id can create the file rather than any other member of the mqbrkrs group.
We have some security compliance to meet and for that we need to enforce that the broker creates files with rw-r----- privileges.
But let me put this question differently. Can the broker create a file which won't have write privilege for group 'mqbrkrs'? (The broker first writes the file in the mqsitransit directory and then copies it to the output directory.)
Thanks for earlier replies.
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Tue Sep 18, 2012 12:36 am    Post subject:
First of all, I have provided an alternative to try - why are you ignoring this?
On this owning directory you can set the group name you want to have for the new files created inside it. We do this and it works perfectly for 6.1.0.8.
However you will need to delete the existing mqsixxxx directories and let the broker create them again once you have made the permission changes.
Secondly, WMB 6.0 and WMB 6.1 were maintained in parallel. Therefore you need to check when the APAR fix was released for WMB 6.1.
sanjoo (Acolyte; Joined: 26 Oct 2005; Posts: 65)
Posted: Tue Sep 18, 2012 3:31 am    Post subject:
zpat, thanks a ton. Will try this now.
lancelotlinc (Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA)
Posted: Tue Sep 18, 2012 4:45 am    Post subject:
sanjoo wrote:
    But let me put this question differently. Can the broker create a file which won't have write privilege for group 'mqbrkrs'? (The broker first writes the file in the mqsitransit directory and then copies it to the output directory.) Thanks for earlier replies.
You're welcome. Create a queue, trigger on first, which invokes a shell script that sudo-chmods the permissions in the directory. Drop a message in the queue when your flow completes.
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Tue Sep 18, 2012 4:52 am    Post subject:
That seems a very complex way to achieve a simple requirement.
Here's how we do it.
The directory used by the file node is set up like this:
Owner: brokerid:brokergroup (a group the broker is a member of, but preferably not the mqbrkrs group)
Permissions: drwxr-s---
Then deploy the flow and let the broker create the mqsitransit sub-directories (etc).
We add our brokerid to suitable application groups, so that the files can be accessed by support staff who are also in these application groups.
sanjoo (Acolyte; Joined: 26 Oct 2005; Posts: 65)
Posted: Fri Sep 21, 2012 1:41 am    Post subject:
Broker service id: xxxxmqsi
AIX 5.3.0.0 SP3
Broker version: 6.1.0.8
1) Create group xxxxmq01
2) Add user xxxxmqsi to group xxxxmq01.
3) Create directory /tmp/Input with owner user id as xxxxmqsi and owner group as xxxxmq01
4) Create directory /tmp/Output with owner user id as xxxxmqsi and owner group as xxxxmq01
5) chmod 777 /tmp/Input
6) chmod g-w /tmp/Output
7) chmod g+s /tmp/Output
8) Permissions on /tmp/Output ==> drwxr-s---
9) Set umask for user xxxxmqsi to '027' if not already set.
10) Add export MQSI_UMASK_COPY=1 to broker profile
11) Restart broker
When I sudo to the broker id and try to create a file in the output directory, it is created with the correct privileges (rw-r-----). However, through the message flow application these privileges are defaulting to 660.
Am I missing anything?
One more thing, APAR IZ07456 for resolving this issue has been included in the package since 6.1.0.2. We are already at 6.1.0.8.
phew... anyway, have raised a PMR.
Thanks all.
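An added shell example, not from any poster in this thread, that reproduces zpat's directory setup (drwxr-s---, group without the write bit, setgid set) and sanjoo's manual check: it creates files under umask 027 and 022 and reports the mode and group each new file actually gets. The directory path, file names and the GNU/BSD stat fallback are assumptions.

```shell
#!/bin/sh
# Added example, not code from any poster: sets a directory up as drwxr-s---
# and shows how umask and the setgid bit decide a new file's mode and group.
# Assumes GNU stat, with BSD stat as a fallback; paths are constructed.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Group name of a path.
group_of() {
  stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"
}

# Set a directory up the way the thread recommends: no group write bit,
# setgid bit set so files created inside inherit the directory's group.
setup_output_dir() {
  mkdir -p "$1"
  chmod 750 "$1"     # drwxr-x---
  chmod g-w "$1"     # explicit, as in sanjoo's steps
  chmod g+s "$1"     # drwxr-s---
}

# Create an empty file in directory $1 under umask $2 (inside a subshell so the
# caller's umask is untouched) and print "mode group" of the new file.
# A new file gets 0666 & ~umask: umask 027 yields 640, umask 022 yields 644.
# Note the directory's own group bits play no part in the file's mode.
create_with_umask() {
  ( umask "$2"; : > "$1/$3" ) || return 1
  printf '%s %s\n' "$(mode_of "$1/$3")" "$(group_of "$1/$3")"
}

# Demonstration run using a constructed temp directory, removed afterwards.
demo() {
  dir="${TMPDIR:-/tmp}/wmb_umask_demo.$$"
  setup_output_dir "$dir"
  echo "directory: $(mode_of "$dir") $(group_of "$dir")"
  echo "umask 027: $(create_with_umask "$dir" 027 out027.txt)"
  echo "umask 022: $(create_with_umask "$dir" 022 out022.txt)"
  rm -rf "$dir"
}

demo
```

Because umask is a per-process attribute inherited from the parent, a file created from an interactive shell and one created by a long-running broker process can differ even when the directory is identical; this script only shows what the directory and umask contribute.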