cra1gl1 |
Posted: Fri Aug 03, 2018 8:38 am Post subject: root user, member of mqm group throws unauthorized errors. |
|
|
Apprentice
Joined: 25 Apr 2018 Posts: 30
|
Hello experts,
I thought any user, if a member of the mqm group, has full admin rights to the qmgr. Is this wrong? Could someone explain please?
I have added root to mqm group and tried to run some admin commands. crtmqm, endmqm, dltqm fail with unauthorized errors. However, runmqsc works fine.
#whoami
root
#groups root
root: root mqm
#dspmq
QMNAME(QM1) STATUS(RUNNING)
#endmqm QM1
AMQ7077E: You are not authorized to perform the requested operation.
#crtmqm QM2
AMQ7077E: You are not authorized to perform the requested operation
# echo "define ql(TESTQ)" | runmqsc QM1
5724-H72 (C) Copyright IBM Corp. 1994, 2018.
Starting MQSC for queue manager QM1.
1 : define ql(TESTQ)
AMQ8006I: IBM MQ queue created.
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed. |
Vitor |
Posted: Fri Aug 03, 2018 9:34 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
What version of MQ?
Does the user profile of root properly set the MQ environment?
Do you really want the root user in the mqm group? Why not have the root user sudo to the mqm user so at least you've got some audit? _________________ Honesty is the best policy.
Insanity is the best defence. |
cra1gl1 |
Posted: Fri Aug 03, 2018 10:03 am Post subject: |
|
|
Apprentice
Joined: 25 Apr 2018 Posts: 30
|
Vitor wrote: |
What version of MQ? |
9.0.5
Vitor wrote: |
Does the user profile of root properly set the MQ environment? |
Not sure how to verify this, but I get this for dspmqinst
# dspmqinst
InstName: Installation1
InstDesc:
Identifier: 1
InstPath: /opt/mqm
Version: 9.0.5.0
Primary: Yes
State: Available
Vitor wrote: |
Do you really want the root user in the mqm group? Why not have the root user sudo to the mqm user so at least you've got some audit? |
I'm just testing how the authorizations work. |
mvic |
Posted: Fri Aug 03, 2018 10:25 am Post subject: |
|
|
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
Are there any error messages in qmgr or system error logs? |
cra1gl1 |
Posted: Fri Aug 03, 2018 11:17 am Post subject: |
|
|
Apprentice
Joined: 25 Apr 2018 Posts: 30
|
mvic wrote: |
Are there any error messages in qmgr or system error logs? |
None. |
mvic |
Posted: Fri Aug 03, 2018 1:59 pm Post subject: |
|
|
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
This looks like a bug to me.
Anyway....
On a box of any importance, it's advisable NOT to login as root and run stuff.
Even on a box of little importance, avoiding running as root is still a way to avoid messing stuff up with a slip of the fingers. |
fjb_saper |
Posted: Sat Aug 04, 2018 2:20 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
cra1gl1 wrote: |
mvic wrote: |
Are there any error messages in qmgr or system error logs? |
None. |
Did you use refresh security on the qmgr after adding root to the mqm group?
Did you log out and log back in as root?
Have fun  _________________ MQ & Broker admin |
gbaddeley |
Posted: Sun Aug 05, 2018 4:21 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
Why would you *ever* want root to be in the mqm group?
If you need to run MQ commands from root, use su - mqm. _________________ Glenn |
RogerLacroix |
Posted: Tue Aug 07, 2018 10:56 am Post subject: Re: root user, member of mqm group throws unauthorized error |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
cra1gl1 wrote: |
I have added root to mqm group ... |
That is an incredibly bad idea. Un-do what you did and do as Glenn said, use the "su - mqm" command.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
PeterPotkay |
Posted: Tue Aug 07, 2018 4:33 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Good advice all around regarding not adding root into the mqm group.
But it's still interesting why root as a member of the mqm group can't issue those control commands.
If you create a new user called notroot (or maybe iamgroot) and add that to the mqm group, do you see the same problem? _________________ Peter Potkay
Keep Calm and MQ On |