ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ Securityroot user, member of mqm group throws unauthorized errors.

Post new topicReply to topic
root user, member of mqm group throws unauthorized errors. View previous topic :: View next topic
Author Message
cra1gl1
PostPosted: Fri Aug 03, 2018 8:38 am Post subject: root user, member of mqm group throws unauthorized errors. Reply with quote

Apprentice

Joined: 25 Apr 2018
Posts: 30

Hello experts,

I thought any user, if member of mqm group has full admin rights to tthe qmgr. Is this wrong ? could someone explain please?


I have added root to mqm group and tried to run some admin commands. crtmqm, endmqm, dltqm fail with unauthorized errors. However, runmqsc works fine.

#whoami
root

#groups root
root: root mqm

#dspmq
QMNAME(QM1) STATUS(RUNNING)

#endmqm QM1
AMQ7077E: You are not authorized to perform the requested operation.

#crtmqm QM2
AMQ7077E: You are not authorized to perform the requested operation

# echo "define ql(TESTQ)" | runmqsc QM1

5724-H72 (C) Copyright IBM Corp. 1994, 2018.
Starting MQSC for queue manager QM1.


1 : define ql(TESTQ)
AMQ8006I: IBM MQ queue created.
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
Back to top
View user's profile Send private message
Vitor
PostPosted: Fri Aug 03, 2018 9:34 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25266
Location: Ohio, USA

What version of MQ?

Does the user profile of root properly set the MQ environment?

Do you really want the root user in the mqm group? Why not have the root user sudo to the mqm user so at least you've got some audit?
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
cra1gl1
PostPosted: Fri Aug 03, 2018 10:03 am Post subject: Reply with quote

Apprentice

Joined: 25 Apr 2018
Posts: 30

Vitor wrote:
What version of MQ?

9.0.5

Vitor wrote:
Does the user profile of root properly set the MQ environment?

Not sure how to verify this, but i get this for dspmqinst
# dspmqinst
InstName: Installation1
InstDesc:
Identifier: 1
InstPath: /opt/mqm
Version: 9.0.5.0
Primary: Yes
State: Available

Vitor wrote:
Do you really want the root user in the mqm group? Why not have the root user sudo to the mqm user so at least you've got some audit?

I'm just testing how the authorizations work.
Back to top
View user's profile Send private message
mvic
PostPosted: Fri Aug 03, 2018 10:25 am Post subject: Reply with quote

Jedi

Joined: 09 Mar 2004
Posts: 2050

Are there any error messages in qmgr or system error logs?
Back to top
View user's profile Send private message
cra1gl1
PostPosted: Fri Aug 03, 2018 11:17 am Post subject: Reply with quote

Apprentice

Joined: 25 Apr 2018
Posts: 30

mvic wrote:
Are there any error messages in qmgr or system error logs?

None.
Back to top
View user's profile Send private message
mvic
PostPosted: Fri Aug 03, 2018 1:59 pm Post subject: Reply with quote

Jedi

Joined: 09 Mar 2004
Posts: 2050

This looks like a bug to me.
Anyway....
On a box of any importance, it's advisable NOT to login as root and run stuff.
Even on a box of little importance, avoiding running as root is still a way to avoid messing stuff up with a slip of the fingers.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Sat Aug 04, 2018 2:20 am Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19758
Location: LI,NY

cra1gl1 wrote:
mvic wrote:
Are there any error messages in qmgr or system error logs?

None.

Did you use refresh security on the qmgr after adding root to the mqm group?
Did you log out and log back in as root?

Have fun
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
gbaddeley
PostPosted: Sun Aug 05, 2018 4:21 pm Post subject: Reply with quote

Padawan

Joined: 25 Mar 2003
Posts: 1887
Location: Melbourne, Australia

Why would you *ever* want root to be in the mqm group?
If you need to run MQ commands from root, use su - mqm.
_________________
Glenn
Back to top
View user's profile Send private message
RogerLacroix
PostPosted: Tue Aug 07, 2018 10:56 am Post subject: Re: root user, member of mqm group throws unauthorized error Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3072
Location: London, ON Canada

cra1gl1 wrote:
I have added root to mqm group ...

That is an incredibly bad idea. Un-do what you did and do as Glen said, use "su - mqm" command.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Back to top
View user's profile Send private message Visit poster's website
PeterPotkay
PostPosted: Tue Aug 07, 2018 4:33 pm Post subject: Reply with quote

Jedi Council

Joined: 15 May 2001
Posts: 7463

Good advice all around regarding not adding root into the mqm group.

But, its still interesting why root as a member of the mqm group can't issue those control commands.

If you create a new user call notroot (or maybe iamgroot) and add that to the mqm group, do you see the same problem?
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexIBM MQ Securityroot user, member of mqm group throws unauthorized errors.
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.