runmqtrm security

tkane (Voyager; Joined: 23 Dec 2002; Posts: 82; Location: Kansas City)
Posted: Wed May 05, 2004 7:04 pm    Post subject: runmqtrm security

Hi,
Currently all of our applications that are running the Unix trigger monitor are starting it under the mqm id. With the existing binary you need to be at least in the mqm group to run it.
One of the downsides is that you're basically giving away mqm authority. Triggered processes are often shell scripts to start Java or do other housekeeping, and what's to stop a malicious person from inserting a crtmqm or endmqm, or even updating one of the product binaries?
What I'm wondering is if people are successfully running it with a copy of /usr/mqm/bin/runmqtrm having changed the permissions from -r-sr-s-- to -r-xr-xr-x?
I've run some tests and it seems to work, but nothing complete.
Would IBM support it? I don't have a big enough group to support our own C trigger monitor. I know people will suggest that.
I think IBM explained this away at a tech conference I was at a few years ago by saying that they simply replicated permissions down through the binaries: strmqm was setuid, so runmqtrm ended up that way.
TIA
Tom

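As an added illustration of the check behind this post (not code from the thread or from IBM): a small POSIX sh audit that reports which binaries in an `ls -l` listing still carry the setuid/setgid bits, plus a helper that makes the plain 0555 copy the post proposes and prints its resulting mode. The sample listing, file names and function names are constructed for the example; the copy helper assumes the destination path does not already exist.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): audit an MQ bin directory
# for setuid/setgid executables and check that a de-setuid'd copy of
# runmqtrm carries plain 0555 permissions before it is rolled out.

# Classify the symbolic mode column of an `ls -l` line: position 4 is the
# owner execute slot (s/S = setuid), position 7 the group execute slot
# (s/S = setgid).  Prints: setuid | setgid | setuid,setgid | none
suid_bits() {
    u=$(printf '%s' "$1" | cut -c4)
    g=$(printf '%s' "$1" | cut -c7)
    out=""
    case $u in s|S) out="setuid" ;; esac
    case $g in s|S) out="${out:+$out,}setgid" ;; esac
    printf '%s\n' "${out:-none}"
}

# Walk a listing (one `ls -l` line per input line) and print
# "name owner:group bits" for every entry that still carries setuid/setgid.
audit_listing() {
    while read -r mode _links owner group rest; do
        bits=$(suid_bits "$mode")
        [ "$bits" = none ] && continue
        printf '%s %s:%s %s\n' "${rest##* }" "$owner" "$group" "$bits"
    done
}

# Constructed sample listing (not real ls output): the shipped setuid/setgid
# runmqtrm beside the plain copy the thread proposes, plus strmqm.
SAMPLE_LISTING='-r-sr-s--- 1 mqm mqm 123456 May 05 2004 runmqtrm
-r-xr-xr-x 1 mqm mqm 123456 May 05 2004 runmqtrm.nosuid
-r-sr-s--- 1 mqm mqm 234567 May 05 2004 strmqm'

# How many sample entries would still hand mqm identity to whoever runs them.
count_suid_in_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_listing | wc -l | tr -d ' '
}

# Live-system variant: every setuid/setgid regular file under a directory
# (e.g. /usr/mqm/bin).
find_suid_in_dir() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Make the plain copy: cp as the installing user drops the setuid/setgid
# bits, chmod pins the mode the thread settled on.  Prints the copy's mode.
make_plain_copy() {
    cp "$1" "$2" && chmod 0555 "$2" && ls -l "$2" | cut -c1-10
}
```

Running `find_suid_in_dir /usr/mqm/bin` on a live system lists everything that still grants mqm identity on exec, so the plain copy can be compared against the shipped binary before the trigger monitor is switched over.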
mqonnet (Grand Master; Joined: 18 Feb 2002; Posts: 1114; Location: Boston, Ma, Usa.)
Posted: Mon May 10, 2004 11:48 am

I'll try to answer this one.
Some of the Unix-flavoured platforms have this benefit of assigning access authorities on an executable basis. You could chmod, chown, etc. And on others you have respective commands.
You can very well grant/revoke permissions as you like on any MQ objects, as far as I understand. Or else you would end up with a big security hole if you allowed access to everybody.
To sum up, yes, you can have specific permissions on specific MQ objects so as to enable only specific users/groups to access the executable.
Also on this note, you could as well secure MQ objects, queues, processes, etc. using setmqaut and other features provided by the platform.
As for IBM supporting it, I don't see why IBM shouldn't. You are just securing an executable.
Hope this helps.
Cheers
Kumar
_________________
IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator

Neysa (Newbie; Joined: 28 Nov 2002; Posts: 7; Location: Netherlands)
Posted: Wed May 12, 2004 3:50 am

In general I can think of a reason why it might not be supported. With setuid the process will have mqm as owner; with -r-xr-xr-x it runs with the user who started it as the owner. For some processes this might not work (properly), and it will therefore not be supported.
In this specific case of the trigger monitor I think you're right.
Agnes

tkane (Voyager; Joined: 23 Dec 2002; Posts: 82; Location: Kansas City)
Posted: Fri May 14, 2004 10:10 am

Well, I opened a PMR and asked IBM, and they said that they would support it. So now I just have to get it implemented for my applications.
The trigger monitor is just a fairly simple application. There are category 4 SupportPacs that provide more functionality as well.
Thanks for thinking about this.
Tom