Posted: Mon Sep 22, 2003 6:43 am Post subject: Anybody able to run progs under a different user ID (setuid)
Chevalier
Joined: 17 May 2001 Posts: 455
I am trying to write an application on AIX to allow non-mqm users to inquire on the status of an MQ Cluster. I have written a C++ application that uses the MQAI to send PCF commands to the command server. This runs fine under a user who is a member of the mqm group (i.e. me).
In order to allow non-mqm users to run the program I thought that I could make the program a setuid program by changing the attributes thus:
chmod ug+s myprog
However the program still gets not-authorised when attempting to connect under a non-mqm user. I have tried using the setuid and setgid system calls within the program but am not sure how to get this to work.
You have two security issues there. The first security issue is related to your OS. You have already solved that problem.
Your next problem is the MQSeries security. The end user should be in the mqm group, or you should give the corresponding authority to the user to connect and use the necessary MQSeries objects.
_________________
Lillo
IBM Certified Specialist - WebSphere MQ
The user/group of the program that has setuid bits on is mqm:mqm.
However, I find that under MQ5.3, IBM have changed the OAM so that it always checks the real user ID. Previously, for programs that were not associated with a shell (e.g. daemons or stuff run from cron I assume) the effective user ID was used.
This indicates to me that the setuid bits of my program are being ignored because I cannot change the real user ID.
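The behaviour discussed in this thread, as an added example that is not part of any post: a small C model of what `chmod ug+s` changes when a program is executed, and why a check keyed on the real user ID still sees the invoking user. The numeric IDs are constructed, and the two check functions are hypothetical simplifications, not the MQ OAM's actual logic.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed IDs: 1001/100 is a non-mqm user, 205/205 stands for mqm:mqm. */
#define USER_UID 1001
#define USER_GID 100
#define MQM_UID  205
#define MQM_GID  205

/* Process credentials that matter here: real and effective IDs. */
struct creds { uid_t ruid, euid; gid_t rgid, egid; };

struct creds sample_user(void)
{
    struct creds c = { USER_UID, USER_UID, USER_GID, USER_GID };
    return c;
}

/* POSIX exec rule: the set-ID bits replace only the effective IDs with the
 * file's owner and group; the real IDs stay those of the invoking user. */
struct creds creds_after_exec(struct creds caller, mode_t mode,
                              uid_t owner, gid_t group)
{
    struct creds c = caller;
    if (mode & S_ISUID) c.euid = owner;
    if (mode & S_ISGID) c.egid = group;
    return c;
}

/* Hypothetical policies: one keyed on the real UID (what the post reports
 * for MQ 5.3), one keyed on the effective UID. */
int real_uid_check(struct creds c, uid_t wanted)      { return c.ruid == wanted; }
int effective_uid_check(struct creds c, uid_t wanted) { return c.euid == wanted; }

int main(void)
{
    /* Model "chmod ug+s myprog" with myprog owned by mqm:mqm. */
    struct creds run = creds_after_exec(sample_user(),
                                        S_ISUID | S_ISGID | 0755, MQM_UID, MQM_GID);
    printf("model: ruid=%ld euid=%ld rgid=%ld egid=%ld\n", (long)run.ruid,
           (long)run.euid, (long)run.rgid, (long)run.egid);
    printf("real-UID check: %d, effective-UID check: %d\n",
           real_uid_check(run, MQM_UID), effective_uid_check(run, MQM_UID));
    /* The IDs of this process, to compare against the model on a real system. */
    printf("this process: ruid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    return 0;
}
```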