williad
Posted: Thu Sep 17, 2009 4:03 am Post subject: Error with WMQ RUNMQTRM triggered Application Id command
Apprentice
Joined: 08 Sep 2005 Posts: 40 Location: London

Hi
We have WMQ7.0.1.0 installed on a Sun Solaris server.
The problem we are facing is that we have a trigger monitor started from the Qmgr as a service, and it runs as mqm.
We have a perl script that is owned by our UA1 environment userid ua1eagle. When this perl script is run as that userid, the script runs successfully.
When we run this script as a triggered process, we get errors about "Insecure dependency in chdir while running setuid". The line in the perl script it is failing on is just simply "chdir dirname($0) ;"
Now I am not sure what is happening, but I thought that, seeing as the trigger monitor is running as mqm, this error was happening because mqm didn't have permissions to do a chdir in the perl script. But when I log on as mqm, I can run the perl script successfully.
I thought (obviously wrongly) that seeing as I could run the perl script as the mqm user manually (running the same command as used in the process definition application Id) it would work when run by the trigger monitor.
Any help would be gratefully appreciated.

JosephGramig
Posted: Thu Sep 17, 2009 4:09 am Post subject:
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA

Hmmm, well, please try adding chmod s+ug to the script. That will set the effective user as the owning user and keep the group the same for any file created.
I don't know that it will help, but worth a shot.

happyj
Posted: Thu Sep 17, 2009 4:16 am Post subject:
Voyager
Joined: 07 Feb 2005 Posts: 87

Are you running the trigger monitor as a service from within the qmgr or as an external process?

williad
Posted: Thu Sep 17, 2009 5:29 am Post subject:
Apprentice
Joined: 08 Sep 2005 Posts: 40 Location: London

Hi
Running it as a service from the Qmgr

mqjeff
Posted: Thu Sep 17, 2009 5:37 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447

The important bit about that warning message is the "while running setuid".
See the perlsec manpage and consider using -Uw on your command line.

williad
Posted: Thu Sep 17, 2009 6:18 am Post subject:
Apprentice
Joined: 08 Sep 2005 Posts: 40 Location: London

Hi
Thanks for that, I used the -Uw options and I think it got further than before, but I think it is now failing to find executables used within the perl script.
Normally the PATH variable would have these locations defined, and it does for the environment userid, but I think that when the trigger monitor is running as mqm and triggers the perl script, the PATH variable is not used, or is not set.
Do I need to set the mqm .profile to have the correct locations for the executables and restart the Qmgr, so that when the trigger monitor starts it will have the PATH defined and hence when the script is triggered it will work? Or is there another way to get the PATH variable defined so that the triggered script can see it and hence execute properly?

mqjeff
Posted: Thu Sep 17, 2009 6:38 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447

Your best bet, and this may avoid the setuid in the first place (it's hard to tell), is to have the PROCESS definition point to a script that runs the perl script, rather than having the Process definition run the perl script in the first place.
Then you can do whatever you need to do for that specific perl process and have complete control over the environment and etc. etc. etc.

williad
Posted: Thu Sep 17, 2009 8:54 am Post subject:
Apprentice
Joined: 08 Sep 2005 Posts: 40 Location: London

Hi
Thanks for that. Did that, where we have a script now that exports the PATH and LD_LIBRARY_PATH and runs the perl with the -uW, and I think we're getting further now, but now hitting a problem which is even baffling our unix admin guys.
Below is a section of debug output from the perl script when it was run via the trigger monitor. As you can see, the PATH and LD_LIBRARY_PATH are set and the id command was run by the perl script, and it shows that the script runs as ua1eagle but its effective userid is mqm (so I am told). I assume it is this because the runmqtrm is owned by mqm and its sticky bits are set.
The output below shows the ldd command output on one of the executables the perl script runs. As you can see, there are sections where it states (file not found); this, we think, is why the script is not working.
If you look at the LD_LIBRARY_PATH you can see there is a /users/ua1/aifg/aifg4341/lib and that is where the library files that are shown as not found reside, and they are actually there.
If we run the same ldd command when logged on as the mqm userid, the libraries are found, and the script works.
So I don't understand, if the variables are correct, why when run as a triggered process it can't find the libraries it says are missing.
PATH = /users/ua1/aifg/aifg4341/tools:/users/ua1/aifg/aifg4341/bin:/users/ua1/taviz/bin:/users/ua1/taviz/bin:/users/ua1/taviz/schrod
ers/script:/users/ua1/aifg/aifg4341/tools:/users/ua1/aifg/aifg4341/bin:/opt/soe/local/bin:/usr/sbin:/ua1/dmh/ora01/app/oracle/produc
t/10.2.0/bin:/usr/openwin/bin:/usr/local/bin:/usr/bin:/users/ua1/eagle/bin:.
LD_LIBRARY_PATH = /users/ua1/aifg/aifg4341/lib:/users/ua1/taviz/lib:/users/ua1/aifg/aifg4341/lib:/ua1/dmh/ora01/app/oracle/product/1
0.2.0/lib:/ua1/dmh/ora01/app/oracle/product/10.2.0/lib32:/usr/local/lib:/usr/lib:/usr/openwin/lib:.
LOGNAME = ua1eagle
USER = ua1eagle
id = uid=2003(ua1eagle) gid=2000(eagle) euid=2200(mqm) egid=2200(mqm)
ldd = libresolv.so.2 => /lib/libresolv.so.2
libthread.so.1 => /lib/libthread.so.1
libunzip.so => (file not found)
libzip.so => (file not found)
libxerces-c1_7_0.so => (file not found)
libgwbase.so => (file not found)
libmqm.so => /usr/lib/libmqm.so
libCstd.so.1 => /usr/lib/libCstd.so.1
libCrun.so.1 => /usr/lib/libCrun.so.1
libm.so.1 => /lib/libm.so.1
libc.so.1 => /lib/libc.so.1
libsocket.so.1 => /lib/libsocket.so.1
libnsl.so.1 => /lib/libnsl.so.1
libmqmcs.so => /opt/mqm/lib/libmqmcs.so
libmqmzse.so => /opt/mqm/lib/libmqmzse.so
librt.so.1 => /usr/lib/librt.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libmqz.so => /opt/mqm/lib/libmqz.so
libmp.so.2 => /lib/libmp.so.2
libmd.so.1 => /lib/libmd.so.1
libscf.so.1 => /lib/libscf.so.1
libaio.so.1 => /lib/libaio.so.1
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libgen.so.1 => /lib/libgen.so.1
libm.so.2 => /lib/libm.so.2
/platform/SUNW,T5240/lib/libc_psr.so.1
/platform/SUNW,T5240/lib/libmd_psr.so.1

mqjeff
Posted: Thu Sep 17, 2009 9:17 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447

I don't see anything that I personally can identify as the Perl lib directory on those paths?
You may want to modify your script to sudo the perl script as the user.

smdavies99
Posted: Thu Sep 17, 2009 12:05 pm Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.

As you are using the 'ldd' command, the following is interesting and needs to be resolved before the app will run properly.
Code:
ldd ...
....
libzip.so => (file not found)
libxerces-c1_7_0.so => (file not found)
...
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

gunter
Posted: Thu Sep 17, 2009 12:54 pm Post subject:
Partisan
Joined: 21 Jan 2004 Posts: 307 Location: Germany, Frankfurt

LD_LIBRARY_PATH has no effect if a process started with suid.
One solution: start a copy of runmqtrm by the right user.
Another solution is to put the libraries in a default location (/lib or /usr/lib).
_________________
Gunter Jeschawitz
IBM Certified System Administrator - Websphere MQ, 5.3
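
Added example (not part of the post above or of anyone's reply in this thread): a diagnostic for the situation described here, run over the id line and ldd output that the triggered script already prints. It reports each unresolved library and whether it sits in an LD_LIBRARY_PATH directory that is not being applied because real and effective IDs differ; all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread; all function names are hypothetical.

# id_field NAME ID_LINE: print the numeric value of one field of `id` output.
id_field() {
    printf '%s\n' "$2" | tr ' ' '\n' |
        sed -n "s/^$1=\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# runs_setid ID_LINE: succeed when an effective ID differs from the real one.
# `id` prints euid=/egid= only in that case; an absent field means "same".
runs_setid() {
    uid=$(id_field uid "$1"); euid=$(id_field euid "$1")
    gid=$(id_field gid "$1"); egid=$(id_field egid "$1")
    [ "${euid:-$uid}" != "$uid" ] || [ "${egid:-$gid}" != "$gid" ]
}

# missing_libs: read `ldd` output on stdin, print each unresolved library.
# The name is the fifth field from the end, so a "ldd = " prefix is harmless.
missing_libs() {
    awk 'NF >= 5 && /\(file not found\)/ { print $(NF-4) }'
}

# dirs_holding LIB PATHLIST: print each directory of a colon list holding LIB.
dirs_holding() {
    printf '%s\n' "$2" | tr ':' '\n' | while IFS= read -r dir; do
        if [ -n "$dir" ] && [ -e "$dir/$1" ]; then printf '%s\n' "$dir"; fi
    done
}

# diagnose ID_LINE LDD_FILE PATHLIST: explain each unresolved library.
diagnose() {
    missing_libs < "$2" | while IFS= read -r lib; do
        where=$(dirs_holding "$lib" "$3" | head -n 1)
        if [ -n "$where" ] && runs_setid "$1"; then
            echo "$lib: in $where, but real and effective IDs differ, so LD_LIBRARY_PATH is not applied"
        elif [ -n "$where" ]; then
            echo "$lib: in $where, LD_LIBRARY_PATH should resolve it"
        else
            echo "$lib: not in any LD_LIBRARY_PATH directory"
        fi
    done
}

# Run from inside the triggered script: sh thisfile "$(id)" ldd.out "$LD_LIBRARY_PATH"
if [ "$#" -eq 3 ]; then diagnose "$@"; fi
```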

williad
Posted: Fri Sep 18, 2009 7:30 am Post subject:
Apprentice
Joined: 08 Sep 2005 Posts: 40 Location: London

Thanks for that
It worked nicely when we moved the libraries to the /lib directory
Thank you all for your help