
Security on files created by Filenode
KIT_INC
Posted: Fri Feb 19, 2010 1:10 pm    Post subject: Security on files created by Filenode

Knight

Joined: 25 Aug 2006
Posts: 589

I am using WMB 16 on unix CSD5. Our developers have just started testing the file node. The broker runs with Id brokerId and the primary group of brokerId is mqm.
The file created by the Filenode is
-rw-rw---- 1 brokerid mqm 155 Jan 29 11:42 FTP_OUT.txt

The developers are not able to read the output unless we make their Id part of the mqm group or the broker's group.

I will do some more investigation from the UNIX file security side. Meanwhile, does anyone have any previous experience on how to get around this?
Is there a way to get the FileNode to create files using a different Id?
Vitor
Posted: Fri Feb 19, 2010 1:36 pm    Post subject: Re: Security on files created by Filenode

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

KIT_INC wrote:
I will do some more investigation from the UNIX file security side. Meanwhile, does anyone have any previous experience on how to get around this?


Write the file to a directory where the Unix property umask allows the developers access
_________________
Honesty is the best policy.
Insanity is the best defence.
smdavies99
Posted: Fri Feb 19, 2010 1:50 pm    Post subject: Re: Security on files created by Filenode

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

Vitor wrote:

Write the file to a directory where the Unix property umask allows the developers access


Ah. umask. That little understood feature of Unix/Linux.
Even a few Unix Sysadmins I have worked with don't understand umask. Especially when allowing users READ only access to Log Files.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
davecrighton
Posted: Wed Mar 03, 2010 9:44 am

Novice

Joined: 13 Jun 2007
Posts: 12

The Broker FileOutput node so the exact permissions will be determined by the unix dir settings in combination with the Broker process's umask.

The Broker sets its umask(6) on startup; however, since 6102 you can set MQSI_UMASK_COPY=1 in the mqsiprofile, meaning the Broker will honour umasks which would result in file permissions more permissive than rw--rw--.
joebuckeye
Posted: Thu Mar 04, 2010 6:28 am

Partisan

Joined: 24 Aug 2007
Posts: 365
Location: Columbus, OH

As long as the group of the directory where the files are dropped is accessible to the developers, just set the directory's group sticky bit. This will force any files the broker creates in that directory to have the same group as the directory. And this will allow your devs access to the file without having to put them into the mqm or broker group.

For example, set the group of the directory to app-dev (or whatever).

Code:
chgrp app-dev .
(from within the directory)

And then make sure your devs are in this group also (use the groups command to check). Then set the sticky group bit on the directory with the chmod command:

Code:
chmod g+s .
(from within the directory)

From this time forward any new files the broker creates in this directory will have the group app-dev (or whatever you set it to). And as long as your devs belong to the app-dev group they will have access to any new files created in that directory.
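
Added example, not part of any post in this thread: a POSIX sh sketch that reproduces, in a temporary directory, the two mechanisms discussed above, namely the creating process's umask deciding the mode bits (006 yields the `-rw-rw----` from the first post) and `chmod g+s` (the setgid bit) on the drop directory deciding the group of new files. The `out` directory and `strict.txt` are constructed names, and the 027 umask is only there for contrast.

```shell
#!/bin/sh
# Added example: constructed paths; nothing here touches a real broker.

# Permission string as ls prints it, e.g. -rw-rw---- (first 10 chars,
# which drops any trailing ACL/SELinux marker).
perm_string() { ls -ld "$1" | cut -c1-10; }

# Numeric id of the group that owns a file or directory.
gid_of() { ls -ldn "$1" | awk '{print $4}'; }

# Create FILE the way a process running with umask MASK would.
# The subshell keeps the umask change from leaking into the caller.
create_with_umask() { ( umask "$1" && : > "$2" ); }

# Prepare DIR as a drop directory: group rwx, nothing for others, and
# setgid so new files take the directory's group instead of the
# creator's primary group. An optional GROUP (for example app-dev)
# is applied with chgrp first.
make_drop_dir() {
    mkdir -p "$1" || return 1
    if [ -n "$2" ]; then chgrp "$2" "$1" || return 1; fi
    chmod 770 "$1" && chmod g+s "$1"
}

# Walk through both effects and print what an ls -l audit would show.
demo() {
    d=$(mktemp -d) || return 1
    make_drop_dir "$d/out" || return 1
    create_with_umask 006 "$d/out/FTP_OUT.txt"   # broker-style umask
    create_with_umask 027 "$d/out/strict.txt"    # stricter, for contrast
    for f in "$d/out" "$d/out/FTP_OUT.txt" "$d/out/strict.txt"; do
        echo "$(perm_string "$f") gid=$(gid_of "$f") ${f#"$d"/}"
    done
    rm -rf "$d"
}

demo
```

To use a real developer group, pass it as the second argument to `make_drop_dir`; the caller must own the directory and be a member of that group for `chgrp` to succeed.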