mqnomad (Acolyte; joined 18 Mar 2010; posts: 53)
Posted: Mon Mar 29, 2010 9:17 am    Post subject: Need to confirm exposure interpreted correctly
Using MQ V6.0 - read T.Rob's article at
http://www.ibm.com/developerworks/websphere/techjournal/0711_col_wyatt/0711_col_wyatt.html
I believe I have found a major exposure for an application, but having been away from MQ for a while I would appreciate some concurrence before I put the results in writing. I believe this system is wide open - do you agree?
1. AIX system.
2. /etc/group shows the root user as a member of the mqm and mqbrks groups.
3. Channels: MCAUSER in all channels is ... blank.
4. DIS CHSTAT shows all channels running with MCAUSER(root)!
5. Partial setmqaut's saved from the MS03 pack for SYSTEM.ADMIN.COMMAND.QUEUE and SYSTEM.DEFAULT.INITIATION.QUEUE follow:
    xxx -n 'SYSTEM.DEFAULT.INITIATION.QUEUE' -t queue -g mqm +browse +chg +clr +dlt +dsp +get +inq +put +passall +passid +set +setall +setid
    xxxx 'SYSTEM.ADMIN.COMMAND.QUEUE' -t queue -g mqm +browse +chg +clr +dlt +dsp +get +inq +put +passall +passid +set +setall +setid
Appreciate your thoughts/concurrence. Thanks.
mqnomad
PeterPotkay (Poobah; joined 15 May 2001; posts: 7722)
Posted: Mon Mar 29, 2010 3:17 pm
#2 Root does not need to be a member of those groups.
#3 That is the reason you have no MQ security to speak of, no matter what else you do.
#4 Along with all your incoming channels being defined without an MCAUSER value, did someone start this QM and Listener as root?
#5 Nothing wrong there. The mqm group will always have full access to these queues and there is nothing you can do to remove it.
_________________
Peter Potkay
Keep Calm and MQ On
mqnomad (Acolyte; joined 18 Mar 2010; posts: 53)
Posted: Mon Mar 29, 2010 4:31 pm
Thanks Peter ... so
- remove root from the mqm group and
- don't leave MCAUSER blank - possibly create the groups as shown in T.Rob's paper.
Thanks again,
mqnomad
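An added audit script (not part of the thread, and not IBM's or T.Rob's code) that mechanises points 2 and 3 of the original post and Peter's reply: it lists the groups in which root is a member from /etc/group, and lists inbound channels (SVRCONN, RCVR, RQSTR, CLUSRCVR) whose MCAUSER is blank from runmqsc DIS CHANNEL output. The /etc/group and runmqsc fragments below are constructed samples; the comments show how to feed the two functions real data on a live system.

```shell
#!/bin/sh
# Constructed sample: a fragment of /etc/group (group:password:gid:members).
SAMPLE_GROUP='mqm:!:300:root,mqadmin
mqbrks:!:301:root
staff:!:1:'

# Constructed sample: a fragment of runmqsc "DIS CHANNEL(*) CHLTYPE MCAUSER"
# output; runmqsc shows a blank attribute as MCAUSER( ).
SAMPLE_CHL='AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                 CHLTYPE(SVRCONN)
   MCAUSER(appuser)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                       CHLTYPE(SDR)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(FROM.QM2)                     CHLTYPE(RCVR)
   MCAUSER( )'

# Print every group that lists root in its member field.
# Live use: root_groups < /etc/group
root_groups() {
  awk -F: '{ n = split($4, m, ",")
             for (i = 1; i <= n; i++) if (m[i] == "root") print $1 }'
}

# Print inbound channels whose MCAUSER is blank. Outbound types (SDR, SVR,
# CLNTCONN, CLUSSDR) are skipped: MCAUSER is only meaningful where the
# channel receives work from a remote partner.
# Live use: echo "DIS CHANNEL(*) CHLTYPE MCAUSER" | runmqsc QMGR | blank_mcauser_inbound
blank_mcauser_inbound() {
  awk '
    match($0, /CHANNEL\([^)]*\)/) { name = substr($0, RSTART + 8, RLENGTH - 9) }
    match($0, /CHLTYPE\([^)]*\)/) { type = substr($0, RSTART + 8, RLENGTH - 9) }
    match($0, /MCAUSER\([^)]*\)/) {
      user = substr($0, RSTART + 8, RLENGTH - 9)
      gsub(/ /, "", user)
      if (user == "" && type ~ /^(SVRCONN|RCVR|RQSTR|CLUSRCVR)$/) print name
    }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_GROUP" | root_groups          # prints mqm, mqbrks
printf '%s\n' "$SAMPLE_CHL" | blank_mcauser_inbound  # prints SYSTEM.DEF.SVRCONN, FROM.QM2
```

A channel that shows up in the second list is the condition Peter describes in #3: anyone who can reach the listener connects with whatever identity the MCA runs under (root, here), with no MQ authorisation check worth the name.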
PeterPotkay (Poobah; joined 15 May 2001; posts: 7722)
Posted: Mon Mar 29, 2010 6:24 pm
That's a start. But you will be MUCH better off than you are now.
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper (Grand High Poobah; joined 18 Nov 2003; posts: 20756; location: LI,NY)
Posted: Mon Mar 29, 2010 7:45 pm
PeterPotkay wrote:
    That's a start. But you will be MUCH better off than you are now.
If you read T.Rob correctly between the lines you will also make sure that all SVRCONN have SSL (preferably using SSL peer) and that all connected qmgrs are set up the same for security.
Have fun
_________________
MQ & Broker admin
mqnomad (Acolyte; joined 18 Mar 2010; posts: 53)
Posted: Mon Mar 29, 2010 9:07 pm