Manishkj
Posted: Sun Dec 09, 2001 7:32 pm
Newbie
Joined: 11 Nov 2001 Posts: 9
Hello
We are using MQ 5.0 on AIX 4.3.2.
We have noticed that the error files created by MQ, i.e. AMQERR*.LOG, are owned by mqm with file permission 666 as shown below. There are many other files in the system which are owned by mqm with access permission 666.
-rw-rw-rw- 1 mqm mqm 220620 Dec 10 03:00 AMQERR01.LOG
Recently we have had a comment from auditors that there should be no world-writable file as part of security policy.
I would like to know how file permissions are set for these files which are owned by mqm, and whether there is any parameter/setting etc. where the default behaviour can be changed. If we remove the world-writable permission from the existing files, what can be the effects?
kolban
Posted: Sun Dec 09, 2001 9:14 pm
Grand Master
Joined: 22 May 2001 Posts: 1072 Location: Fort Worth, TX, USA
Wow!!! At first I thought there may have been something in error with your configuration, but on my Linux box I too see the same thing. If this is the reality and MQ-created files have public write permissions, I believe that this should be an immediate defect and resolved as quickly as possible. I can think of all manner of problems with this scenario.
dgolding
Posted: Wed Dec 12, 2001 1:05 am
Yatiri
Joined: 16 May 2001 Posts: 668 Location: Switzerland
Surely the permissions are like that so that a non-MQM group member can write an entry to the error log...
bduncan
Posted: Wed Dec 12, 2001 10:12 pm
Padawan
Joined: 11 Apr 2001 Posts: 1554 Location: Silicon Valley
Why? The applications that talk with MQSeries don't write messages to the MQSeries logs. The only processes that are writing to these files are those that comprise the queue manager and its support applications (listeners, channel initiators, etc.), and these all should be running as mqm or someone in the mqm group. It's funny: I've used MQSeries on AIX for a few years and never noticed the 666 thing...
_________________ Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
Tibor
Posted: Wed Dec 12, 2001 10:29 pm
Grand Master
Joined: 20 May 2001 Posts: 1033 Location: Hungary
(haha)
Just for fun: AMQERR0?.LOG files are set to 666 on HP-UX also. Plus, there are FDC files in /var/mqm/errors owned by a non-mqm user who has rights to some queues. These files contain the following message:
...
Component :- xcsDisplayMessageForSubpool
...
Probe Description :- AMQ6119: An internal MQSeries error has occurred ('13 - Permission denied' from open.)
...
File Name
7f7f4250 2F766172 2F6D716D 2F716D67 72732F56 /var/mqm/qmgrs/V
7f7f4260 415A4F4E 2F657272 6F72732F 414D5145 AZON/errors/AMQE
7f7f4270 52523033 2E4C4F47 RR03.LOG
...
Moreover:
-rw-rw-rw- 1 nikovits mqm 66360 Dec 10 18:09 AMQERR01.LOG
-rw-rw-rw- 1 nikovits mqm 256445 Dec 10 17:50 AMQERR02.LOG
-rw-rw-rw- 1 mqm mqm 256058 Dec 10 17:04 AMQERR03.LOG
I know there was a 'conversion error' with this user's application, but why does it want to overwrite AMQ* files?
Manishkj
Posted: Fri Jan 18, 2002 3:43 am
Newbie
Joined: 11 Nov 2001 Posts: 9
I finally managed to get the reply from IBM. Following is their reply.
"We strongly recommend not to change the permissions of these directories. The permissions are set after a careful study and as such do not pose a security threat.
The directories and files above are accessed by applications which may be running under a user ID which is not mqm and does not belong to the mqm group. The directories and files have owner:group set to mqm:mqm. The applications need to access these directories and files to use MQ shared resources, e.g. dir /var/mqm/errors and file AMQERR0123.LOG, and MQ trace, dir /var/mqm/trace. Such applications are user-written MQI applications.
@ipcc directories and files are zero-byte files and only required by the Qmgr, and the contents of these files has no bearing on the functioning of the Qmgr. As explained above, 'error' directories and files are accessed by non-mqm application groups, e.g. to take a trace of the non-mqm application process, to log an error message by a non-mqm application process, etc."
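A small audit helper, added here as an example and not taken from the thread or from IBM, that reconciles the auditors' finding with IBM's explanation: it lists the world-writable regular files under an MQ data directory and flags any that sit outside the errors/ and trace/ directories IBM says non-mqm MQI applications must write to. The /var/mqm default and the directory names are assumptions taken from the posts above.

```shell
#!/bin/sh
# Audit an MQ data tree for world-writable regular files. The root path
# defaults to /var/mqm (assumption based on the thread); pass another
# directory to audit a copy or a test tree.

mq_world_writable() {
    root=${1:-/var/mqm}
    # -perm -002: any regular file whose "other" write bit is set
    # (POSIX octal form, so it works on AIX, HP-UX and Linux find).
    find "$root" -type f -perm -002 2>/dev/null | sort
}

# Classify each world-writable file:
#   expected - under an errors/ or trace/ directory, the case IBM's reply
#              describes (non-mqm MQI applications log and trace there)
#   review   - anywhere else; world-writable here is not explained by the
#              reply and should be raised with the administrator
mq_classify() {
    root=${1:-/var/mqm}
    mq_world_writable "$root" | while IFS= read -r f; do
        case "$f" in
            */errors/*|*/trace/*) echo "expected $f" ;;
            *)                    echo "review   $f" ;;
        esac
    done
}

# Number of world-writable files needing review; 0 means the tree matches
# IBM's description. grep -c prints 0 but exits 1 when nothing matches,
# hence the "|| true" so callers can use set -e.
mq_review_count() {
    mq_classify "${1:-/var/mqm}" | grep -c '^review' || true
}
```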
bduncan
Posted: Fri Jan 18, 2002 2:00 pm
Padawan
Joined: 11 Apr 2001 Posts: 1554 Location: Silicon Valley
Thanks for the update... Well, I learned something new. I never thought that non-mqm applications connected to the queue manager would write to the error logs directly.
_________________ Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator