MQSeries.net Forum Index » IBM MQ Installation/Configuration Support

file permission 666 on AIX

Manishkj
Posted: Sun Dec 09, 2001 7:32 pm

Hello
We are using MQ 5.0 on AIX 4.3.2.
We have noticed that the error files created by MQ, i.e. AMQERR*.LOG, are owned by mqm with file permission 666 as shown below. There are many other files in the system which are owned by mqm with access permission 666:
-rw-rw-rw- 1 mqm mqm 220620 Dec 10 03:00 AMQERR01.LOG

Recently we have had a comment from auditors that there should be no world-writable file as part of the security policy.
I would like to know how file permissions are set for these files which are owned by mqm, and is there any parameter/setting etc. where the default behaviour can be changed? If we remove the world-writable permission from the existing files, what can the effects be?

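An added example, not code from the original post or from IBM: the check the auditors' rule implies, written as a script. It walks an MQ data directory and reports every regular file whose mode grants write to "other", in the style of the ls -l line above. The tree it scans is constructed in a temporary directory as a stand-in for /var/mqm; the file names and modes in it are assumptions for the demo, not a real installation.

```python
import os
import stat
import tempfile

try:
    import pwd  # POSIX only; used to render a uid as a login name like ls -l does
except ImportError:  # pragma: no cover
    pwd = None


def owner_name(uid):
    """Render a uid the way ls -l does, falling back to the number."""
    if pwd is not None:
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    return str(uid)


def world_writable_files(root):
    """Return sorted (relative path, octal mode, owner) tuples for every
    regular file below root whose mode has the other-write bit (o+w) set.
    Symlinks are not followed and non-regular files are skipped."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append((
                    os.path.relpath(path, root).replace(os.sep, "/"),
                    oct(stat.S_IMODE(st.st_mode)),
                    owner_name(st.st_uid),
                ))
    return sorted(findings)


# Constructed sample layout (an assumption for the demo, not a real /var/mqm):
# error logs and an FDC with the 666 mode the thread describes, plus two
# configuration files with tighter modes that must not be reported.
SAMPLE_LAYOUT = {
    "errors/AMQERR01.LOG": 0o666,
    "errors/AMQ12345.0.FDC": 0o666,
    "qmgrs/QM1/errors/AMQERR01.LOG": 0o666,
    "qmgrs/QM1/qm.ini": 0o640,
    "mqs.ini": 0o644,
}


def make_sample_tree(base, layout=SAMPLE_LAYOUT):
    """Create the sample files under base with explicit modes (chmod after
    creation, so the caller's umask cannot mask the bits being tested)."""
    for rel, mode in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return base


def audit_sample():
    """Build the sample tree in a temp dir and audit it; returns the findings."""
    base = tempfile.mkdtemp(prefix="mqm-audit-")
    make_sample_tree(base)
    return world_writable_files(base)


if __name__ == "__main__":
    for rel, mode, owner in audit_sample():
        print(f"{mode} {owner:<8} {rel}")
```

Pointing world_writable_files at /var/mqm on the AIX box gives the list the auditors asked for. The reason the rule exists is plain Unix semantics: a mode of 666 lets any local account open the log for writing, so any account can truncate it or append its own entries.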
kolban
Posted: Sun Dec 09, 2001 9:14 pm

Wow!!! At first I thought there may have been something in error with your configuration, but on my Linux box, I too see the same thing. If this is the reality and MQ created files have public write permissions, I believe that this should be an immediate defect and resolved as quickly as possible. I can think of all manner of problems with this scenario.
dgolding
Posted: Wed Dec 12, 2001 1:05 am

Surely the permissions are like that so a non-MQM group member can write an entry to the error log.....
bduncan
Posted: Wed Dec 12, 2001 10:12 pm

Why? The applications that talk with MQSeries don't write messages to the MQSeries logs. The only processes that are writing to these files are those that comprise the queue manager and its support applications (listeners, channel initiators, etc...) and these all should be running as mqm or someone in the mqm group. It's funny - I've used MQSeries on AIX for a few years and never noticed the 666 thing...

_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
Tibor
Posted: Wed Dec 12, 2001 10:29 pm

(haha)

Just for fun, AMQERR0?.LOG files are set to 666 on HP-UX, also. Plus, there are FDC files in /var/mqm/errors, owned by a non-mqm user who has rights for some queues. These files contain the following message:

...
Component :- xcsDisplayMessageForSubpool
...
Probe Description :- AMQ6119: An internal MQSeries error has occurred ('13 - Permission denied' from open.)
...
File Name
7f7f4250 2F766172 2F6D716D 2F716D67 72732F56 /var/mqm/qmgrs/V
7f7f4260 415A4F4E 2F657272 6F72732F 414D5145 AZON/errors/AMQE
7f7f4270 52523033 2E4C4F47 RR03.LOG
...


Moreover:


-rw-rw-rw- 1 nikovits mqm 66360 Dec 10 18:09 AMQERR01.LOG
-rw-rw-rw- 1 nikovits mqm 256445 Dec 10 17:50 AMQERR02.LOG
-rw-rw-rw- 1 mqm mqm 256058 Dec 10 17:04 AMQERR03.LOG


I know there was a 'conversion error' with this user's application, but why does it want to overwrite AMQ* files?
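As an added example, not code from the thread or from IBM: a small parser for the kind of FDC fragment quoted above, useful when there are dozens of these files to triage. It pulls the component, the probe id and the errno out of the Probe Description line and reassembles the File Name from the hex-dump words (the ASCII column on the right is only for a human to eyeball the result, so the parser drops it). The fragment it runs on is constructed from the lines in the post; the labels it keys on are the ones visible there, not a complete FDC grammar.

```python
import errno
import re

# Constructed from the FDC lines quoted in the post above; not a complete FDC.
FDC_FRAGMENT = """\
...
Component :- xcsDisplayMessageForSubpool
...
Probe Description :- AMQ6119: An internal MQSeries error has occurred ('13 - Permission denied' from open.)
...
File Name
7f7f4250 2F766172 2F6D716D 2F716D67 72732F56 /var/mqm/qmgrs/V
7f7f4260 415A4F4E 2F657272 6F72732F 414D5145 AZON/errors/AMQE
7f7f4270 52523033 2E4C4F47 RR03.LOG
...
"""

HEX_WORD = re.compile(r"^[0-9A-Fa-f]{8}$")
# Matches: Probe Description :- AMQ6119: ... ('13 - Permission denied' from open.)
PROBE_RE = re.compile(
    r"Probe Description\s*:-\s*(AMQ\d{4}):.*\('(\d+) - ([^']*)' from (\w+)\.\)"
)
COMPONENT_RE = re.compile(r"Component\s*:-\s*(\S+)")


def decode_dump(lines):
    """Turn FDC hex-dump lines ('addr word word ... ascii') back into text.
    Each 8-hex-digit word after the address is four raw bytes; the first token
    that is not such a word starts the ASCII rendering and is discarded.
    (An ASCII column that happened to be exactly eight hex digits would be
    misread as data; the real column is 16 characters wide, so this does not
    occur on full lines.)"""
    raw = bytearray()
    for line in lines:
        tokens = line.split()
        if len(tokens) < 2 or not HEX_WORD.match(tokens[0]):
            continue
        for tok in tokens[1:]:
            if not HEX_WORD.match(tok):
                break
            raw += bytes.fromhex(tok)
    return raw.decode("latin-1").rstrip("\x00")


def parse_fdc(text):
    """Extract the fields a triage needs from an FDC fragment: component,
    probe id, errno (number and symbolic name), failing syscall, file name."""
    info = {}
    dump = []
    in_file_name = False
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if in_file_name:
            if HEX_WORD.match(line.split(" ", 1)[0]):
                dump.append(line)
                continue
            # First non-dump line closes the File Name section.
            info["file_name"] = decode_dump(dump)
            in_file_name = False
        m = COMPONENT_RE.match(line)
        if m:
            info["component"] = m.group(1)
            continue
        m = PROBE_RE.match(line)
        if m:
            info["probe"] = m.group(1)
            info["errno"] = int(m.group(2))
            info["errno_name"] = errno.errorcode.get(info["errno"], "?")
            info["error"] = m.group(3)
            info["syscall"] = m.group(4)
            continue
        if line == "File Name":
            in_file_name = True
            dump = []
    if in_file_name:  # dump ran to the end of the fragment
        info["file_name"] = decode_dump(dump)
    return info


if __name__ == "__main__":
    for key, value in parse_fdc(FDC_FRAGMENT).items():
        print(f"{key:<10} {value}")
```

On the fragment above this yields errno 13 (EACCES) from open() on /var/mqm/qmgrs/VAZON/errors/AMQERR03.LOG, i.e. the queue manager's own error log, which is the file the non-mqm process was refused. Run over a whole errors directory, the same function lets you group FDCs by probe id, syscall and file rather than reading hex dumps by hand.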
Manishkj
Posted: Fri Jan 18, 2002 3:43 am

I finally managed to get a reply from IBM. Following is their reply.
"We strongly recommend not to change the permissions of these directories. The permissions are set after a careful study and as such do not pose a security threat.

The directories and files above are accessed by applications which may be running under a user ID which is not mqm and does not belong to the mqm group. The directories and files have owner:group set to mqm:mqm. The applications need to access these directories and files to use MQ shared resources, e.g. dir /var/mqm/errors and file AMQERR0123.LOG, and MQ trace, dir /var/mqm/trace. Such applications are user-written MQI applications.
@ipcc directories and files are zero-byte files and only required by the Qmgr, and the contents of these files has no bearing on the functioning of the Qmgr. As explained above, 'error' directories and files are accessed by non-mqm application groups, e.g. to take a trace of the non-mqm application process, to log an error message by a non-mqm application process etc."

bduncan
Posted: Fri Jan 18, 2002 2:00 pm

Thanks for the update... Well, I learned something new. I never thought that non-mqm applications connected to the queue manager would write to the error logs directly.

_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
Copyright © MQSeries.net. All rights reserved.