placevasup.blogg.se

Mqm com












Your security team has identified the following areas of concern under $MQ_INSTALLATION_PATH:

1. Files in /opt/mqm/bin,lib,lib64 directories are setuid for the owner of the directory tree where they reside.

r-sr-s- 1 mqm mqm 2.6 /opt/mqm/bin/amqcrsta_nd
r-sr-sr-x 1 mqm mqm 5.6 /opt/mqm/lib/amqccgsk
r-sr-sr-x 1 mqm mqm 6.6 /opt/mqm/lib64/amqccgsk

2. User does not own files in /opt/mqm/lib/iconv directory.

3. Files in /opt/mqm/licenses are world-writable.

rwxrwxrwx 1 mqm mqm 5.6 /opt/mqm/licenses/English.txt

Note: "." was used above to shorten the ls output.

4. Practically all the directories and files are owned by "mqm:mqm" except for the following, which are owned by root:

dr-xr-x- 1 root mqm 48 Jun 30 08:06 /opt/mqm/bin/security

One of the concerns on UNIX with respect to setuid programs was that the system security could be compromised by manipulating environment variables such as LD* (LD_LIBRARY_PATH, LIBPATH on AIX, etc). But, this is no longer a concern as various UNIX operating systems (Solaris, HP, AIX, Linux) now ignore these LD* environment variables when loading setuid programs. In the case of AIX, the LIBPATH is ignored. Hence, the setuid/setgid programs for MQ are not really a concern.

1. Why are some of the MQ programs mqm-setuid/setgid?

In MQ, the user id "mqm" and any ID which is a part of "mqm" group are the MQ administrative users. MQ queue manager resources are protected by authenticating against this user. Since the queue manager processes use and modify these queue manager resources, the queue manager processes will require "mqm" authority to access the resources. Hence, MQ queue manager support processes are designed to run with the effective user-id of "mqm". To help non-administrative users accessing MQ objects, MQ provides an Object Authority Manager (OAM) facility where authorities can be granted/revoked on the need of the application executed by the non-administrative user. With the ability to grant different levels of authentications for users and the fact that setuid/setgid programs ignore LD* variables, the MQ binary/library files do not compromise a system's security in any way.

2. Is it possible to change the permissions to satisfy our security policy without jeopardizing MQ functionality?

Changing the permissions and ownerships of any of the MQ binaries and libraries should not be done. MQ functionality may suffer due to this kind of change, such that queue manager processes may fail to access some of the resources. We would like to reiterate that the permissions and ownerships do not pose any security threat to the system.

3. Why are the files under /opt/mqm/licenses world-writable?

These are simple text files containing "International Program License Agreement", which will not be read or used by any of the queue manager processes.

4) There are 2 cases which need to be discussed separately.

4.a) The subdirectory "maintenance" is used to store a backup of files after a Fix Pack is applied. The subdirectory tree needs to be owned by root.

4.b) The $MQ_INSTALLATION_PATH/bin/security is a new subdirectory added in MQ 8.0.

* MQ setuid/setgid programs do not cause any security threat to the system.
* Permissions and ownerships of these files should not be modified.
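
Because the page advises leaving these permissions and ownerships as installed, a practical control is to record them once and alert when they change. The Python sketch below is an added example, not part of the original page or of MQ: it classifies a tree into the finding types listed above (setuid/setgid files, world-writable entries, entries not owned by the expected user) and diffs two runs. The sample tree, its modes, `bin/readme.txt` and all function names are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_tree(root, expected_uid):
    """Group paths under root by the finding types the security team raised."""
    found = {"setid": [], "world_writable": [], "other_owner": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat so symlinks are never followed
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            rel = os.path.relpath(path, root)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found["setid"].append(rel)
            if st.st_mode & stat.S_IWOTH:
                found["world_writable"].append(rel)
            if st.st_uid != expected_uid:
                found["other_owner"].append(rel)
    return {kind: sorted(paths) for kind, paths in found.items()}

def drift(baseline, current):
    """Report what appeared or disappeared in each category since the baseline."""
    report = {}
    for kind in baseline:
        old, new = set(baseline[kind]), set(current.get(kind, []))
        if old != new:
            report[kind] = {"added": sorted(new - old), "removed": sorted(old - new)}
    return report

def build_sample_tree(root):
    """Constructed stand-in for an install tree; file names echo the page's listing."""
    # Modes are constructed sample values, not read from a real installation.
    modes = {"bin/amqcrsta_nd": 0o6550, "lib/amqccgsk": 0o6555,
             "licenses/English.txt": 0o777, "bin/readme.txt": 0o444}
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        baseline = audit_tree(tmp, os.getuid())
        os.chmod(os.path.join(tmp, "bin/amqcrsta_nd"), 0o550)  # simulated drift
        print(drift(baseline, audit_tree(tmp, os.getuid())))
```

Against a real installation, `root` would be the installation path and `expected_uid` the uid of "mqm"; the root-owned entries the page describes then show up under `other_owner` in the baseline and only changes to them are reported.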











