Re: concept behind in db2 software as root with some files as world executable

by "Dave Hughes" <dave@[EMAIL PROTECTED]> Apr 28, 2008 at 10:04 AM

shiva359@[EMAIL PROTECTED] wrote:

> Hi,
>
> Could someone throw some light on why the default software, when
> installed (as root for creating an instance), leaves us with some
> world accessible directories, some world executable files and some
> world readable files?
>
> I am facing this issue on how to explain to the Unix Audit Team how
> db2 is ensuring security even after allowing such permissions at
> software level. If I give 750 permissions to the root id software
> account then my db2 instance link files are giving errors.
>
[snip]

I wouldn't claim to be an expert on security, but I don't see any issue
with world-read or world-exec permissions ... after all, the vast
majority of stuff in /usr/bin has such permissions. I would've thought
the audit team would be more concerned about stuff like world-writeable
dirs, and suid execs, of which there are a few in a DB2 instance home
directory.

For example on my 9.5 Linux installation, the following files are
suid-root and world-executable:

db2inst1 ~/sqllib $ find -user root -perm -u+s,-o+x | xargs ls -l
-r-s--x--x 1 root db2iadm1   26052 2008-04-19 06:48 ./adm/db2cacpy
-r-sr-xr-x 1 root db2iadm1   97623 2008-04-19 06:48 ./adm/db2dasstml
-r-sr-s--x 1 root db2iadm1 1705542 2008-04-19 06:48 ./adm/db2fmpr
-r-sr-s--x 1 root db2iadm1   66586 2008-04-19 06:48 ./adm/db2fmpr32
-r-sr-s--x 1 root db2iadm1   24919 2008-04-19 06:48 ./adm/db2fmpterm
-r-s--x--x 1 root db2iadm1  160916 2008-04-19 06:48 ./adm/db2genp
-r-sr-xr-x 1 root db2iadm1 3857680 2008-04-19 06:48 ./adm/db2havend
-r-sr-xr-x 1 root db2iadm1 3240951 2008-04-19 06:48 ./adm/db2havend32
-r-sr-x--x 1 root db2iadm1  221231 2008-04-19 06:48 ./adm/db2licd
-r-sr-s--x 1 root db2iadm1 1693953 2008-04-19 06:48 ./adm/db2pd
-r-sr-s--x 1 root db2iadm1 2024307 2008-04-19 06:48 ./adm/db2pdcfg
-r-sr-s--x 1 root db2iadm1   39453 2008-04-19 06:48 ./adm/db2start
-r-sr-s--x 1 root db2iadm1   40165 2008-04-19 06:48 ./adm/db2stop
-r-s--x--x 1 root db2iadm1   52313 2008-04-19 06:48 ./security/db2chpw
-r-s--x--x 1 root db2iadm1 3791717 2008-04-19 06:48 ./security/db2ckpw

As for why these permissions are the way they are: in the case of
~db2inst1/sqllib/security/db2ckpw, that's the process used to
authenticate users. It needs to be suid-root in order to read the local
shadow file (likewise, db2chpw needs to be suid-root in order to update
the local shadow file if a user attempts a password change while
connecting).

I suspect it's good practice to have entirely separate, single purpose
executables for this kind of procedure in order to minimize the risk of
buffer overflows and other nasty things. Still, I'd assume an audit
team would be mostly concerned with documenting and testing things like
this before worrying about world-read / world-exec stuff.


Cheers,

Dave.
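As an added example (not code from the thread, and not IBM's), here is a read-only shell audit of an instance home such as ~db2inst1/sqllib that reports the findings Dave says an audit team should look at first: world-writable directories and files, and setuid/setgid executables, with setuid-root world-executable binaries (the db2ckpw/db2chpw case) flagged as their own class. It assumes GNU find for -printf and -perm /mode.

```shell
# Added example: audit an instance home tree for the permission classes
# an auditor cares about, printing CLASS<TAB>octal-mode<TAB>owner<TAB>path.
# Assumes GNU find (-printf, -perm /mode); nothing is modified.
audit_perms() {
    dir="$1"
    # 1. World-writable directories without the sticky bit: any user can
    #    create, rename or delete entries, the classic link-attack setup.
    find "$dir" -type d -perm -o+w ! -perm -1000 \
        -printf 'WORLD_WRITABLE_DIR\t%m\t%u\t%p\n'
    # 2. World-writable regular files: contents changeable by any user.
    find "$dir" -type f -perm -o+w \
        -printf 'WORLD_WRITABLE_FILE\t%m\t%u\t%p\n'
    # 3. setuid-root binaries that anyone may execute (o+x), i.e. the
    #    db2ckpw/db2chpw pattern from the listing above: these are the
    #    ones to document and test, since any local user reaches root code.
    find "$dir" -type f -user root -perm -u+s -perm -o+x \
        -printf 'SUID_ROOT_WORLD_EXEC\t%m\t%u\t%p\n'
    # 4. Any other setuid or setgid file (non-root owner, or not world-exec).
    find "$dir" -type f -perm /6000 ! \( -user root -perm -u+s -perm -o+x \) \
        -printf 'SETUID_SETGID_OTHER\t%m\t%u\t%p\n'
}

# Number of findings of one class, e.g. count_class ~/sqllib SUID_ROOT_WORLD_EXEC,
# so a scripted check can fail when an unexpected class appears.
count_class() {
    audit_perms "$1" | awk -F '\t' -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

# Stand-alone use: audit the directory given on the command line.
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
fi
```

World-read and world-exec bits, which the original question worried about, are deliberately not reported, matching the reply's point that they are normal for installed software.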
 




4 Posts in Topic:
  concept behind in db2 software as root with some files as world executable - shiva359@[EMAIL PROTECTED] - 2008-04-28 05:38:56
  Re: concept behind in db2 software as root with some files as world executable - Serge Rielau - 2008-04-28 09:25:09
  Re: concept behind in db2 software as root with some files as world executable - "Dave Hughes" - 2008-04-28 10:04:32
  Re: concept behind in db2 software as root with some files as world executable - Darin McBride - 2008-05-01 20:02:24