dBforums > Database Server Software > DB2 > fenced user and the .fenced file
#1 (09-20-10, 05:05)
vshasha, Registered User, Join Date: Sep 2010, Posts: 3
fenced user and the .fenced file

Hi,

Can anyone help me out with the following issue regarding fenced user permissions and routines that run under the fenced user?

Platform - linux
db2 version - db2v95

I have created an instance using the following.

./db2icrt -u db2fenc1 db2inst1

Consider the following scenario.
db2fenc1 - fenced user
db2inst1 - instance owner.
db2inst1@beta5>id db2fenc1
uid=44048(db2fenc1) gid=100(users), groups=100(users),16(dialout),33(video)

db2inst1@beta5>id db2inst1
uid=44049(db2inst1) gid=204(search) groups=204(search),16(dialout),33(video)
db2inst1@beta5>ls -l /home/db2inst1/sqllib/adm/.fenced
-r--r--r-- 1 db2fenc1 users 0 2010-08-11 15:55

Suppose I change only the group ownership of /home/db2inst1/sqllib/adm/.fenced to "search", i.e.:

root@beta5> chgrp search /home/db2inst1/sqllib/adm/.fenced

db2inst1@beta5>ls -l /home/db2inst1/sqllib/adm/.fenced
-r--r--r-- 1 db2fenc1 search 0 2010-08-11 15:55

Please note: I have only changed the group of the .fenced file and not the group of the fenced user (i.e. db2fenc1).

What would be the impact on the routines running as fenced before and after the above change?
#2 (09-20-10, 13:09)
db2girl, ∞∞∞∞∞∞, Join Date: Aug 2008, Location: Toronto, Canada, Posts: 1,816
Based on the information I received from someone who knows fenced stuff well, db2 reads this file in order to find who the owner of the db2fmp process is. So, there should not be any impact on routines running as fenced.

However, I found the following mentioned here:
Backup and restore SQL schemas for DB2 Universal Database

"The procedures use the SYSPROC.ADMIN_CMD() stored procedure to export and the SYSPROC.DB2LOAD() stored procedure to load. (SYSPROC.ADMIN_CMD() has been introduced in DB2 V8.2.2 (FP 9). Therefore, V8.2.2 is the minimum version requirement.) SYSPROC.ADMIN_CMD() executes under the fenced user id and group specified by the owner of the sqllib\adm\.fenced file. As a result the exported files have the same owner and group as sqllib\adm\.fenced. Therefore it is important to ensure that the user or group has privileges to write to the specified directories, while the user id expected to access the files also has access. The simple solution is to change ownership of sqllib\adm\.fenced to the instance owner. The safer solution is to have both IDs as members of a shared group and change only the group ownership of sqllib\adm\.fenced to that shared group. This way it is ensured that you can access the produced files through the group membership."
#3 (09-21-10, 01:14)
vshasha, Registered User, Join Date: Sep 2010, Posts: 3
Thanks for your reply. Can the fenced routines access the sqllib directory or change any sensitive data which the fenced user is not supposed to change by doing this (i.e. changing the group of the .fenced file)?
#4 (09-21-10, 09:20)
db2girl, ∞∞∞∞∞∞, Join Date: Aug 2008, Location: Toronto, Canada, Posts: 1,816
Sorry, I don't know enough about (fenced) routines to answer your question.
#5 (09-22-10, 13:27)
stolze, Registered User, Join Date: Jan 2007, Location: Jena, Germany, Posts: 2,662
Yes, if not configured properly, that can happen. The user/group membership of the .fenced file defines the authorizations with which the db2fmp (fenced mode process) is running. All operations done inside that process will be checked by the operating system kernel, including file operations. So if the db2fmp is running with an authorization that can change some files under sqllib/, a UDF running in the db2fmp can perform such changes.
__________________
Knut Stolze
IBM DB2 Analytics Accelerator
IBM Germany Research & Development
#6 (11-16-10, 13:33)
vshasha, Registered User, Join Date: Sep 2010, Posts: 3
Thanks a lot for the reply.

I have another question related to this.

db2inst1@beta5>id db2fenc1
uid=44048(db2fenc1) gid=100(users), groups=100(users),16(search),33(video)


db2inst1@beta5>id db2inst1
uid=44049(db2inst1) gid=204(search) groups=204(search),16(dialout),33(video)

If the fenced user (i.e. db2fenc1) has a secondary group "search", which is the primary group of the instance owner and has SYSADM authority, will the fenced user also get SYSADM authority?
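The two concerns raised in this thread (stolze's point that the owner and group of sqllib/adm/.fenced become the OS credentials of db2fmp, and the follow-up question about the fenced user sharing the instance owner's primary group) can be checked mechanically. The script below is an added example, not code from the thread or from IBM: it parses captured `ls -l` and `id` output, reports the identity db2fmp would run under, and warns when that identity overlaps the instance owner's primary group. The sample lines are constructed from the output quoted in the posts; the function names are the example's own. Whether the instance owner's primary group actually carries SYSADM is an assumption the script cannot see; on a live instance that is the SYSADM_GROUP value in `db2 get dbm cfg`.

```shell
#!/bin/sh
# Added example (not from the thread): audit the OS identity a DB2 fenced-mode
# process (db2fmp) inherits from sqllib/adm/.fenced. Works on captured text so
# it runs offline; on a live host feed it `ls -l .../.fenced` and `id <user>`.

# Owner and group fields of an `ls -l` line.
fenced_owner() { echo "$1" | awk '{print $3}'; }
fenced_group() { echo "$1" | awk '{print $4}'; }

# Primary group name from an `id` line: "gid=204(search)" -> "search".
primary_group() { echo "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'; }

# All group names (primary and secondary) from an `id` line, one per line.
all_groups() {
  echo "$1" | sed -n 's/.*groups=\(.*\)/\1/p' | tr ',' '\n' | sed 's/.*(\([^)]*\))/\1/'
}

# True when group $1 appears in the groups of `id` line $2.
in_groups() { all_groups "$2" | grep -qx "$1"; }

# audit_fenced <ls -l line of .fenced> <id line of fenced user> <id line of instance owner>
# Returns 0 when the fenced identity does not overlap the instance owner's
# primary group, 1 when it does (group ownership of .fenced or group membership).
audit_fenced() {
  ls_line=$1; fenc_id=$2; inst_id=$3
  rc=0
  inst_pgrp=$(primary_group "$inst_id")
  fowner=$(fenced_owner "$ls_line")
  fgrp=$(fenced_group "$ls_line")
  echo "db2fmp would run as ${fowner}:${fgrp}"
  if [ "$fgrp" = "$inst_pgrp" ]; then
    echo "WARN: .fenced group '$fgrp' is the instance owner's primary group;" \
         "any group-writable file under sqllib/ is writable from fenced routines"
    rc=1
  fi
  if in_groups "$inst_pgrp" "$fenc_id"; then
    echo "WARN: fenced user is a member of '$inst_pgrp'; if that group is the" \
         "SYSADM_GROUP, the fenced user holds SYSADM through it"
    rc=1
  fi
  return $rc
}

# Constructed sample input, taken from the output quoted in the thread,
# after the .fenced group was changed to "search".
LS_FENCED='-r--r--r-- 1 db2fenc1 search 0 2010-08-11 15:55 .fenced'
ID_FENC='uid=44048(db2fenc1) gid=100(users) groups=100(users),16(dialout),33(video)'
ID_INST='uid=44049(db2inst1) gid=204(search) groups=204(search),16(dialout),33(video)'

if audit_fenced "$LS_FENCED" "$ID_FENC" "$ID_INST"; then
  echo "OK: fenced identity is separated from the instance owner's group"
else
  echo "REVIEW: fenced identity overlaps the instance owner's group"
fi
```

The group check is deliberately strict: the doc text quoted in #2 recommends a shared group between the fenced user and the instance owner, and the script flags exactly that configuration so that an administrator decides knowingly which files under sqllib/ that group can write.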