  1. #1

    Unanswered: fenced user and the .fenced file

    Hi,

    Can anyone help me with the following issue regarding fenced user permissions and routines that run under the fenced user?

    Platform - linux
    db2 version - db2v95

    I have created an instance using the following.

    ./db2icrt -u db2fenc1 db2inst1

    Consider the following scenario.
    db2fenc1 - fenced user
    db2inst1 - instance owner.
    db2inst1@beta5>id db2fenc1
    uid=44048(db2fenc1) gid=100(users), groups=100(users),16(dialout),33(video)

    db2inst1@beta5>id db2inst1
    uid=44049(db2inst1) gid=204(search) groups=204(search),16(dialout),33(video)
    db2inst1@beta5>ls -l /home/db2inst1/sqllib/adm/.fenced
    -r--r--r-- 1 db2fenc1 users 0 2010-08-11 15:55

    Suppose I change only the group ownership of /home/db2inst1/sqllib/adm/.fenced to "search", i.e.

    root@beta5> chgrp search /home/db2inst1/sqllib/adm/.fenced

    db2inst1@beta5>ls -l /home/db2inst1/sqllib/adm/.fenced
    -r--r--r-- 1 db2fenc1 search 0 2010-08-11 15:55

    Please note: I have only changed the group of the .fenced file and not the group of the fenced user (i.e. db2fenc1).

    What would be the impact on the routines running as fenced before and after the above change?

  2. #2
    Based on the information I received from someone who knows fenced stuff well, db2 reads this file in order to find who the owner of the db2fmp process is. So there should not be any impact on routines running as fenced.

    However, I found the following mentioned here:
    Backup and restore SQL schemas for DB2 Universal Database

    "The procedures use the SYSPROC.ADMIN_CMD() stored procedure to export and the SYSPROC.DB2LOAD() stored procedure to load. (SYSPROC.ADMIN_CMD() has been introduced in DB2 V8.2.2 (FP 9). Therefore, V8.2.2 is the minimum version requirement.) SYSPROC.ADMIN_CMD() executes under the fenced user id and group specified by the owner of the sqllib\adm\.fenced file. As a result the exported files have the same owner and group as sqllib\adm\.fenced. Therefore it is important to ensure that the user or group has privileges to write to the specified directories, while the user id expected to access the files also has access. The simple solution is to change ownership of sqllib\adm\.fenced to the instance owner. The safer solution is to have both IDs as members of a shared group and change only the group ownership of sqllib\adm\.fenced to that shared group. This way it is ensured that you can access the produced files through the group membership."

  3. #3
    Thanks for your reply. Can the fenced routines access the sqllib directory or change any sensitive data which the fenced user is not supposed to change by doing this (i.e. changing the group of the .fenced file)?

  4. #4
    Sorry, I don't know enough about (fenced) routines to answer your question.

  5. #5
    Yes, if not configured properly, that can happen. The user/group membership of the .fenced file defines the authorizations with which the db2fmp (fenced mode process) is running. All operations done inside that process will be checked by the operating system kernel, including file operations. So if the db2fmp is running with an authorization that can change some files under sqllib/, a UDF running in the db2fmp can perform such changes.
    Knut Stolze
    IBM DB2 Analytics Accelerator
    IBM Germany Research & Development
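
A worked check for the two points made above (the IBM quote in #2, that exported files carry the owner and group of .fenced, and the point in #5 that the kernel checks every file operation of db2fmp against the identity taken from .fenced): the following Python script is an added example written for this thread, not IBM's code. It models the POSIX write check for a uid, gid and supplementary group list derived from the .fenced owner, runs it over a constructed sqllib-style tree using the uids and gids from this thread (the file modes in the tree are made up for illustration, not DB2 defaults), and can also be pointed at a live instance with `audit_live`. Assumptions: db2fmp carries the supplementary groups of the .fenced owner's uid (check a running db2fmp with `cat /proc/<pid>/status` and compare the Groups line); ACLs, capabilities and uid 0 are not modeled.

```python
#!/usr/bin/env python3
"""Model which files a DB2 fenced-mode process (db2fmp) could write,
given the ownership of sqllib/adm/.fenced.

Added example for this thread, not IBM code. Rule modeled: db2fmp runs
with the uid and gid of the owner of .fenced, and the kernel checks each
file operation against that uid, gid and supplementary groups using the
plain POSIX mode bits. ACLs, capabilities and uid 0 are out of scope.
"""
import os
import stat
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Mapping


@dataclass(frozen=True)
class Identity:
    uid: int
    gid: int
    groups: FrozenSet[int]      # supplementary gids


@dataclass(frozen=True)
class Entry:
    path: str
    uid: int
    gid: int
    mode: int                   # permission bits only, e.g. 0o664


def can_write(ident: Identity, entry: Entry) -> bool:
    """POSIX class selection: owner bits if uid matches, else group bits
    if the file's gid is the process gid or a supplementary gid, else
    the 'other' bits."""
    if entry.uid == ident.uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid == ident.gid or entry.gid in ident.groups:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)


def fenced_identity(fenced: Entry,
                    supplementary: Mapping[int, Iterable[int]]) -> Identity:
    """db2fmp identity from the .fenced file: its uid and gid. The
    supplementary list comes from the uid, not from the file, which is
    why chgrp on .fenced changes the gid but not the group list.
    ASSUMPTION: db2fmp picks up the uid's supplementary groups."""
    return Identity(fenced.uid, fenced.gid,
                    frozenset(supplementary.get(fenced.uid, ())))


def writable_by_fenced(fenced: Entry, tree: Iterable[Entry],
                       supplementary: Mapping[int, Iterable[int]]) -> List[str]:
    """Paths in tree that a routine inside db2fmp could modify."""
    ident = fenced_identity(fenced, supplementary)
    return sorted(e.path for e in tree if can_write(ident, e))


def stat_entry(path: str) -> Entry:
    st = os.lstat(path)
    return Entry(path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def audit_live(fenced_path: str, root: str,
               supplementary: Mapping[int, Iterable[int]]) -> List[str]:
    """Same check over a real directory tree, e.g.
    audit_live('/home/db2inst1/sqllib/adm/.fenced', '/home/db2inst1/sqllib',
               {44048: (16, 33)})."""
    tree = [stat_entry(root)]
    for dirpath, dirnames, filenames in os.walk(root):
        tree.extend(stat_entry(os.path.join(dirpath, n))
                    for n in dirnames + filenames)
    return writable_by_fenced(stat_entry(fenced_path), tree, supplementary)


# Constructed scenario using the ids from the thread. File modes are
# illustrative only, not DB2 defaults.
DB2FENC1, DB2INST1 = 44048, 44049
USERS, DIALOUT, VIDEO, SEARCH = 100, 16, 33, 204
SUPP = {DB2FENC1: (DIALOUT, VIDEO), DB2INST1: (DIALOUT, VIDEO)}
FENCED = "/home/db2inst1/sqllib/adm/.fenced"
FENCED_BEFORE = Entry(FENCED, DB2FENC1, USERS, 0o444)   # db2fenc1:users
FENCED_AFTER = Entry(FENCED, DB2FENC1, SEARCH, 0o444)   # after chgrp search
TREE = [
    Entry("/home/db2inst1/sqllib/db2nodes.cfg", DB2INST1, SEARCH, 0o664),
    Entry("/home/db2inst1/sqllib/db2profile", DB2INST1, SEARCH, 0o644),
    Entry("/data/export", DB2INST1, SEARCH, 0o775),     # ADMIN_CMD target dir
]

if __name__ == "__main__":
    for label, fenced in (("before", FENCED_BEFORE), ("after", FENCED_AFTER)):
        hits = writable_by_fenced(fenced, TREE, SUPP)
        print(f"{label} chgrp: db2fmp can write {hits or 'nothing'}")
```

In the constructed scenario the chgrp achieves what the IBM note wants (the export directory becomes writable through the shared group) and at the same time exposes every group-writable file under sqllib to code running in db2fmp, which is the risk raised in #3 and confirmed in #5. The practical check is therefore not the group change itself but whether anything under sqllib is group-writable by the group you put on .fenced; run `audit_live` (or `find /home/db2inst1/sqllib -group search -perm -g+w`) before and after the change.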

  6. #6
    Thanks a lot for the reply.

    I have another question related to this.

    db2inst1@beta5>id db2fenc1
    uid=44048(db2fenc1) gid=100(users), groups=100(users),16(search),33(video)


    db2inst1@beta5>id db2inst1
    uid=44049(db2inst1) gid=204(search) groups=204(search),16(dialout),33(video)

    If the fenced user (i.e. db2fenc1) has a secondary group "search", which is the primary group of the instance owner and has SYSADM authority, will the fenced user also get SYSADM authority?
