  1. #1
    Join Date
    Dec 2003
    Posts
    78

    Unanswered: unix db2 security

    Hello all.
    We have unix db2 v7.2 servers.
    As DBAs we perform administration operations as follows (considering db2admin is the user in the db2iadm1 group with database admin privileges):
    -We log in to the server with telnet with our private logins
    -We do "su - db2admin" supplying our private password
    -Then, under the user db2admin, we perform our administration.

    Now, we have the problem that:
    -we don't want any user other than db2admin users to perform db admin utilities, commands, etc.
    -users with the root password can easily "su" to db2admin without the password and they are able to perform our operations without our knowledge.

    How can we manage root not to be able to perform db2admin operations?

    I hope I asked the question clearly.
    Thanks, all.

  2. #2
    Join Date
    Aug 2001
    Location
    UK
    Posts
    4,650

    Re: unix db2 security

    The Sysadm for an instance is given to a group ... So, the first step to ensure that no user other than db2admin has authority on the instance is to remove all users except the instance owner from the sysadm group .... You should also revoke database privileges like createtab, bind, connect etc. from PUBLIC ... Then you can start looking at what the applications do and what privileges they want and then grant them appropriately ...

    Refer to the 'authorization' sub-heading under each SQL or Command in the DB2 Manuals

    And there is no way you can prevent the root user from doing things as instance owner .... The root user-id is supposed to be in the hands of 'responsible' people .....

    HTH

    Sathyaram

    Visit the new-look IDUG Website , register to gain access to the excellent content.
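
Added example, not part of the thread or of DB2: a shell check for the first step in reply #2 above, listing every account other than the instance owner that belongs to the instance's SYSADM group, including accounts that only have it as their primary group in the passwd file. The file contents, the `alice` and `bob` accounts, and the lowercase Unix group name are constructed assumptions.

```shell
#!/bin/sh
# Added example: who, besides the instance owner, is in the SYSADM group?

# Read "db2 get dbm cfg" output on stdin and print the SYSADM group name.
# Assumption: the Unix group is the lowercase form of the value DB2 reports.
sysadm_group_from_cfg() {
    awk -F'=' '/\(SYSADM_GROUP\)/ { gsub(/[ \t]/, "", $2); print tolower($2) }'
}

# extra_sysadm_members GROUP OWNER GROUP_FILE PASSWD_FILE
# Prints, sorted, every member of GROUP except OWNER.
extra_sysadm_members() {
    awk -F: -v grp="$1" -v owner="$2" '
        FNR == NR {                     # first file: group database
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")   # supplementary members
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        # second file: passwd; a matching primary gid is also membership
        gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) if (u != owner) print u }
    ' "$3" "$4" | sort
}

# Constructed sample data (not from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' 'staff:x:100:' 'db2iadm1:x:201:db2admin,alice' > "$demo_dir/group"
printf '%s\n' 'db2admin:x:500:201::/home/db2admin:/bin/sh' \
              'alice:x:501:100::/home/alice:/bin/sh' \
              'bob:x:502:201::/home/bob:/bin/sh' > "$demo_dir/passwd"
cfg_line=' SYSADM group name                        (SYSADM_GROUP) = DB2IADM1'

grp=$(printf '%s\n' "$cfg_line" | sysadm_group_from_cfg)
extra_sysadm_members "$grp" db2admin "$demo_dir/group" "$demo_dir/passwd"
```

On a live instance, pipe `db2 get dbm cfg` into `sysadm_group_from_cfg` and pass `/etc/group` and `/etc/passwd`; an empty result means only the instance owner holds SYSADM through the group.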

  3. #3
    Join Date
    Dec 2003
    Posts
    78

    how about chmod??

    Thanks Sathyaram,
    How about this: can we restrict root from doing these db2 commands (db2stop, db2start, db2 force applications all, etc.) by using chmod commands, restricting read/write/execute privileges?
    It may be a stupid idea, I agree.
    If root "su"s as instance owner without a password, is it the same as logging in as instance owner with a password?

  4. #4
    Join Date
    Mar 2004
    Location
    Toronto, ON, Canada
    Posts
    513
    In my experience, root is root; they can always su to any id. I don't think you can do anything to stop them.
    --
    Jonathan Petruk
    DB2 Database Consultant
