On 4 Jan 2006 07:36:21 -0800,
carsten@uniqsys.com <carsten@uniqsys.com> wrote:
> If this is standard engine, you have to make sure that the user that's
> trying to connect has read, write, and execute permissions on the
> <dbname>.dbs directory. This can probably be achieved by adding the
> user to the group that owns the dbs directory.

No, No, No, No, No, NO, **NO** !!!!

Do not throw away all your security!

The dbname.dbs directory should have precisely 770 permission, owned
by the database owner, and belonging to group informix. Anything else
is a disaster. Similarly, all the files (.dat and .idx files) in the
database directory will belong to the user who created the table and
belong to group informix and will have 660 permission. Any relaxation
(or tightening) of these permissions breaks things.

Laxer permissions mean that anyone can read the files - or write over
the files, thereby destroying the data. Indeed, setting the database
directory to 777 means that anybody, but anybody, can eliminate files
from your database (not necessarily dropping the tables; just removing
the files, or adding new ones).

Note that sqlexec should be a SUID root, SGID informix program. If it
has incorrect permissions (is missing the SGID permissions in
particular), then you run into problems, and the 'obvious' way to fix
them is by wrecking the permissions on the database directory and the
files in the database directory. However, 'obvious' is not the same
as 'correct' in this case. The correct fix is to ensure that
$INFORMIXDIR/lib/sqlexec has the correct permissions - 6511 (or, more
likely, 6755 or 6775, though no-one really needs write access and you
don't need read access on an executable to execute it - scripts, yes;
executables, no). You might also need to check that the mkdbsdir
program has the correct permissions (SUID root, SGID informix) too.

So, just to make it clear:

DO NOT SET THE PERMISSIONS ON dbase.dbs DIRECTORY TO 777.

Leave them as 770 and ensure that the group is group informix.

--
Jonathan Leffler #include <disclaimer.h>
Email: jleffler@earthlink.net, jleffler@us.ibm.com
Guardian of DBD::Informix v2005.02 -- http://dbi.perl.org/
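
An added example, not part of the original post: a POSIX shell audit of the permissions the reply describes (770 database directory, 660 .dat/.idx files, group informix, SUID/SGID sqlexec and mkdbsdir). The function names, the optional owner/group override arguments and the extra world-writable check are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit Informix SE permissions as described in the post.
# Defaults (group informix, owner root) come from the post; the function
# names and the override arguments are this example's own.

# has_perm PATH FIND-TESTS...: true if PATH itself satisfies the find tests.
has_perm() {
    p=$1; shift
    [ -n "$(find "$p" -prune "$@" 2>/dev/null)" ]
}

# audit_dbs DIR [GROUP]: directory must be exactly 770, .dat/.idx files
# exactly 660, all in GROUP. Prints each finding; returns 1 if any.
audit_dbs() {
    dir=$1; grp=${2:-informix}; bad=0
    if ! has_perm "$dir" -type d -perm 770 -group "$grp"; then
        echo "BAD dir  $dir (want 770, group $grp)"; bad=1
    fi
    for f in "$dir"/*.dat "$dir"/*.idx; do
        [ -e "$f" ] || continue          # glob matched nothing
        if ! has_perm "$f" -type f -perm 660 -group "$grp"; then
            echo "BAD file $f (want 660, group $grp)"; bad=1
        fi
    done
    return $bad
}

# audit_suid FILE [OWNER] [GROUP]: sqlexec and mkdbsdir need both the SUID
# and SGID bits, owned by OWNER, in GROUP. The world-writable test is an
# extra check added by this example.
audit_suid() {
    f=$1; own=${2:-root}; grp=${3:-informix}
    if has_perm "$f" -type f -perm -6000 -user "$own" -group "$grp" \
        && ! has_perm "$f" -perm -0002; then
        return 0
    fi
    echo "BAD prog $f (want SUID $own, SGID $grp, not world-writable)"
    return 1
}
```

Typical use is `audit_dbs /path/to/dbname.dbs` followed by `audit_suid "$INFORMIXDIR/lib/sqlexec"`; a non-zero status means the permissions differ from what the post prescribes.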