SEO

Hi ,

could someone throw some light on why do default
software when installed ( as root for creating an instance
leaves us with some world accessable directories & some world
executable files & some world readable files .

I am facing this issue on how to explain to Unix Audit Team
how db2 is ensuring security even after allowing such
permissions at software level . if I give 750 permissions
to root id software account then my db2 instance links files
are giving errors

for example
/usr/opt/db2_08_01 # ls -lrt
total 804560
-rw-r--r-- 1 root system 411811840 May 20 2006 db2tar
lrwxrwxrwx 1 root system 13 May 20 2006 freeware -> /
opt/freeware
drwxr-xr-x 4 db2inst1 db2grp1 256 May 20 2006 doc
drwxr-xr-x 5 db2inst1 db2grp1 256 May 20 2006 infopop
drwxr-xr-x 4 root dasadm1 256 May 20 2006 msg
drwxr-xr-x 3 root system 256 May 20 2006 lost+found
drwxr-xr-x 3 db2inst1 db2grp1 256 Jun 10 2006 include64
drwxr-xr-x 3 bin bin 4096 Jun 10 2006 include
drwxr-xr-x 3 bin bin 256 Jun 10 2006 tivready
drwxr-xr-x 54 bin bin 4096 Jun 10 2006 license
drwxr-xr-x 12 bin bin 4096 Jun 10 2006 das
drwxr-xr-x 3 root system 4096 Jun 10 2006 dasfcn64
drwxr-xr-x 3 root system 4096 Jun 10 2006 dasfcn
drwxr-xr-x 3 db2inst1 db2grp1 256 Jun 10 2006 map
drwxr-xr-x 4 db2inst1 db2grp1 256 Jun 10 2006 Readme
drwxr-xr-x 5 bin bin 4096 Jun 10 2006 instance
drwxr-xr-x 4 root dasadm1 12288 Jun 10 2006 conv
drwxr-xr-x 4 bin bin 256 Jun 10 2006 security64
drwxr-xr-x 4 bin bin 256 Jun 10 2006 security
drwxr-xr-x 3 db2inst1 db2grp1 4096 Jun 10 2006 java
drwxr-xr-x 4 db2inst1 db2grp1 4096 Jun 10 2006 tools
drwxr-xr-x 3 db2inst1 db2grp1 256 Jun 10 2006 adsm64
drwxr-xr-x 3 bin bin 256 Jun 10 2006 adsm
drwxr-xr-x 3 bin bin 4096 Jun 10 2006 adm64
drwxr-xr-x 4 bin bin 12288 Jun 10 2006 bin
drwxr-xr-x 4 db2inst1 db2grp1 12288 Jun 10 2006 bin64
drwxr-xr-x 4 bin bin 4096 Jun 10 2006 cfg
drwxr-xr-x 3 db2inst1 db2grp1 8192 Jun 10 2006 bnd
drwxr-xr-x 4 bin bin 4096 Jun 10 2006 function64
drwxr-xr-x 4 bin bin 4096 Jun 10 2006 function
drwxr-xr-x 4 db2inst1 db2grp1 8192 Jun 10 2006 lib
drwxr-xr-x 13 db2inst1 db2grp1 4096 Jun 10 2006 samples
drwxr-xr-x 3 db2inst1 db2grp1 4096 Jun 10 2006 misc
drwxr-sr-x 3 db2inst1 db2grp1 4096 Jun 10 2006 lib64
drwxr-xr-x 2 bin bin 4096 Jun 10 2006 adm


/usr/opt/db2_08_01 # ls -la /usr/opt/db2_08_01/instance
total 1480
drwxr-xr-x 5 bin bin 4096 Jun 10 2006 .
drwxr-xr-x 35 bin bin 4096 Aug 12 2006 ..
drwxr-xr-x 5 bin bin 256 Jun 10 2006 common
-r-xr-xr-x 1 bin bin 4703 Aug 20 2005 dascrt
-r-xr-xr-x 1 bin bin 3789 May 20 2006 dasdrop
-r-xr-xr-x 1 bin bin 2018 May 20 2006 daslist
-r-xr-xr-x 1 bin bin 38466 Aug 20 2005 dasmigr
-r-xr-xr-x 1 bin bin 3906 May 20 2006 dasupdt
-r-xr-xr-x 1 bin bin 21791 Aug 20 2005 dasutil
lrwxrwxrwx 1 root bin 15 May 20 2006 db2ckmig -
> ../bin/db2ckmig
-r-xr-xr-x 1 root bin 22007 Aug 20 2005 db2clpid
lrwxrwxrwx 1 root bin 31 May 20 2006 db2iauto -> /
usr/opt/db2_08_01/bin/db2iauto
-r-xr--r-- 1 root bin 23143 Aug 20 2005 db2icfg
-r-xr-xr-x 1 root bin 22501 Aug 20 2005 db2icknm
-r-xr--r-- 1 root bin 8783 Aug 20 2005 db2icrt
-r-xr-xr-x 1 root bin 11519 Aug 20 2005 db2idbm
-r--r--r-- 1 root bin 19008 Aug 20 2005 db2idefs
-r-xr--r-- 1 root bin 4695 Aug 20 2005 db2idrop
-r-xr--r-- 1 root bin 2521 May 20 2006 db2iexec
-r-xr-xr-x 1 root bin 4588 May 20 2006 db2iinfo
lrwxrwxrwx 1 root bin 15 May 20 2006 db2ilist -
> ../bin/db2ilist
-r-xr-xr-x 1 root bin 3586 May 20 2006 db2imchk
-r-xr--r-- 1 root bin 51852 Aug 20 2005 db2imigr
-r--r--r-- 1 root bin 641 May 20 2006 db2inst.defs
-r-xr--r-- 1 root bin 25974 Aug 20 2005 db2instcfg
-r-xr--r-- 1 root bin 23149 Aug 20 2005 db2ipcld
-r-xr--r-- 1 root bin 145399 Aug 20 2005 db2iset
-r-xr-xr-x 1 bin bin 6267 Aug 20 2005 db2isetup
-rw-r--r-- 1 root system 0 Aug 20 2005 db2ishut
-r-xr-xr-x 1 root bin 39827 Aug 20 2005 db2isrv
-r-xr-xr-x 1 root bin 18281 Aug 20 2005 db2istop
-r-xr--r-- 1 root bin 4130 Aug 20 2005 db2istrt
-r-xr--r-- 1 root bin 17938 Aug 20 2005 db2iuadm
-r-xr--r-- 1 root bin 7943 Aug 20 2005 db2iupdt
-r--r--r-- 1 root bin 139684 Aug 20 2005 db2iutil
-r-xr--r-- 1 root bin 6471 Aug 20 2005 db2uit
drwxr-sr-x 4 bin bin 4096 Jul 05 2004 instance
drwxr-xr-x 3 bin bin 256 Oct 29 2002 native

Can you be more specific in what the problem is?
Which files are world accessible which you think should not be?

Cheers
Serge

--
Serge Rielau
DB2 Solutions Development
IBM Toronto Lab

shiva359@gmail.com wrote:

> Hi ,
>
> could someone throw some light on why do default
> software when installed ( as root for creating an instance
> leaves us with some world accessable directories & some world
> executable files & some world readable files .
>
> I am facing this issue on how to explain to Unix Audit Team
> how db2 is ensuring security even after allowing such
> permissions at software level . if I give 750 permissions
> to root id software account then my db2 instance links files
> are giving errors
>
[snip]

I wouldn't claim to be an expert on security, but I don't see any issue
with world-read or world-exec permissions ... after all, the vast
majority of stuff in /usr/bin has such permissions. I would've thought
the audit team would be more concerned about stuff like world-writeable
dirs, and suid execs, of which there are a few in a DB2 instance home
directory.

For example on my 9.5 Linux installation, the following files are
suid-root and world-executable:

db2inst1 ~/sqllib $ find -user root -perm -u+s,-o+x | xargs ls -l
-r-s--x--x 1 root db2iadm1 26052 2008-04-19 06:48 ./adm/db2cacpy
-r-sr-xr-x 1 root db2iadm1 97623 2008-04-19 06:48 ./adm/db2dasstml
-r-sr-s--x 1 root db2iadm1 1705542 2008-04-19 06:48 ./adm/db2fmpr
-r-sr-s--x 1 root db2iadm1 66586 2008-04-19 06:48 ./adm/db2fmpr32
-r-sr-s--x 1 root db2iadm1 24919 2008-04-19 06:48 ./adm/db2fmpterm
-r-s--x--x 1 root db2iadm1 160916 2008-04-19 06:48 ./adm/db2genp
-r-sr-xr-x 1 root db2iadm1 3857680 2008-04-19 06:48 ./adm/db2havend
-r-sr-xr-x 1 root db2iadm1 3240951 2008-04-19 06:48 ./adm/db2havend32
-r-sr-x--x 1 root db2iadm1 221231 2008-04-19 06:48 ./adm/db2licd
-r-sr-s--x 1 root db2iadm1 1693953 2008-04-19 06:48 ./adm/db2pd
-r-sr-s--x 1 root db2iadm1 2024307 2008-04-19 06:48 ./adm/db2pdcfg
-r-sr-s--x 1 root db2iadm1 39453 2008-04-19 06:48 ./adm/db2start
-r-sr-s--x 1 root db2iadm1 40165 2008-04-19 06:48 ./adm/db2stop
-r-s--x--x 1 root db2iadm1 52313 2008-04-19 06:48 ./security/db2chpw
-r-s--x--x 1 root db2iadm1 3791717 2008-04-19 06:48 ./security/db2ckpw

As for why these permissions are the way they are: in the case of
~db2inst1/sqllib/security/db2ckpw, that's the process used to
authenticate users. It needs to be suid-root in order to read the local
shadow file (likewise, db2chpw needs to be suid-root in order to update
the local shadow file if a user attempts a password change while
connecting).

I suspect it's good practice to have entirely separate, single purpose
executables for this kind of procedure in order to minimize the risk of
buffer overflows and other nasty things. Still, I'd assume an audit
team would be mostly concerned with documenting and testing things like
this before worrying about world-read / world-exec stuff.


Cheers,

Dave.

shiva359@gmail.com wrote:

> could someone throw *some light *on * why * do * default
> software *when installed * *( as root * for *creating an instance
> leaves *us with *some *world * *accessable directories & *some *world
> executable * files *& *some *world *readable *files * .

It's largely because, well, DB2 needs to be world readable and world
executable.

Anyone on the system should be able to run DB2. Not just members of
the "bin" group (of which there should be only two: root and bin).

DB2 can't install using db2grp1 as its group because, well, you don't need
to use db2grp1 as your sysadm group. (Especially since it is "db2iadm1" by
default for the first instance.)

Your Unix Audit Team should likely contact IBM for a detailed explanation,
but I'm pretty sure IBM has already vetted these permissions fairly
thoroughly.