Re: Listeners and Privileges on Linux

2004-03-19 Thread Wyatt, T. Rob
Sid,

As of 5.3 the listener doesn't run the channel anymore, it just passes the
connection off to the channel pooling process.  So even if you could run the
listener under a different ID, the MCA would still be running as mqm.

Yes, the client will inherit the authorizations of either the MCAUSER
attribute or, if that is empty, mqm.  You can set the channel to use the ID
of the client that is connecting but it is a trivial task for the client to
assert any arbitrary ID.  Setting the MCAUSER or running an exit (like
Joergen's BlockIP2) is necessary to enforce a policy of using
non-administrative IDs.

-- T.Rob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 19, 2004 12:43 AM
To: [EMAIL PROTECTED]
Subject: Listeners and Privileges on Linux


G'Day all,

This may seem like a silly question but, if I have a listener started by the
mqm user on a Linux server and a client connects using a server connection
channel to the server via that listener, then does the client automatically
have mqm privileges ?? Or will the mca userid be the only applicable
factor.

Can any user other than mqm start the queue manager and listeners ??


Sid Young

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive



Listeners and Privileges on Linux

2004-03-18 Thread Sid . Young
G'Day all,

This may seem like a silly question but, if I have a listener started by the
mqm user on a Linux server and a client connects using a server connection
channel to the server via that listener, then does the client automatically
have mqm privileges ?? Or will the mca userid be the only applicable
factor.

Can any user other than mqm start the queue manager and listeners ??


Sid Young



Re: Listeners and Privileges on Linux

2004-03-18 Thread Neil Casey
Hi Sid,

my recollection is that a SVRCONN with no MCAUSER will believe the incoming
userid asserted by the client program.

The Win2k client asserts the logged on windows user (could be a domain
user) and can include the SID.
The Win95 client asserts the content of an environment variable.
The Java client asserts whatever the program tells it to.
The unix C clients assert the effective uid of the process.

I think that if the client asserts spaces, they will get mqm authority, but
I am not sure.

Lots of people seem to use the BlockIP2 exit to prevent clients asserting
privileged ids such as mqm or MUSR_MQADMIN.

In terms of starting the queue manager, any member of the mqm group can
start it, but it will switch to mqm user (the binaries are SGID, SUID
(6755)).

I can't remember who is allowed to start the listeners, but I suspect it is
mqm group.

Regards,

Neil C.


[EMAIL PROTECTED]
Sent by: MQSeries List [EMAIL PROTECTED]
19/03/2004 16:42
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Listeners and Privileges on Linux




G'Day all,

This may seem like a silly question but, if I have a listener started by the
mqm user on a Linux server and a client connects using a server connection
channel to the server via that listener, then does the client automatically
have mqm privileges ?? Or will the mca userid be the only applicable
factor.

Can any user other than mqm start the queue manager and listeners ??


Sid Young
