IBM Support

WebSphere MQ file permissions with setuid for mqm and ownership by root (V6, V7, V8, V9)

Technote (troubleshooting)


Problem(Abstract)

Your security has flagged some of the executable MQ files in the directory tree $MQ_INSTALLATION_PATH in violation of local security policies.

Cause

Your security has identified the following areas of concern under $MQ_INSTALLATION_PATH:
1. Files in /opt/mqm/bin,lib,lib64 directories are setuid for the owner of the directory tree where they reside.
Example:
-r-sr-s--- 1 mqm  mqm  2...6  /opt/mqm/bin/amqcrsta_nd
-r-sr-sr-x 1 mqm  mqm  5...6  /opt/mqm/lib/amqccgsk
-r-sr-sr-x 1 mqm  mqm  6...6  /opt/mqm/lib64/amqccgsk


2. User does not own files in /opt/mqm/lib/iconv directory.
Example:
-r--r--r-- 1 bin  bin  2...4  /opt/mqm/lib/iconv/002501B5.tbl


3. Files in /opt/mqm/licenses are world-writable.
Example:
-rwxrwxrwx 1 mqm  mqm  5...6  /opt/mqm/licenses/English.txt


"..." was used above to shorten the ls output.

4. Practically all the directories and files are owned by "mqm:mqm" except for the following, which are owned by root:
$ ls -dl /opt/mqm/bin/security
dr-xr-x--- 1 root mqm 48 Jun 30 08:06 /opt/mqm/bin/security
$ ls -l /opt/mqm/bin/security
-r-sr-x--- 1 root mqm 16497 Jun 30 08:06 amqoamax
-r-sr-x--- 1 root mqm 17060 Jun 30 08:06 amqoampx

Resolving the problem

One of the concerns on UNIX with respect to setuid programs was that the system security could be compromised by manipulating environment variables such as LD* (LD_LIBRARY_PATH, LIBPATH on AIX, etc). But, this is no longer a concern as various UNIX operating systems (Solaris, HP, AIX, Linux) now ignore these LD* environment variables when loading setuid programs. On AIX, LIBPATH is ignored. Hence, setuid/setgid programs are not a concern.



1. Why are some of the WebSphere MQ programs mqm-setuid/setgid?


In WebSphere MQ, user id "mqm" and any ID which is a part of "mqm" group are the WebSphere MQ administrative users. WebSphere MQ queue manager resources are protected by authenticating against this user. Since the queue manager processes use and modify these queue manager resources, the queue manager processes will require "mqm" authority to access the resources. Hence, WebSphere MQ queue manager support processes are designed to run with the effective user-id of "mqm".

To help non-administrative users accessing WebSphere MQ objects, WebSphere MQ provides an Object Authority Manager (OAM) facility where authorities can be granted/revoked on the need of the application executed by the non-administrative user.

With the ability to grant different levels of authentications for users and the fact that setuid/setgid programs ignore LD* variables, the WebSphere MQ binary/library files do not compromise a system's security in any way.


2. Is it possible to change the permissions to satisfy our security policy without jeopardizing WebSphere MQ functionality?

The answer is no. Changing the permissions and ownerships of any of the WebSphere MQ binaries and libraries should not be done. WebSphere MQ functionality may suffer due to this kind of change, such that queue manager processes my fail to access some of the resources. We would like to reiterate that the permissions and ownerships do not pose any security threat to the system.


3. Why are the files under /opt/mqm/licenses world-writable?

These are simple text files containing "International Program License Agreement", which will not be read or used by any of the queue manager processes. Hence, these are not a security threat.

To summarize,

* WebSphere MQ setuid/setgid programs do not cause any security threat to the system.
* Permissions and ownerships of these files should not be modified.

4) There are 2 cases which need to be discussed separately.

4.a) The subdirectory "maintenance" is used to store a backup of files after a Fix Pack is applied. The subdirectory tree needs to be owned by root.

4.b) The $MQ_INSTALLATION_PATH/bin/security is a new subdirectory added in MQ 8.0.
It needs to be owned by root, because these are the executable files that need to handle passwords.

Related information

New directory and file permissions in WMQ V6 & V7

Product Alias/Synonym

WMQ MQ

Document information

More support for: WebSphere MQ
Security

Software version: 6.0, 7.0, 7.1, 7.5, 8.0, 9.0

Operating system(s): AIX, HP-UX, Linux, Solaris

Reference #: 1265111

Modified date: 03 October 2016


Translate this page: