Kbase P17044: CONNECT statement errors with 1136 - connect via mpro
Author: Progress Software Corporation - Progress
Access: Public
Published: 12/7/2006
Status: Verified
SYMPTOM(s):
Cannot connect to database using CONNECT statement
Can connect from command line using mpro dbname
The setuid bit is enabled for all progress executables ( _ files ) except for _waitfor and _sqlsrv2
SYSTEM ERROR: Shared memory access permission denied (1136)
CHANGE:
Upgraded 9.1B to 9.1D
CAUSE:
Bug# 20030108-024
CAUSE:
This is the result of security changes made in 9.1D. Additional protection has been placed on shared memory to protect it from attacks.
FIX:
Although the client has setuid on, the actual user of the process is changed from root to the actual user as soon as initial database connections have been performed. All databases specified on the command line can be connected to because the client is running as root.
4GL programs are executed after the process has been "downgraded" from root, i.e. they are NOT run as root. If the user running the program does not have access to the database he/she will not have access to the shared memory for that database.
When a server is started, the ownership of the shared memory is changed so that it mimics the .db file. This is a change from the 9.1B method. If a regular user has full access to the .db file they will implicitly have full access to the shared memory for the database. If a particular group has full access to a database and its shared memory, a member of that group may have full access as well.
There are a few potential solutions for this problem:
1. Specify all database names on the mpro command line using -db for each.
2. Grant a group rights to the database and make all users that need access to the database members of that group.
3. Use client/server to connect to the database in question. Since a server is already connected to the database it has access to the shared memory.
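
The access rule described above can be checked against a database's .db file before a CONNECT statement is run. This is an added example, not Progress code; `has_rw` and `check_db_file` are hypothetical names, and it assumes the shared memory is governed by the standard Unix owner/group/other check applied to the .db file's owner, group and mode.

```c
/* Added example, not Progress code: models the access decision described above. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if uid/gids gets read AND write on an object owned by owner:group with
 * the given mode. Unix selects exactly one class: owner, else group, else other. */
int has_rw(uid_t owner, gid_t group, mode_t mode,
           uid_t uid, const gid_t *gids, int ngids)
{
    if (uid == 0)                       /* root: why command-line -db connects work */
        return 1;
    if (uid == owner)
        return (mode & S_IRUSR) && (mode & S_IWUSR);
    for (int i = 0; i < ngids; i++)
        if (gids[i] == group)
            return (mode & S_IRGRP) && (mode & S_IWGRP);
    return (mode & S_IROTH) && (mode & S_IWOTH);
}

/* Checks the real (post-downgrade) user of this process against a .db file.
 * Returns 1 = access, 0 = expect error 1136 (assumption), -1 = lookup failed. */
int check_db_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    int n = getgroups(0, NULL);
    if (n < 0) return -1;
    gid_t *gids = malloc((n + 1) * sizeof *gids);
    if (!gids) return -1;
    n = getgroups(n, gids);
    if (n < 0) { free(gids); return -1; }
    gids[n++] = getgid();               /* primary group may not be in the list */
    int ok = has_rw(st.st_uid, st.st_gid, st.st_mode, getuid(), gids, n);
    free(gids);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s path/to/dbname.db\n", argv[0]); return 2; }
    int r = check_db_file(argv[1]);
    if (r < 0) { perror(argv[1]); return 2; }
    printf("%s: real uid %d %s read/write access\n", argv[1], (int)getuid(), r ? "has" : "LACKS");
    return r ? 0 : 1;
}
```

Because exactly one permission class is selected, a user who owns the .db file but has no owner read/write bits is denied even when a group they belong to has full access.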