Kbase P100887: How should I set permissions for Progress executables and database files on UNIX?
| Autor |
Progress Software Corporation - Progress |
| Acesso |
Público |
| Publicação |
18/01/2010 |
|
Status: Verified
GOAL:
What should the ownership and the permissions be for the Progress executables on a UNIX platform
GOAL:
What are the minimum permissions that the database files must have?
GOAL:
How should I set permissions for Progress executables on UNIX?
GOAL:
What permissions should the database files be set to?
GOAL:
How Progress interacts with UNIX permissions?
GOAL:
What permissions need to be set in order for users to be able to access Progress without permission problems?
FACT(s) (Environment):
UNIX
Progress 9.x
OpenEdge 10.x
FIX:
The information contained in this solution allows the system administrator to maintain security at the UNIX level in the event that users have access to the operating system shell. In order for users to start a multi-user session for Progress, the following permissions should be maintained.
The Progress executables are stored in the bin subdirectory of the Progress installation directory. Upon a new installation, ownership and permissions are correct. After the installation of a Patch or Service Pack it's very important that those are reset to their correct value, as the installation might alter them. Incorrect ownership and/or permissions can cause "abnormal behavior" in the product. One of the first troubleshooting steps should be to always validate the ownership and permissions of all Progress executables are correct.
Progress executables:
The Progress executables should have read, write, and setuid for the user. The group and other should also have execute permissions. The owner of the executables should be root. This is accomplished with the the following steps:
1. Log in as root or switch user to root.
2. Move to the $DLC/bin directory.
3. Type the following set of commands:
chown root _*
chmod 4755 _*
chmod 755 _sqlsrv2
chmod 755 _waitfor
An example of what the executables will look like follows.
-rwsr-xr-x 1 root sys 458926 Nov 10 09:49 _mprosrv
-rwsr-xr-x 1 root sys 508210 Nov 10 09:49 _mprshut
-rwsr-xr-x 1 root sys 1450549 Nov 10 09:49 _progres
-rwsr-xr-x 1 root sys 823434 Nov 10 09:49 _proutil
The first column shows permissions for the file:
r - read permission
w - write permission
x - execute permission
s - setuid bit set
The first position tells what kind of file it is. If the file is defined as a normal or unknown file, it has a "-". Other file types are:
d - directory file
l - link file
t - link permission for directories
The next 3 letters are permissions for the user.
The next 3 letters are permissions for the user group.
The next 3 letters are permissions for the other group (all users).
The setuid bit can only be set for the owner and group of the file. The setuid bit allows the user that executes the file to take on the permissions of the owner of the files while running executables. This allows individual users access to the database files while in Progress, but they cannot delete the files when in the UNIX shell.
PROGRESS Database files:
In order to prevent users from deleting the database files the following permissions should be set. This pertains to connecting to the database at startup (for example, mpro demo) and also using the "connect" 4GL statement:
- Permissions to the directory where the database resides should belong to root and have read, write, and execute permissions. The group should be set to the group assigned to the database users and should have read and execute permissions only. Other users should have no permissions set.
The directory permissions should look as follows:
drwxr-x--- 2 root support 1024 Nov 10 09:49 91c
- Permissions to the database files (the .db, .lg, and .bi etc) should be read and write only. Root should be the owner of the files and the group should be set to the group assigned to the database users.
The directory contents should look as follows:
drwxr-x--- 2 root support 1024 Nov 10 10:18 .
drwxrwxrwx 8 root rdl 1024 Nov 10 09:49 ..
-rw-rw---- 1 root sup.port 2228224 Dec 2 16:50 demo.b1
-rw-rw---- 1 root support 770048 Dec 2 16:50 demo.d1
-rw-rw---- 1 root support 32768 Dec 2 16:50 demo.db
-rw-rw---- 1 root support 443 Dec 2 16:50 demo.lg
-rw-rw---- 1 root support 31 Dec 2 16:50 demo.st
The "." signifies the current working directory. The ".." signifies the parent directory or next higher directory.
With these permissions set, only the root user and all users who are part of the group may access the database through Progress, however only root can modify or delete the files from the UNIX shell (due to the directory permissions).
You can enable 'other' people access to the database but if tighter security is what you are after then you should only allow database access to people who are part of the specified group.
When you use the "connect" statement from within a procedure or through the editor, the use of a networked connection (for example, the -S and -H parameter), you do not need to turn on read and write permissions for "other". Read and write for "owner" will suffice.
The combination of executable permissions and database permissions provides full functionality as well as the ability to provide security where needed..