Consultor Eletrônico



Kbase 12538: Progress and UNIX Permissions
Author   Progress Software Corporation - Progress
Access   Public
Published   14/01/2010
Status: Verified

SYMPTOM(s):

** Could not open file <file-name>. (103)

SYSTEM ERROR: Shared memory access permission denied (1136)

Unable to open <file-name>, errno = <error code>. (1295)

SYSTEM ERROR: fmget: bad record or unknown value. (13)

Error: output file "<name>" could not be opened for writing. (1506)

Unable to open or create <filename>, error <number>. (2257)

Unable to set ulimit to <number>, errno=<number>, ulimit remains at <number>. (2601)

** Unable to open <file-name>, error code <number>. (316)

Unable to open or create <filename>, error <number>. (354)

Error opening file <file-name>, errno = <errno>. (4029)

** Cannot find or open file <file-name>, errno = <number>. (43)

SYSTEM ERROR: keyget: unable to make ipc key for <db>:<ch>. (554)

** Unable to open file: <file-name>. Errno=<number>. (98)

FACT(s) (Environment):

UNIX
Progress/OpenEdge Product Family

CAUSE:

The permissions for either database files or Progress executables are not set up correctly.

FIX:

This solution explains how Progress interacts with UNIX permissions. It also explains what permissions need to be set in order for end users to be able to access Progress effectively and without permission problems.

The information contained in this solution allows the system administrator to maintain security at the UNIX level in the event that users have access to the operating system shell. In order for users to start a multi-user session for Progress, the following permissions should be maintained.

Progress executables:

The Progress executables should have read, write and execute permission with the setuid bit set for the user (owner). Group and other should also have execute permission. The owner of the executables should be root. This is accomplished with the following steps:

1. Log in as root or switch user to root.
2. Move to the $DLC/bin directory.
3. Type the following set of commands:

chown root _*
chmod 4755 _*
chmod 755 _sqlsrv2
chmod 755 _waitfor

An example of what the executables will look like follows.

-rwsr-xr-x 1 root sys 458926 Nov 10 09:49 _mprosrv
-rwsr-xr-x 1 root sys 508210 Nov 10 09:49 _mprshut
-rwsr-xr-x 1 root sys 1450549 Nov 10 09:49 _progres
-rwsr-xr-x 1 root sys 823434 Nov 10 09:49 _proutil

The first column shows permissions for the file:

r - read permission
w - write permission
x - execute permission
s - setuid bit set

The first position tells what kind of file it is. If the file is defined as a normal or unknown file, it has a "-". Other file types are:

d - directory file
l - link file
t - link permission for directories

The next 3 letters are permissions for the user.
The next 3 letters are permissions for the user group.
The next 3 letters are permissions for the other group (all users).

The setuid bit can only be set for the owner and group of the file. The setuid bit allows the user that executes the file to take on the permissions of the owner of the files while running executables. This allows individual users access to the database files while in Progress, but they cannot delete the files when in the UNIX shell.

PROGRESS Database files:

In order to prevent users from deleting the database files the following permissions should be set. This pertains to connecting to the database at startup (for example, mpro demo) and also using the "connect" 4GL statement:

- The directory where the database resides should be owned by root, with read, write, and execute permissions for the owner. The group should be set to the group assigned to the database users and should have read and execute permissions only. Other users should have no permissions set. The directory permissions should look as follows:

drwxr-x--- 2 root support 1024 Nov 10 09:49 91c

- Permissions to the database files (the .db, .lg, and .bi etc) should be read and write only. Root should be the owner of the files and the group should be set to the group assigned to the database users.

The directory contents should look as follows:

drwxr-x--- 2 root support 1024 Nov 10 10:18 .
drwxrwxrwx 8 root rdl 1024 Nov 10 09:49 ..
-rw-rw---- 1 root support 2228224 Dec 2 16:50 demo.b1
-rw-rw---- 1 root support 770048 Dec 2 16:50 demo.d1
-rw-rw---- 1 root support 32768 Dec 2 16:50 demo.db
-rw-rw---- 1 root support 443 Dec 2 16:50 demo.lg
-rw-rw---- 1 root support 31 Dec 2 16:50 demo.st

The "." signifies the current working directory. The ".." signifies the parent directory, that is, the next higher directory.

With these permissions set, only the root user and the users who are part of the group may access the database through Progress; however, only root can modify or delete the files from the UNIX shell (due to the directory permissions).

You can enable 'other' people access to the database but if tighter security is what you are after then you should only allow database access to people who are part of the specified group.

NOTE: When you use the "connect" statement from within a procedure or through the editor over a networked connection (for example, with the -S and -H parameters), you do not need to turn on read and write permissions for "other"; read and write for "owner" will suffice.

The combination of executable permissions and database permissions provides full functionality as well as the ability to provide security where needed.
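As an added example (not part of this Progress KB entry), the following POSIX shell script checks "ls -l" style lines against the modes prescribed above, both for the setuid executables in $DLC/bin and for the database directory and its files. The function names audit_line, audit_db_dir and audit_constructed, the group name support and the sample listing lines are constructed for this example; one sample line (demo.lg with read permission for "other") is deliberately wrong so that the mismatch report is exercised.

```shell
#!/bin/sh
# Permission audit for a Progress installation (added example, not the KB's
# own code). Compares ls -l lines with the modes the KB entry prescribes.

EXEC_MODE='-rwsr-xr-x'    # $DLC/bin/_*  after chown root + chmod 4755
PLAIN_MODE='-rwxr-xr-x'   # _sqlsrv2 and _waitfor after chmod 755 (no setuid)
DBDIR_MODE='drwxr-x---'   # database directory: root-owned, group r-x, other none
DBFILE_MODE='-rw-rw----'  # .db/.b1/.d1/.lg/.st: root-owned, group rw, other none

# audit_line MODE OWNER GROUP LINE
#   MODE/OWNER/GROUP are the expected values; GROUP '*' accepts any group.
#   LINE is one line of "ls -l" output (file names without spaces).
#   Prints OK or MISMATCH and returns 0 when the line matches, 1 otherwise.
audit_line() {
    want_mode=$1 want_owner=$2 want_group=$3
    set -f                      # no globbing while the line is word-split
    set -- $4                   # mode links owner group size month day time name
    set +f
    have_mode=${1%[.+]}         # drop a trailing ACL/SELinux marker ("." or "+")
    have_owner=$3 have_group=$4 name=$9
    ok=1
    [ "$have_mode" = "$want_mode" ] || ok=0
    [ "$have_owner" = "$want_owner" ] || ok=0
    case $want_group in
        '*') ;;
        *) [ "$have_group" = "$want_group" ] || ok=0 ;;
    esac
    if [ "$ok" -eq 1 ]; then
        printf 'OK       %s\n' "$name"
        return 0
    fi
    printf 'MISMATCH %s: have %s %s:%s, want %s %s:%s\n' \
        "$name" "$have_mode" "$have_owner" "$have_group" \
        "$want_mode" "$want_owner" "$want_group"
    return 1
}

# audit_db_dir DIR GROUP
#   Audits a real database directory and every file in it against the
#   prescribed directory and file modes. Returns the number of mismatches.
audit_db_dir() {
    dir=$1 grp=$2 bad=0
    audit_line "$DBDIR_MODE" root "$grp" "$(ls -ld "$dir")" || bad=$((bad + 1))
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        audit_line "$DBFILE_MODE" root "$grp" "$(ls -ld "$f")" || bad=$((bad + 1))
    done
    return "$bad"
}

# audit_constructed
#   Runs the check over constructed sample lines modelled on the KB listings.
#   demo.lg is deliberately world-readable; everything else matches.
#   Returns the number of mismatches (expected: 1).
audit_constructed() {
    bad=0
    audit_line "$EXEC_MODE"   root '*'     '-rwsr-xr-x 1 root sys 458926 Nov 10 09:49 _mprosrv' || bad=$((bad + 1))
    audit_line "$PLAIN_MODE"  root '*'     '-rwxr-xr-x 1 root sys 300000 Nov 10 09:49 _waitfor' || bad=$((bad + 1))
    audit_line "$DBDIR_MODE"  root support 'drwxr-x--- 2 root support 1024 Nov 10 10:18 .'       || bad=$((bad + 1))
    audit_line "$DBFILE_MODE" root support '-rw-rw---- 1 root support 32768 Dec 2 16:50 demo.db' || bad=$((bad + 1))
    audit_line "$DBFILE_MODE" root support '-rw-rw-r-- 1 root support 443 Dec 2 16:50 demo.lg'   || bad=$((bad + 1))
    return "$bad"
}

# Usage: sh audit.sh              -> checks the constructed sample listing
#        sh audit.sh DIR GROUP    -> audits a real database directory
if [ $# -eq 2 ]; then
    if audit_db_dir "$1" "$2"; then
        echo "all entries match the prescribed modes"
    else
        echo "$? entries differ from the prescribed modes"
    fi
elif [ $# -eq 0 ]; then
    if audit_constructed; then
        echo "all entries match the prescribed modes"
    else
        echo "$? entries differ from the prescribed modes"
    fi
fi
```

Running the script with a directory and group (for example the directory holding demo.db and the group support) reports any database file that has drifted from the root:group, rw-rw---- layout shown above, and the same audit_line function can be applied to "ls -l $DLC/bin/_*" output with EXEC_MODE to confirm that only the intended executables carry the setuid bit.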