
IDS Forum

Re: informix not creating files with req permi....

Posted By: Jonathan Leffler
Date: Sunday, 17 August 2008, at 6:47 p.m.

In Response To: Re: informix not creating files with req permi.... (Fernando Nunes)

On Tue, Aug 12, 2008 at 4:19 PM, Fernando Nunes <domusonline@gmail.com> wrote:
> Not sure if I agree (and I always think a lot before disagreeing with
> Jonathan ;) ).

I'm not sure I understand what you're disagreeing with. I'm glad you
think before disagreeing with me, but I'm even gladder that when you
do disagree, you say so. I try to get my statements correct; I doubt
if I always succeed. If you think I'm wrong and can give a cogent
explanation of why (preferably with an example), then always, but
always, say I'm wrong. Accurate information is much more important
than me being right.

> Who owns these files? User and group?

Perfectly good questions - in fact, important questions. And one
reason it has taken me so long to respond is that my machine is
playing silly tricks on me (at least, that's what it feels like),
specifically w.r.t enabling auditing.

> Remember that Informix is fully capable of doing role separation and if you
> think seriously about doing audit logs you should have a special group for
> it.

Correct.

> And user informix should not belong to this group

Ah...this could be a point of disagreement.

The aaodir controls the AAO group - that is, the group that owns
$INFORMIXDIR/aaodir is the group that is the AAO group. The aaodir is
still owned by user informix, so user informix can tinker with the
files under it - specifically, adtcfg -- and can bring IDS up and
down, and hence can reconfigure the audit. In other words, it seems
to me that it doesn't much matter whether user informix is a member of
the AAO group; user informix can still rig things.

That's primarily empirical observation - that is what actually
happens. It is not wholly clear that the behaviour is the best
possible. On the other hand, it is not clearly defined what user can
(should) own $INFORMIXDIR/aaodir if it is not user informix, nor
whether IDS will work properly if user informix does not have access
to aaodir.

> Last time I checked, the files were owned by the group defined as AAO
> (Auditing analysis officer). And the members of these groups should be able
> to delete the files.

And the default AAO group is, of course, group informix.

> We can question why the files are owned by user Informix, but with the right
> directory permissions and assuming you don't put user Informix in the AAO
> group user informix should not be able to access/alter/erase them.

This depends on the directory permissions. If user informix owns the
directory, you can't stop user informix from deleting the files -
possibly after modifying the directory permissions to allow deletions.

> So, 660 informix:aao should be ok.
> The audit logs directory should not be owned by user Informix, should be
> owned by group aao and should have permissions like 770.
> The owner of this directory could be root or a member of aao group.

I'd need to check on this - once I find out why my server is playing
silly games with me. I'm not sure whether the log directory (ADTPATH
in the adtcfg file) can be owned other than by user informix; I'm also
not sure whether $INFORMIXDIR/aaodir can be owned other than by user
informix.

> All this only makes sense with role separation, and I believe auditing only
> makes sense with role separation.

In general, yes: auditing is most sensible with role separation.
However, auditing without role separation does also work, but isn't
necessarily as secure as auditing with role separation. OTOH, if
there are only two people administering the machines, maybe role
separation isn't possible meaningfully. Role separation assumes the
staff is big enough to have people with separate roles. IDS systems
not infrequently have one person performing most if not all of the
roles, which then makes role separation less beneficial (though
nonetheless desirable).

> I have some doubts about the directory owner (if it works with another owner
> than Informix), but it should work in recent versions. If it fails to create
> the files you may have to set up an env variable called NONROOT_OFF.

I would be extremely cautious about running CPU VPs with root
privileges if you have any UDTs defined (that use shared libraries).

> I have expressed most of my ideas about this here:
>
> http://informix-technology.blogspot.com/2008/02/compliance-role-separation-and-audit.html
> and
>
> http://informix-technology.blogspot.com/2008/07/compliance-role-separation-and-audit.html

Thanks for the URLs.

> On Tue, Aug 12, 2008 at 6:23 PM, Jonathan Leffler
> <jleffler.iiug@gmail.com>wrote:
>
>> On Tue, Aug 12, 2008 at 7:13 AM, VINU KURIAN <vinu.kurian26@gmail.com>
>> wrote:
>> > We have an executable running with group as database. When an expected event
>> > occurs, onaudit is called to enable auditing and set the level of auditing to
>> > be performed. Through onaudit, we are generating informix audit logs under a
>> > folder called informixauditlogs. The folder has been created with 775
>> > permission. And our assumption is that onaudit would create files having the
>> > same permission as parent folder i.e., informixauditlogs. But to our surprise,
>> > informix is creating those log files with a permission of 660.
>> >
>> > Can any of you please let me know why this happens. Is there a way to come out
>> > of it?
>>
>> Audit logs are not executable, so they should never have the execute bits
>> set.
>>
>> Audit logs are security sensitive. They should not be publicly
>> readable. Otherwise, the general public could find out all sorts of
>> interesting things that they should not be able to find out.

I don't see what you could be disagreeing with in these two paragraphs.

>> I'd have considerable sympathy with a complaint to the effect that the
>> permissions should be just 400 -- 660 is way too permissive.

I'm not sure if you are disagreeing with this, or what you'd be
proposing as an alternative. Also, please note, I said nothing about
which user or group owns the files or directories -- and that wasn't
accidental. I just pointed out that the public should have no access
to the audit log files (and that no-one needs the audit files to be
executable).

So, I don't see a point of disagreement. What you've done is take my
careful statements (which were, perhaps, a bit too economical with the
truth), and expanded them and expounded upon them, bringing out valid
points which I didn't try to make.

--
Jonathan Leffler #include <disclaimer.h>
Email: jleffler@earthlink.net, jleffler@us.ibm.com
Guardian of DBD::Informix v2008.0513 -- http://dbi.perl.org/
"Blessed are we who can laugh at ourselves, for we shall never cease
to be amused."
NB: Please do not use this email for correspondence.
I don't necessarily read it every week, even.
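The two points argued above (audit logs must not be executable or world-readable, and the owner of the log directory can delete a log whatever its file mode) as an added example, not code from the thread or from IDS. The checker, the directory layout (the questioner's 775 directory holding a 660 file), the log file name and the ADTPATH wording are all constructed for this illustration.

```python
import os
import stat
import tempfile


def check_audit_path(adtpath):
    """Return findings for an audit log directory (ADTPATH-style) and its files.
    Constructed checker for this example; it applies the thread's criteria:
    no execute bits, no world access, 660 flagged as more open than 400."""
    findings = []
    dst = os.stat(adtpath)
    dmode = stat.S_IMODE(dst.st_mode)
    if dmode & stat.S_IRWXO:
        findings.append("dir %o: world access, outsiders can list or read logs" % dmode)
    # Deletion is decided by the directory, not by the file mode: whoever owns a
    # writable directory can unlink a log, or chmod the directory and then unlink.
    findings.append("dir owner uid %d can delete any log regardless of file mode" % dst.st_uid)
    for name in sorted(os.listdir(adtpath)):
        fst = os.stat(os.path.join(adtpath, name))
        if not stat.S_ISREG(fst.st_mode):
            continue
        fmode = stat.S_IMODE(fst.st_mode)
        if fmode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings.append("%s %o: execute bit set on an audit log" % (name, fmode))
        if fmode & stat.S_IRWXO:
            findings.append("%s %o: world-accessible audit log" % (name, fmode))
        if fmode & stat.S_IWGRP:
            findings.append("%s %o: group-writable (660), 400 suggested" % (name, fmode))
    return findings


def demo():
    """Build the constructed layout from the original question and check it."""
    root = tempfile.mkdtemp()
    adtpath = os.path.join(root, "informixauditlogs")
    os.mkdir(adtpath)
    os.chmod(adtpath, 0o775)                       # the questioner's directory mode
    log = os.path.join(adtpath, "idsserver.0")     # constructed log file name
    with open(log, "w") as fh:
        fh.write("constructed audit record\n")
    os.chmod(log, 0o660)                           # the mode onaudit produced
    findings = check_audit_path(adtpath)
    # Lock the file down to 400: the directory owner can still remove it.
    os.chmod(log, 0o400)
    os.remove(log)
    deleted = not os.path.exists(log)
    os.rmdir(adtpath)
    os.rmdir(root)
    return findings, deleted
```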
