MQ file permissions in /opt/mqm with setuid for mqm and ownership by root (V6, V7, V8, V9.x)

Troubleshooting

Problem

Your security team has flagged some of the executable MQ files in the directory tree $MQ_INSTALLATION_PATH in violation of local security policies.
.
The default location in AIX is /usr/mqm and for the other UNIX operating systems is /opt/mqm.
.
If you have installed MQ in a non-default directory such as /opt/mqm90, or if you have multiple installation, then the details in this technote still apply.

Cause

Your security team has identified the following areas of concern under $MQ_INSTALLATION_PATH:

1. Files in /opt/mqm/bin,lib,lib64 directories are setuid for the owner of the directory tree where they reside.
Example:
-r-sr-s--- 1 mqm mqm 2...6 /opt/mqm/bin/amqcrsta_nd -r-sr-sr-x 1 mqm mqm 5...6 /opt/mqm/lib/amqccgsk -r-sr-sr-x 1 mqm mqm 6...6 /opt/mqm/lib64/amqccgsk

2. User does not own files in /opt/mqm/lib/iconv directory.
Example:
-r--r--r-- 1 bin bin 2...4 /opt/mqm/lib/iconv/002501B5.tbl

3. Files in /opt/mqm/licenses are world-writable.
Example:
-rwxrwxrwx 1 mqm mqm 5...6 /opt/mqm/licenses/English.txt
Note: "..." was used above to shorten the ls output.

4. Practically all the directories and files are owned by "mqm:mqm" except for the following, which are owned by root:
.
$ ls -dl /opt/mqm/bin/security
dr-xr-x--- 1 root mqm 48 Jun 30 08:06 /opt/mqm/bin/security
$ ls -l /opt/mqm/bin/security
-r-sr-x--- 1 root mqm 16497 Jun 30 08:06 amqoamax
-r-sr-x--- 1 root mqm 17060 Jun 30 08:06 amqoampx

Resolving The Problem

One of the concerns on UNIX with respect to setuid programs was that the system security could be compromised by manipulating environment variables such as LD* (LD_LIBRARY_PATH, LIBPATH on AIX, etc). But, this is no longer a concern as various UNIX operating systems (Solaris, HP, AIX, Linux) now ignore these LD* environment variables when loading setuid programs. In the case of AIX, the LIBPATH is ignored. Hence, the setuid/setgid programs for MQ are not really a concern.

1. Why are some of the MQ programs mqm-setuid/setgid?

In MQ, the user id "mqm" and any ID which is a part of "mqm" group are the MQ administrative users. MQ queue manager resources are protected by authenticating against this user. Since the queue manager processes use and modify these queue manager resources, the queue manager processes will require "mqm" authority to access the resources. Hence, MQ queue manager support processes are designed to run with the effective user-id of "mqm".

To help non-administrative users accessing MQ objects, MQ provides an Object Authority Manager (OAM) facility where authorities can be granted/revoked on the need of the application executed by the non-administrative user.

With the ability to grant different levels of authentications for users and the fact that setuid/setgid programs ignore LD* variables, the MQ binary/library files do not compromise a system's security in any way.

2. Is it possible to change the permissions to satisfy our security policy without jeopardizing MQ functionality?

The answer is: NO.
Changing the permissions and ownerships of any of the MQ binaries and libraries should not be done. MQ functionality may suffer due to this kind of change, such that queue manager processes my fail to access some of the resources.
We would like to reiterate that the permissions and ownerships do not pose any security threat to the system.

3. Why are the files under /opt/mqm/licenses world-writable?

These are simple text files containing "International Program License Agreement", which will not be read or used by any of the queue manager processes. Hence, these are not a security threat.

To summarize:

* MQ setuid/setgid programs do not cause any security threat to the system.
* Permissions and ownerships of these files should not be modified.

4) There are 2 cases which need to be discussed separately.

4.a) The subdirectory "maintenance" is used to store a backup of files after a Fix Pack is applied. The subdirectory tree needs to be owned by root.

4.b) The $MQ_INSTALLATION_PATH/bin/security is a new subdirectory added in MQ 8.0.

It needs to be owned by root, because these are the executable files that interact with the operating system when the user from a MQ client specifies a password and this password is passed by the MQ queue manager to the operating system to confirm if the password is valid or is not valid.

Related Information

Online manual for MQ: IBM MQ file system permissions applied to /var/mqm

Online manual for MQ: Changing queue manager configuration information > Filesy…

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"}],"Version":"9.1;9.0;8.0;7.5;7.1;7.0;6.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Product Synonym

WMQ MQ

Was this topic helpful?

Document Information

Modified date:
24 December 2018

UID

swg21265111

Tips