Requirements for Db2 file and directory permissions on UNIX systems

On UNIX systems, Db2 instances and clients have specific requirements for the file permission settings of the file owner, group owner, and some users.

There are situations where users need write permission on certain files:
  • The fenced user, when running a fenced mode process (FMP), needs to write a probe to the db2diag.log or administration notification log (instance_name.nfy).
  • A client user needs to write to the db2diag.log or administration notification log.
Where a file has been given world writable permissions, Db2® does not place user data in world readable files: only configuration data, diagnostic data, or executable files are placed into world writable files, and the permissions on these files cannot be changed. With the release of Db2 12.1.2, an optional feature replaces world writable permissions with an operating system group ownership model:
  • A new operating system group, the shared users group, is created by the customer.
  • All operating system users that are to interact with Db2 are members of this group. This includes the fenced user and any user that needs to access Db2.
  • Only those files and directories that were previously world writable are now owned and writable by this group.
  • The remaining files and directories are left unchanged. This group is referred to as the shared users group. The group and its membership are maintained by the customer.

Enabling the shared users group

Customers enable the feature by adding the -sharedgroup parameter to any of the following instance setup commands:
  • db2icrt
  • db2iupdt
  • db2cli
Support is included for modifying an existing instance and changing the ownership or permissions of its existing files and directories. Whenever Db2 needs to create a new file or directory that would otherwise be world writable, it creates it with the shared users group as the group owner and with the world write permission excluded.

Usage notes

  • When updating an existing instance to enable this feature, the update must be done offline. You must run db2stop to stop the instance on each node before using db2iupdt to enable the feature.
  • When enabling this feature on a multi-member instance, such as a database partitioning feature (DPF) or Db2 pureScale® instance, you must run db2iupdt on all hosts.
  • Db2 pureScale instances must be in a homogeneous state when enabling the shared users group feature. That is, the feature cannot be enabled during a rolling upgrade of a Db2 pureScale instance.
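The following script is an added example, not IBM's code and not part of the Db2 product. It lets an administrator verify the two states this page describes: before the feature is enabled, which paths under an instance directory are world writable; after db2iupdt with -sharedgroup has run, whether those paths are now group-owned by the shared users group with the group write bit set and no world write bit. The group name and the directory to scan are supplied by the caller and are assumptions of the example (the page does not name either); the script only reports and never changes ownership or permissions.

```shell
#!/bin/sh
# Added example; not IBM's code and not part of Db2. Audits a directory tree
# for the permission states described on the page. The shared users group
# name and the directory (e.g. the instance home or the diagnostic data
# directory) are caller-supplied assumptions. Nothing here modifies a file.

# Print every path under $1 whose other-write bit is set, one per line, sorted.
# Once the shared users group feature is enabled, this list should be empty.
list_world_writable() {
    find "$1" -perm -002 -print 2>/dev/null | sort
}

# Return 0 if $1 follows the group ownership model: group owner is $2,
# group write bit set, other-write bit clear. Otherwise print why and return 1.
check_shared_group_file() {
    path=$1
    group=$2
    line=$(ls -ld "$path" 2>/dev/null) || { echo "missing: $path"; return 1; }
    # ls -ld prints e.g. "-rw-rw-r-- 1 db2inst1 db2shared 0 <date> path":
    # field 1 is the mode string, field 4 the group owner.
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    owner_group=$(printf '%s\n' "$line" | awk '{print $4}')
    g_write=$(printf '%s\n' "$mode" | cut -c6)   # 6th character: group write bit
    o_write=$(printf '%s\n' "$mode" | cut -c9)   # 9th character: other write bit
    if [ "$owner_group" != "$group" ]; then
        echo "wrong group owner ($owner_group, expected $group): $path"
        return 1
    fi
    if [ "$g_write" != "w" ]; then
        echo "group write bit missing: $path"
        return 1
    fi
    if [ "$o_write" = "w" ]; then
        echo "still world writable: $path"
        return 1
    fi
    return 0
}

# Report every world-writable path under $1, noting whether it is already
# group-owned by the shared users group $2. Empty output means no findings.
audit_tree() {
    dir=$1
    group=$2
    list_world_writable "$dir" | while IFS= read -r p; do
        owner_group=$(ls -ld "$p" | awk '{print $4}')
        if [ "$owner_group" = "$group" ]; then
            echo "world writable although group-owned by $group: $p"
        else
            echo "world writable, group owner $owner_group: $p"
        fi
    done
}

# Stand-alone usage: sh audit_db2_perms.sh <directory> <shared users group>
if [ "$#" -eq 2 ]; then
    audit_tree "$1" "$2"
fi
```

Run it once against the instance directories before stopping the instance and again after db2iupdt has finished: the first run records which files the feature will convert, the second should print nothing, and check_shared_group_file can then be pointed at individual files such as db2diag.log or the administration notification log to confirm they carry the shared users group rather than world write permission.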