IBM MQ file permissions in /opt/mqm with setuid for mqm

The following information covers the situation where your security team has flagged some of the executable IBM® MQ files in the directory tree $MQ_INSTALLATION_PATH as violating local security policies. The default location on AIX® is /usr/mqm and on the other UNIX operating systems is /opt/mqm. If you have installed IBM MQ in a non-default directory, such as /opt/mqm90, or if you have multiple installations, the details in this topic still apply.

Cause of the problem

Your security team has identified the following areas of concern under $MQ_INSTALLATION_PATH:
  1. Files in the /opt/mqm/bin directory are setuid and setgid to the owner of the directory tree in which they reside (mqm). For example:
    dr-xr-xr-x   mqm  mqm   ${MQ_INSTALLATION_PATH}/bin
    -r-sr-s---   mqm  mqm   ${MQ_INSTALLATION_PATH}/bin/addmqinf
    -r-sr-s---   mqm  mqm   ${MQ_INSTALLATION_PATH}/bin/amqcrsta
    -r-sr-s---   mqm  mqm   ${MQ_INSTALLATION_PATH}/bin/amqfcxba
  2. Practically all the directories and files are owned by "mqm:mqm" except for the following, which are owned by root:
    dr-xr-x---   root mqm   ${MQ_INSTALLATION_PATH}/bin/security
    -r-sr-x---   root mqm   ${MQ_INSTALLATION_PATH}/bin/security/amqoamax
    -r-sr-x---   root mqm   ${MQ_INSTALLATION_PATH}/bin/security/amqoampx
    This subdirectory needs to be owned by root, because these are the executable files that interact with the operating system when a user from an IBM MQ client specifies a password, and the IBM MQ queue manager passes that password to the operating system to confirm whether it is valid.
  3. The mqm user does not own the files in the /opt/mqm/lib/iconv directory (this directory does not exist on AIX). For example:
    dr-xr-xr-x   mqm  mqm   ${MQ_INSTALLATION_PATH}/lib/iconv
    -r--r--r--   bin  bin   ${MQ_INSTALLATION_PATH}/lib/iconv/002501B5.tbl
    -r--r--r--   bin  bin   ${MQ_INSTALLATION_PATH}/lib/iconv/002501F4.tbl
    -r--r--r--   bin  bin   ${MQ_INSTALLATION_PATH}/lib/iconv/00250333.tbl
  4. The fix pack maintenance directory on RPM-based Linux® systems is owned by root. When fix packs are installed, the existing files are saved under this directory in a structure similar to the following example, where V.R represents the IBM MQ version and release number and the subdirectories that appear depend on the fix packs that have been installed:
    drwx------   root root  ${MQ_INSTALLATION_PATH}/maintenance
    drwxr-xr-x   root root  ${MQ_INSTALLATION_PATH}/maintenance/V.R.0.1
    drwxr-xr-x   root root  ${MQ_INSTALLATION_PATH}/maintenance/V.R.0.3
    drwxr-xr-x   root root  ${MQ_INSTALLATION_PATH}/maintenance/V.R.0.4

Resolving the problem

One of the concerns on UNIX systems with respect to setuid programs was that the system security could be compromised by manipulating environment variables such as LD* (LD_LIBRARY_PATH, LIBPATH on AIX, and so on). This is no longer a concern, as various UNIX operating systems now ignore these LD* environment variables when loading setuid programs.

  1. Why some of the IBM MQ programs are mqm-setuid or mqm-setgid.

    In IBM MQ, the user id "mqm" and any ID which is a part of the "mqm" group are the IBM MQ administrative users.

    IBM MQ queue manager resources are protected by authenticating against this user. Since the queue manager processes use and modify these queue manager resources, the queue manager processes require "mqm" authority to access the resources. Therefore, IBM MQ queue manager support processes are designed to run with the effective user-id of "mqm".

    To allow non-administrative users to access IBM MQ objects, IBM MQ provides the Object Authority Manager (OAM), through which authorities can be granted and revoked according to the needs of the application run by the non-administrative user.

    Given the ability to grant different levels of authority to users, and the fact that setuid and setgid programs ignore LD* variables, the IBM MQ binary and library files do not compromise the security of your system in any way.

  2. It is not possible to change the permissions to satisfy the security policy of your enterprise without jeopardizing IBM MQ functionality.

    You must not change the permissions and ownerships of any of the IBM MQ binaries and libraries. IBM MQ functionality can suffer due to this kind of change, such that queue manager processes might fail to access some of the resources.

    Note that the permissions and ownerships do not pose any security threat to the system.

    On Linux, the file systems on which IBM MQ is installed or on which IBM MQ data is located must not be mounted with the nosuid option. Such a mount might inhibit IBM MQ functionality.
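    The following shell helper is an added example for auditing an installation against the layout described above; it is not part of IBM MQ. It lists the setuid/setgid files under an installation path, reports any whose owner is not the expected user (mqm by default, with the root-owned bin/security subdirectory exempted), and shows the mount options of the file system holding the tree so a nosuid mount can be spotted. It assumes POSIX find, ls and awk, and /proc/mounts on Linux.

```shell
#!/bin/sh
# Audit helper for an IBM MQ installation tree (example written for this
# page, not part of IBM MQ). Function names are hypothetical.

# List setuid/setgid regular files under $1 as "<mode> <owner> <group> <path>".
mq_list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r f; do
        # ls -ld gives the mode in column 1, owner in column 3, group in column 4
        ls -ld "$f" | awk -v p="$f" '{ print $1, $3, $4, p }'
    done
}

# Print setuid/setgid files under $1 whose owner differs from $2 (default mqm).
# bin/security is skipped: the page states those files must be root-owned.
mq_suid_owner_violations() {
    dir=$1; owner=${2:-mqm}
    mq_list_suid "$dir" | while read -r mode o g path; do
        case $path in "$dir"/bin/security/*) continue ;; esac
        [ "$o" = "$owner" ] || echo "UNEXPECTED OWNER: $mode $o:$g $path"
    done
}

# Print the mount options of the file system that holds $1 (Linux /proc/mounts).
mq_mount_options() {
    mp=$(df -P "$1" | awk 'NR == 2 { print $6 }')
    awk -v mp="$mp" '$2 == mp { print $4 }' /proc/mounts 2>/dev/null
}

# Print "yes" if the file system holding $1 is mounted nosuid, otherwise "no".
mq_is_nosuid() {
    case ",$(mq_mount_options "$1")," in
        *,nosuid,*) echo yes ;;
        *)          echo no ;;
    esac
}
```

Typical use on a real installation is `mq_suid_owner_violations /opt/mqm` followed by `mq_is_nosuid /opt/mqm` and `mq_is_nosuid /var/mqm`; empty output from the first and "no" from the others match the layout this topic describes.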

    For more information, see IBM MQ file system permissions applied to /var/mqm.