IBM Support

IC74585: WHEN DB2 AUDIT IS ENABLED, RUNNING A SETUID APPLICATION COULD RESULT IN AUDIT LOGGING FAILURE


APAR status

  • Closed as program error.

Error description

  • When logging an audit event on the client side, if the
    application triggering the audit event is a setuid executable,
    it's possible for the audit operation to fail if the effective
    user ID and real user ID of the application are different. The
    failure is due to how DB2 handles client-side audit events
    internally.
    
    If DB2 audit is enabled, and such an application is run, you
    will see the following entries in the db2diag.log file:
    
    
    2011-01-18-21.02.56.810052-360 E149233A416        LEVEL: Error (OS)
    PID     : 4032                 TID  : 1           PROC : db2aud
    INSTANCE: db2instv             NODE : 000
    EDUID   : 1
    FUNCTION: DB2 UDB, oper system services, sqlorqueInternal, probe:9
    MESSAGE : ZRC=0x870F00BB=-2029059909=SQLO_QUE_NO_ACCESS
              "do not have the access right"
    CALLED  : OS, -, msgrcv
    OSERR   : EACCES (13) "Permission denied"
    
    2011-01-18-21.02.56.811897-360 I149650A382        LEVEL: Error
    PID     : 4032                 TID  : 1           PROC : db2aud
    INSTANCE: db2instv             NODE : 000
    EDUID   : 1
    FUNCTION: DB2 UDB, bsu security, sqlex_db2aud_main, probe:170
    MESSAGE : ZRC=0x870F00BB=-2029059909=SQLO_QUE_NO_ACCESS
              "do not have the access right"
    DATA #1 : Hex integer, 4 bytes
    
    The db2hpu utility has been known to run into this problem, when
    run as a non-instance owner user.
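
A check for the db2diag.log signature described above, as an added example (not IBM's code): it flags records written by db2aud that report SQLO_QUE_NO_ACCESS, which mark the failed audit operation. The function and field names are this example's own, and the sample input is abridged from the records quoted above plus one constructed record.

```python
import re

# Sample input: the two records quoted above (abridged), then one constructed,
# unrelated record that must not be flagged.
SAMPLE = """\
2011-01-18-21.02.56.810052-360 E149233A416        LEVEL: Error (OS)
PID     : 4032                 TID  : 1           PROC : db2aud
INSTANCE: db2instv             NODE : 000
FUNCTION: DB2 UDB, oper system services, sqlorqueInternal, probe:9
MESSAGE : ZRC=0x870F00BB=-2029059909=SQLO_QUE_NO_ACCESS
          "do not have the access right"
CALLED  : OS, -, msgrcv
OSERR   : EACCES (13) "Permission denied"

2011-01-18-21.02.56.811897-360 I149650A382        LEVEL: Error
PID     : 4032                 TID  : 1           PROC : db2aud
INSTANCE: db2instv             NODE : 000
FUNCTION: DB2 UDB, bsu security, sqlex_db2aud_main, probe:170
MESSAGE : ZRC=0x870F00BB=-2029059909=SQLO_QUE_NO_ACCESS
          "do not have the access right"

2011-01-18-21.03.10.000000-360 I150033A300        LEVEL: Warning
PID     : 5120                 TID  : 1           PROC : db2sysc
FUNCTION: DB2 UDB, constructed component, constructedFunction, probe:1
MESSAGE : constructed record, unrelated to audit
"""

# A record starts with a timestamp such as 2011-01-18-21.02.56.810052-360.
RECORD_START = re.compile(r"^[ \t]*\d{4}-\d{2}-\d{2}-\d{2}\.\d{2}\.\d{2}\.\d{6}[+-]\d+ ", re.M)

def field(text, pattern):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def audit_queue_failures(log_text):
    """Return db2aud records that report SQLO_QUE_NO_ACCESS (failed audit operation)."""
    starts = [m.start() for m in RECORD_START.finditer(log_text)]
    hits = []
    for begin, end in zip(starts, starts[1:] + [len(log_text)]):
        rec = " ".join(log_text[begin:end].split())  # undo wrapping and padding
        if field(rec, r"PROC : (\S+)") != "db2aud" or "SQLO_QUE_NO_ACCESS" not in rec:
            continue
        hits.append({
            "timestamp": rec.split(" ", 1)[0],
            "pid": field(rec, r"PID : (\d+)"),
            "instance": field(rec, r"INSTANCE: (\S+)"),
            "function": field(rec, r"FUNCTION: DB2 UDB, [^,]+, (\w+), probe:\d+"),
            "oserr": field(rec, r"OSERR : (\w+)"),
        })
    return hits
```

Each hit corresponds to an audit event that db2aud could not log, so the timestamps mark where the audit trail may have gaps.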
    

Local fix

Problem summary

  • When db2audit is enabled, running db2hpu as a non-instance owner
    results in an EACCES entry in db2diag.log
    

Problem conclusion

  • Fixed in V9.5 fp8
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC74585

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    950

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-02-18

  • Closed date

    2011-07-11

  • Last modified date

    2011-07-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IC75539

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • R950 PSN

       UP

Document Information

Modified date:
11 July 2011