IBM Support

IY86711: SECURITY: FENCED USERID INCORRECTLY ABLE TO ACCESS DIRECTORIES

 

APAR status

  • Closed as program error.

Error description

  • Users Affected: External fenced routines on Unix platforms
    
    Without this APAR fix, the fenced userid may be able to access
    directories without proper authorization.
    
    In order to enable the fix, the DB2_LIMIT_FENCED_GROUP registry
    variable must be set to YES and db2updv8 must be run on all
    databases in the instance.
    
    Example:
      db2updv8 -d <dbname> -j
      db2set DB2_LIMIT_FENCED_GROUP=YES
    
    NOTE 1: db2updv8 -j will only fix the permissions necessary for
    this security feature.  No other changes to the database will be
    made.  If db2updv8 is run without the -j option, all the updates
    will be applied, including the permissions necessary for the
    security feature.
    NOTE 2: Once db2updv8 (on V8 FP14 or later) has been run on all
    databases the registry variable may be set any time.
    
    After the DB2 registry variable is applied, applications that
    assumed the fenced user has authority to access a directory may
    now fail. Customers need to evaluate the authority of the fenced
    user and consider assigning appropriate groups to the fenced user
    if necessary.
    

Local fix

Problem summary

  • Users Affected: External fenced routines on Unix platforms.
    Problem summary: Fenced userid incorrectly able to access
    directories. Without this APAR fix, the fenced userid may be
    able to access directories without proper authorization.
    

Problem conclusion

  • First Fixed in DB2 UDB Version 8.1 fixpack 14.
    (also known as Version 8.2 Fixpak 7)
    
    
    Please note that in v9.5 and higher it is not required to set
    DB2_LIMIT_FENCED_GROUP=Yes to enable this fix, as it is enabled
    automatically.  Any values set for DB2_LIMIT_FENCED_GROUP will
    be ignored on Unix platforms.
    

Temporary fix

Comments

  • If FP14 has not been applied yet to the instance, then first
    install one of the fixpaks that contains IY86711 (fixpak 14
    or higher). After the fixpak is installed use:
       db2updv8 -d dbname -j
    Next, set the DB2_LIMIT_FENCED_GROUP=YES registry variable.

    For databases and database objects created using DB2 V8 FP14 and
    later, the permissions for these database objects are already
    set to the correct permissions described in IY86711, and
    only setting the DB2_LIMIT_FENCED_GROUP=YES registry variable on
    your system is required to correct this security vulnerability.
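
The procedure from the error description and the comments above, as an added shell example that is not part of the original APAR text: it reads `db2 list db directory` output, keeps only the databases local to the instance (entry type Indirect), and prints one `db2updv8 -d <alias> -j` per database followed by the `db2set` command. The listing is constructed and abbreviated, and the function names and the choice to skip Remote entries are assumptions of this example.

```shell
# Added example: build the IY86711 remediation command list for one instance.
# Real use (as the instance owner):  db2 list db directory | remediation_plan

# Constructed, abbreviated sample of `db2 list db directory` output
# (not taken from a real system).
sample_listing() {
cat <<'EOF'
Database 1 entry:
 Database alias                       = SALES
 Database name                        = SALES
 Local database directory             = /home/db2inst1
 Directory entry type                 = Indirect

Database 2 entry:
 Database alias                       = REMOTEDW
 Database name                        = DW
 Node name                            = NODE01
 Directory entry type                 = Remote

Database 3 entry:
 Database alias                       = HR
 Database name                        = HR
 Local database directory             = /home/db2inst1
 Directory entry type                 = Indirect
EOF
}

# Print the alias of every entry whose type is Indirect, i.e. a database that
# lives in this instance. Remote entries belong to another instance (assumption:
# those are remediated there, not from here).
local_databases() {
    awk -F'=' '
        /Database alias/       { gsub(/[ \t]/, "", $2); alias = $2 }
        /Directory entry type/ { gsub(/[ \t]/, "", $2)
                                 if ($2 == "Indirect") print alias }
    '
}

# Emit the commands in the order the APAR gives: db2updv8 -j on every
# database first, then the registry variable.
remediation_plan() {
    for db in $(local_databases); do
        echo "db2updv8 -d $db -j"
    done
    echo "db2set DB2_LIMIT_FENCED_GROUP=YES"
}

sample_listing | remediation_plan
```

The script only prints the commands; review the list before running them against the instance.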
    

APAR Information

  • APAR number

    IY86711

  • Reported component name

    DB2 UDB ESE AIX

  • Reported component ID

    5765F4100

  • Reported release

    820

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2006-07-06

  • Closed date

    2006-11-30

  • Last modified date

    2011-02-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IY87492

Fix information

  • Fixed component name

    DB2 UDB ESE AIX

  • Fixed component ID

    5765F4100

Applicable component levels

  • R820 PSN

       UP


Document Information

Modified date:
07 January 2022