IBM Support

IY87492: SECURITY: FENCED USERID INCORRECTLY ABLE TO ACCESS DIRECTORIES


APAR status

  • Closed as program error.

Error description

  • Users Affected:
    External fenced routines on Unix platforms
    
    Without this APAR fix, the fenced userid may be able to access
    directories without proper authorization.
    
    In order to enable the fix, the DB2_LIMIT_FENCED_GROUP registry
    variable must be set to YES and db2updv9 must be run on all
    databases in the instance.
    Example:
    db2updv9 -d <dbname> -j
    db2set DB2_LIMIT_FENCED_GROUP=YES
    
    NOTE 1: db2updv9 -j will only fix the permissions necessary for
    this security feature.  No other changes to the database will be
    made.  If db2updv9 is run without the -j option, all the updates
    will be applied, including the permissions necessary for the
    security feature.  Please see the DB2 Information Center for V9
    for more details on the db2updv9 tool.
    NOTE 2: Once db2updv9 has been run on all databases, the
    registry variable may be set at any time.
    
    After the DB2 registry variable is set, applications that
    assumed the fenced user has authority to access a directory may
    now fail. Customers need to evaluate the authority of the fenced
    user and consider assigning appropriate groups to the fenced
    user if necessary.
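
The enablement order described above (db2updv9 -j on every database, then the registry variable), as an added shell example that is not IBM's own script: it reads `db2 list db directory` output and prints the commands for an operator to review and run. The function names and the sample listing are constructed for illustration, and it assumes the local database alias is accepted as the -d argument.

```shell
#!/bin/sh
# Added example (not IBM code): plan the IY87492 enablement steps.

# Read `db2 list db directory` output on stdin and print the alias of each
# local ("Indirect") entry; remote catalog entries are skipped.
local_db_aliases() {
    awk -F'= *' '
        /Database alias/       { alias = $2; sub(/[ \t\r]+$/, "", alias) }
        /Directory entry type/ { if ($2 ~ /^Indirect/) print alias }
    '
}

# Print the commands in the required order: db2updv9 -j for every database
# first, db2set last. Returns 1 (and prints nothing) if no database is found,
# so the registry variable is never planned on its own.
# Assumption: the local alias is accepted as the db2updv9 -d argument.
fenced_fix_plan() {
    aliases=$(local_db_aliases)
    [ -n "$aliases" ] || return 1
    for db in $aliases; do
        printf 'db2updv9 -d %s -j\n' "$db"
    done
    printf 'db2set DB2_LIMIT_FENCED_GROUP=YES\n'
}

# Constructed sample of a database directory listing (trimmed to the two
# fields the parser uses); REMOTEDB is a remote entry and must be skipped.
sample_listing() {
    cat <<'EOF'
Database 1 entry:
 Database alias                       = SAMPLE
 Directory entry type                 = Indirect
Database 2 entry:
 Database alias                       = PAYROLL
 Directory entry type                 = Indirect
Database 3 entry:
 Database alias                       = REMOTEDB
 Directory entry type                 = Remote
EOF
}

# On a DB2 server use the real directory; elsewhere fall back to the sample.
if command -v db2 >/dev/null 2>&1; then
    db2 list db directory | fenced_fix_plan
else
    sample_listing | fenced_fix_plan
fi
```

On v9.5 and higher the final db2set line can be dropped, since this page states the fix is enabled automatically there.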
    

Local fix

Problem summary

  • Users Affected: External fenced routines on Unix platforms
    
    Problem summary: Fenced userid incorrectly able to access
    directories. Without this APAR fix, the fenced userid may be
    able to access directories without proper authorization.
    

Problem conclusion

  • Problem was first fixed in DB2 Version 9.1 Fix Pack 2 (s070210)
    
     Please note that in v9.5 and higher it is not required to set
     DB2_LIMIT_FENCED_GROUP=Yes to enable this fix, as it is enabled
     automatically.  Any value set for DB2_LIMIT_FENCED_GROUP will
     be ignored on Unix platforms.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IY87492

  • Reported component name

    DB2 UDB ESE AIX

  • Reported component ID

    5765F4100

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2006-07-31

  • Closed date

    2007-02-22

  • Last modified date

    2011-02-25

  • APAR is sysrouted FROM one or more of the following:

    IY86711

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DB2 UDB ESE AIX

  • Fixed component ID

    5765F4100

Applicable component levels

  • R910 PSY

       UP


Document Information

Modified date:
25 February 2011