IBM MQ file permissions in /opt/mqm with setuid for mqm
The following information covers the situation where your security team has flagged some of the executable IBM MQ files in the directory tree $MQ_INSTALLATION_PATH as violating local security policies. The default location on AIX is /usr/mqm; on the other UNIX operating systems it is /opt/mqm. If you have installed IBM MQ in a non-default directory, such as /opt/mqm90, or if you have multiple installations, the details in this topic still apply.
Cause of the problem
Your security team has identified the following areas of concern under $MQ_INSTALLATION_PATH. Note: in the following examples "..." is used to shorten the output string.
- Files in the /opt/mqm/bin, lib, and lib64 directories are setuid and setgid to the owner of the directory tree in which they reside. For example:
  -r-sr-s--- 1 mqm mqm 2...6 /opt/mqm/bin/amqcrsta_nd
  -r-sr-sr-x 1 mqm mqm 5...6 /opt/mqm/lib/amqccgsk
  -r-sr-sr-x 1 mqm mqm 6...6 /opt/mqm/lib64/amqccgsk
- The mqm user does not own the files in the /opt/mqm/lib/iconv directory. For example:
  -r--r--r-- 1 bin bin 2...4 /opt/mqm/lib/iconv/002501B5.tbl
- Files in /opt/mqm/licenses are world-writable. For example:
  -rwxrwxrwx 1 mqm mqm 5...6 /opt/mqm/licenses/English.txt
- Practically all the directories and files are owned by "mqm:mqm", except for the following, which are owned by root:
  $ ls -dl /opt/mqm/bin/security
  dr-xr-x--- 1 root mqm 48 Jun 30 08:06 /opt/mqm/bin/security
  $ ls -l /opt/mqm/bin/security
  -r-sr-x--- 1 root mqm 16497 Jun 30 08:06 amqoamax
  -r-sr-x--- 1 root mqm 17060 Jun 30 08:06 amqoampx
Resolving the problem
One of the historical concerns on UNIX with setuid programs was that system security could be compromised by manipulating the dynamic loader's environment variables, such as the LD* variables (LD_LIBRARY_PATH, LD_PRELOAD, and LIBPATH on AIX): an unprivileged user could point a privileged program at a library of their own choosing. This is no longer a concern, because the dynamic loaders on current UNIX operating systems run setuid and setgid programs in a secure mode in which these LD* variables are ignored (or, for preloading, restricted to trusted system directories). On AIX, LIBPATH is ignored for setuid programs in the same way. Therefore, the setuid and setgid programs for IBM MQ are not really a concern.
- Why are some of the IBM MQ programs mqm-setuid or mqm-setgid?
In IBM MQ, the user ID "mqm" and any ID that is a member of the "mqm" group are the IBM MQ administrative users.
IBM MQ queue manager resources are owned by "mqm" and are accessible only to that user and group. Since the queue manager processes read and modify these resources, they require "mqm" authority to access them. Therefore, the IBM MQ queue manager support processes are designed to run with the effective user ID "mqm", and the setuid and setgid bits are what give a program started by a non-mqm user that effective ID.
To let non-administrative users access IBM MQ objects, IBM MQ provides the Object Authority Manager (OAM), through which authorities on individual objects can be granted to, and revoked from, users and groups according to the needs of the applications those users run.
Because the OAM controls which users may perform which operations, and because the loader ignores the LD* variables for setuid and setgid programs, the IBM MQ binary and library files do not compromise the security of your system.
- Is it possible to change the permissions to satisfy the security policy of our enterprise without jeopardizing IBM MQ functionality?
The answer is categorically NO.
You should not change the permissions and ownerships of any of the IBM MQ binaries and libraries. IBM MQ functionality can suffer due to this kind of change, such that queue manager processes might fail to access some of the resources.
Note that the permissions and ownerships do not pose any security threat to the system.
For more information see IBM MQ file system permissions applied to /var/mqm.
- Why are the files under /opt/mqm/licenses world-writable?
These are plain text files containing the "International Program License Agreement". No queue manager process reads or executes them, so they are not a security threat.
To summarize:
- IBM MQ setuid and setgid programs do not cause any security threat to the system.
- Permissions and ownerships of these files should not be modified.
- Two subdirectories are exceptions to the "mqm:mqm" ownership and need to be discussed separately:
- The subdirectory "maintenance" is used to store a backup of files after a Fix Pack is applied. This subdirectory tree needs to be owned by root.
- The $MQ_INSTALLATION_PATH/bin/security subdirectory was added in IBM MQ Version 8.0.
This subdirectory needs to be owned by root because it holds the executables that interact with the operating system when a user of an IBM MQ client specifies a password: the queue manager passes the password to these programs, which ask the operating system whether the password is valid or not.
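The checks in "Cause of the problem" and the exceptions listed in this summary can be turned into a repeatable audit, so that a scanner's findings on an installation tree can be separated into those this topic documents as normal product layout and those that genuinely need review. The script below is an added example and is not IBM tooling; it assumes the bin, lib, lib64, lib/iconv, licenses, maintenance and bin/security layout described above, that paths contain no newlines, and that "ls -ld" prints the owner in its third column. The function names (mq_setuid_files, mq_classify, mq_audit and so on) are this example's own.

```shell
#!/bin/sh
# Added example (not IBM tooling): audit an IBM MQ installation tree for the
# conditions a permission scanner flags (setuid/setgid files, world-writable
# entries, entries not owned by the expected owner) and classify each finding
# as "expected" when this topic documents it as normal product layout, or
# "review" when it does not.

# All setuid or setgid regular files under the tree, one path per line.
mq_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# All world-writable files and directories under the tree.
mq_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# All entries not owned by the expected owner ("mqm" on a real system).
mq_unexpected_owner() {
    find "$1" ! -user "$2" -print | sort
}

# Owner of a path, taken from the third column of "ls -ld" (assumed portable).
mq_owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Classify one finding. Arguments: tree root, expected owner,
# kind (setuid | worldwritable | owner), path. Prints "expected" or "review".
mq_classify() {
    root=$1; owner=$2; kind=$3; path=$4
    rel=${path#"$root"/}
    actual=$(mq_owner_of "$path")
    case "$kind" in
        setuid)
            case "$rel" in
                # Password-checking programs in bin/security must be root-owned.
                bin/security/*) [ "$actual" = root ] && echo expected || echo review ;;
                # Product binaries and libraries are setuid/setgid to mqm only.
                bin/*|lib/*|lib64/*) [ "$actual" = "$owner" ] && echo expected || echo review ;;
                *) echo review ;;
            esac ;;
        worldwritable)
            case "$rel" in
                # The licence text files are documented as world-writable.
                licenses/*) echo expected ;;
                *) echo review ;;
            esac ;;
        owner)
            case "$rel" in
                # maintenance and bin/security are documented as root-owned.
                bin/security|bin/security/*|maintenance|maintenance/*)
                    [ "$actual" = root ] && echo expected || echo review ;;
                # lib/iconv tables are not owned by mqm by design.
                lib/iconv/*) echo expected ;;
                *) echo review ;;
            esac ;;
        *) echo review ;;
    esac
}

# Run every check over the tree and print "kind status path" per finding.
# Returns 0 when every finding is expected, 1 when anything needs review.
mq_audit() {
    root=$1; owner=${2:-mqm}; rc=0
    tmp=$(mktemp)
    {
        mq_setuid_files "$root"              | sed 's/^/setuid /'
        mq_world_writable "$root"            | sed 's/^/worldwritable /'
        mq_unexpected_owner "$root" "$owner" | sed 's/^/owner /'
    } > "$tmp"
    while read -r kind path; do
        status=$(mq_classify "$root" "$owner" "$kind" "$path")
        printf '%-14s %-8s %s\n' "$kind" "$status" "$path"
        [ "$status" = expected ] || rc=1
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

# Usage on a real installation, run as a user allowed to read the whole tree:
#   mq_audit /opt/mqm mqm
```

Every finding is printed, including the expected ones, so the output doubles as evidence for the security team that each flagged file matches one of the documented cases; the non-zero exit status fires only for entries this topic does not account for, such as a setuid file outside bin, lib and lib64, a world-writable file outside licenses, or a bin/security program that is not owned by root.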