Hello T.Rob,
I do not believe it is possible unless you are root. The way for the process to change
its group id is to change the memory in the process header belonging to the kernel
(there is no Unix system call for that -- at least I am not aware; setgid() issued by
a non-root user will only change to saved or real group id). This can only be done by
root, and the way for the process belonging to the regular user to promote to the root
is to exec a setuid-ed command -- and after exec() there is no way back :-). newgrp is
such a setuid-ed trusted command.
Of course it is possible for root to change any memory inside another process (risking
race condition) and, there are even some system-dependent ways to do it "safe": in
Solaris, for example, you can write a PCSCRED message to the process's 'ctl' file --
but, again, you have to be root. You can write a program using such a method and clear
it with your Unix Administration for installing as a trusted executable -- whether you
try to do it or not usually depends on how badly you need it. :-) To be 'safe', such a
program might, for example, read the '/etc/group' file and make sure one of the uids (or just
the effective uid) of the process actually belongs to the group you want to change to.
Hope this will help,
Pavel
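An added example, not part of Pavel's post, that exercises the credential rule he describes: an unprivileged process can only set its effective gid to its real or saved set-gid, so a supplementary group (the ones newgrp exists to adopt) cannot be switched to directly. It assumes Linux/glibc for getresgid(); on Solaris the same rule applies but the saved-gid lookup differs.

```c
#define _GNU_SOURCE          /* assumption: Linux/glibc, needed for getresgid() */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The rule Pavel describes: without root (CAP_SETGID), setegid() may only
 * pick the real gid, the current effective gid or the saved set-gid.
 * Everything else needs root or a setgid helper such as newgrp. */
int unprivileged_setegid_allowed(gid_t target, gid_t rgid, gid_t egid, gid_t sgid)
{
    return target == rgid || target == egid || target == sgid;
}

/* Try setegid(target), then restore the previous effective gid.
 * Returns 0 if the kernel allowed the change, otherwise the errno
 * (EPERM for a non-root caller whose target is outside the set above). */
int try_setegid(gid_t target)
{
    gid_t old = getegid();
    if (setegid(target) != 0)
        return errno;
    if (setegid(old) != 0)   /* restoring is always within the rule */
        return errno;
    return 0;
}

/* Pick a gid that equals none of the three credential gids, so that an
 * unprivileged setegid() to it must be refused with EPERM. */
gid_t pick_foreign_gid(void)
{
    gid_t r, e, s, g = 60000;   /* 60000: constructed starting point */
    getresgid(&r, &e, &s);
    while (g == r || g == e || g == s)
        g++;
    return g;
}

int main(void)
{
    gid_t r, e, s, groups[64];
    getresgid(&r, &e, &s);
    int n = getgroups(64, groups);
    printf("real=%u effective=%u saved=%u, %d supplementary group(s)\n",
           (unsigned)r, (unsigned)e, (unsigned)s, n);
    /* Supplementary groups grant file access but are not adoptable as egid. */
    for (int i = 0; i < n; i++) {
        int rc = try_setegid(groups[i]);
        printf("setegid(%u): %s\n", (unsigned)groups[i], rc ? strerror(rc) : "ok");
    }
    return 0;
}
```

Run as an ordinary user who belongs to several groups: only the real/saved gid succeeds, every other supplementary group reports "Operation not permitted", which is exactly why newgrp has to be a setgid helper.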
"Wyatt, T. Rob" <[EMAIL PROTECTED]MERICA.COM>
Sent by: MQSeries List <[EMAIL PROTECTED]C.AT>
04/05/2004 10:31 AM
Please respond to MQSeries List
To: [EMAIL PROTECTED]
cc:
Subject: Re: MQ Security data in SYSTEM.AUTH.DATA.QUEUE
Rao,
Use the "id" command to display your currently set active group. This should be the
group that is used to make the second entry. Try doing a "newgrp" to change your
active group before creating the queue and see if it makes the second entry in the
newly selected group. If you "newgrp mqm" there should be no second entry.
If you create your queues from script files, you cannot simply add a "newgrp mqm"
command to the file. Doing a newgrp always results in a new shell that ignores the
rest of the script. If anyone knows of a syntax that allows execution of newgrp from
within a script, please let me know!
-- T.Rob
-----Original Message-----
From: Adiraju, Rao [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 04, 2004 5:51 PM
To: [EMAIL PROTECTED]
Subject: MQ Security data in SYSTEM.AUTH.DATA.QUEUE
I am trying to analyse the entries in the above queue on SOLARIS platform with
MQ V5.3 CSD6.
What I am noticing is when I create an object such as local queue, MQ by
default, is generating two authorisation entries - one for "mqm" group and another for
one of my other group-ids but not all the groups that I belong to.
On this particular box my user-id is connected to three groups - mqm, group1,
group2. Whereas MQ is creating authorisation entries for mqm and group1 but NOT
group2.
Whereas if I do "sudo su - mqm" and create an object, then I can see only one
authorisation entry for "mqm" group.
Similarly when a solaris administrator logs on as "root" and creates objects, I
see only two entries - one for "mqm" and another for "other". Even here the "root" is
associated with more than these two groups.
Looks like it is always generating TWO entries - one for "mqm" and another for
one of the associated groups (but not all and in what order it selects - beats me).
Appreciate if anybody can throw some light on how it works.
Is the behaviour the same on the Windows platform (I am still analysing it but at the
outset doesn't look like the same)?
And also appreciate any advice on how to clean up all other entries barring
"mqm" group. I am thinking of unloading these entries into a txt file, deleting
unwanted entries and loading back. Then the plan is to grant controlled access to the
users.
Cheers
Rao
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive