Sticky Bit

Mike

Moderator
Dear all,

We have Progress production databases on a server

version = progress91d
AIX version= 7.1

The Unix team told us to change all directories with the sticky bit. We are afraid to change them.
As per my knowledge, the sticky bit issue is related to security (permissions on the directory).
One application is used by my databases with different user IDs; in this situation we need full directory permissions. If we change anything in the structure, we don't know which application will stop working.


AM I RIGHT ABOVE? PLEASE GIVE YOUR VALUABLE SUGGESTION ON THIS. IT'S A BIT URGENT.


With Regards,
Mike :)
 

TomBascom

Curmudgeon
Progress 9.1d is ancient, obsolete and unsupported. You should upgrade. Your data is at risk.

What specific command do they want you to run and on what directories?

In theory, many of your Progress executables should be owned by root and have their setuid bit set. This should allow them to open the necessary db files at startup as if "root" were the user. The session then "gives up" its special privileges and runs as the normal user. (The downside of that last step is the internal CONNECT statements may fail if the permissions are not open and a shared memory connection is attempted -- but your application may not do that, most do not).

You should try it on your test system and run through your suite of regression tests. Changes like this, even if they are theoretically benign, are very difficult to be sure of without thorough testing.
 

cj_brandt

Active Member
Most of the files in $DLC/bin/_* have the setuid bit set. You can look at the Progress KB to verify.

If the setuid bit isn't set for some of the Progress executables, you can get errors when running some utilities. In our environment, if the setuid bit isn't set, the following will return an error: proutil -C dbipcs
 

Mike

Moderator
So if we change the directories with the sticky bit, is there no impact on business?

One application is used by my databases with different user IDs; in this situation we need full directory permissions.

If we change anything in the structure, we don't know which application will stop working. So please do the needful.

Now the server is stable; for future reference, we can't touch anything on the server.


Please clarify..
 

TomBascom

Curmudgeon
Two weeks ago I asked you "what specific command do they want you to run". You need to provide that clarification before you can expect a useful answer to your "urgent" question.
 

Mike

Moderator
Hi Mike,

The directories belong to the Operating System, Database and Applications only. As of now all the directories / file systems have 777 permissions, which is a high risk.


Please test it in the test environment and observe the behavior; after that, set the sticky on the Prod servers from 777 to 755.


P.S. The SAP BASIS (125 servers), UNFIY (40 servers) and WPC (2 servers) teams have set the sticky bit to 755 on their production servers.


Legend:

- 777 = RWXRWXRWX

- 744 = RWXR00R00

- 755 = RWXR0XR0X

Hence we request you to use the chmod o+t command to set the sticky bit for these directories, for root as 777, and other groups should have 744 or 755.



Note : Owner (root)- should have full permissions i.e.DRWX

Groups – should have read / execute permissions i.e. D---R-X---

Others – should have read only or execute permissions i.e. D------R-X

Numerical permissions

Number   Permission          RWX
7        Full                111
6        Read and Write      110
5        Read and Execute    101
4        Read only           100
3        Write and Execute   11
2        Write only          10
1        Execute only        1

I got this mail from the Unix team after I sent them a mail saying: "It is a legacy server and hence we will not be able to make any change which impacts the database / program."


please help me tom :-(
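
Added example, not part of the thread: the three modes named in the mail above (777, 777 plus `chmod o+t`, and 755) applied to constructed scratch directories, so their effect can be compared on a test system before anything real is changed. The function names and the scratch path are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: compares the directory modes discussed in the thread on
# constructed scratch directories. Nothing here touches real database paths.

# Print the 10-character type/permission string for a path, e.g. drwxrwxrwt.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# List directories under $1 that anyone may write to and that lack the
# sticky bit, i.e. where any user can delete or rename other users' files.
unsticky_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Build three constructed directories, one per mode named in the thread.
make_demo_tree() {
    root=$1
    mkdir -p "$root/open" "$root/sticky" "$root/closed"
    chmod 755 "$root"           # keep the scratch root itself out of the report
    chmod 777 "$root/open"      # current state described in the mail
    chmod 777 "$root/sticky"
    chmod o+t "$root/sticky"    # the command the mail names (result: 1777)
    chmod 755 "$root/closed"    # the mode the mail asks for, no sticky bit
}

demo() {
    root=${TMPDIR:-/tmp}/stickydemo.$$
    make_demo_tree "$root"
    for d in open sticky closed; do
        printf '%-7s %s\n' "$d" "$(mode_string "$root/$d")"
    done
    echo "world-writable without sticky bit:"
    unsticky_world_writable "$root"
    rm -rf "$root"
}

demo
```

Pointing `unsticky_world_writable` at a copy of the application tree on the test server lists the directories where `chmod o+t` would change who may delete files; 755 is a separate change that removes group and other write access.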
 