chris@vision.UUCP (Chris Davies) (04/05/90)
In article <1990Apr3.175133.12382@aqdata.uucp> sullivan@aqdata.uucp (Michael T. Sullivan) writes:
>I (as root) created a project directory for people to work in. I
>gave the directory group rwx permission. Somebody in the group tried
>to create a database in the project directory. It didn't work. The

Ah! On the version of Informix we've got here (2.10.03B on Altos 1000
SysV.3) it runs "setgid" - i.e. the effective group privileges for a user
using Informix are often that of the Informix Group itself (not the user's
group).

When I tried the situation above, setting the group to "informix" and the
permissions to group rwx, it worked perfectly. However, this then leads
on to the possibility that _anyone_ could create a database in this
directory :-( No, I've no quick'n'easy solution to that one!

>error message (as usual) was no help. I got a funny feeling and
>changed the ownership of the directory to that of the person creating
>the database. Sure enough, that worked. Note that this person had

Yes, this would work. Since the effective group id is Informix, the only
way a user would be able to write something into that directory would be as
the owner (unless others permissions was rwx too).

Regards,
Chris
--
VISIONWARE LTD | UK: chris@vision.uucp JANET: chris%vision.uucp@ukc
57 Cardigan Lane | US: chris@vware.mn.org OTHER: chris@vision.co.uk
LEEDS LS4 2LE | BANGNET: ...{backbone}!ukc!vision!chris
England | VOICE: +44 532 788858 FAX: +44 532 304676
-------------- "VisionWare: The home of DOS/UNIX/X integration" --------------
aland@infmx.UUCP (Dr. Scump) (04/07/90)
In article <1990Apr3.175133.12382@aqdata.uucp> sullivan@aqdata.uucp (Michael T. Sullivan) writes:
>I (as root) created a project directory for people to work in. I
>gave the directory group rwx permission. Somebody in the group tried
>to create a database in the project directory. It didn't work. The
>error message (as usual) was no help. I got a funny feeling and
>changed the ownership of the directory to that of the person creating
>the database. Sure enough, that worked. Note that this person had
>already mkdir'd several directories previously, so permission to
>create directories was definitely there.

I tried, but I can't reproduce this. If I have a directory /tmp/foo:

   1 dr-xrwx--- 4 root CN 512 Apr 6 17:48 /tmp/foo

and I belong to group CN, I can create a database there just fine
(as me, not necessarily as root).

Check to make sure your permissions in INFORMIXDIR aren't hosed.
For example, $INFORMIXDIR/lib/sqlexec mode bits and permissions
should be like this:

file $INFORMIXDIR/lib/sqlexec:
/usr/informix/lib/sqlexec: ... set-uid set-gid executable not stripped

ls -lsgt $INFORMIXDIR/lib/sqlexec:
 280 -rwsr-sr-x 1 root informix ... /usr/informix/lib/sqlexec

>Has anybody else come across this? If not, you have been forewarned.
>Note that this isn't a major problem, just an annoyance that the
>manual page didn't mention.

I'd consider it more than an annoyance ... if I could reproduce it.
I tested using ISQL version 2.10.03B, which shouldn't be any newer
than what you are running. I also tried it in 4.00 - no problem there,
either.

>Michael Sullivan uunet!jarthur!aqdata!sullivan

--
Alan S. Denney @ Informix Software, Inc.          "We're homeward bound
aland@informix.com {pyramid|uunet}!infmx!aland     ('tis a damn fine sound!)
-----------------------------------------------    with a good ship, taut & free
Disclaimer: These opinions are mine alone.         We don't give a damn,
If I am caught or killed, the secretary            when we drink our rum
will disavow any knowledge of my actions.          with the girls of old Maui."
aland@infmx.UUCP (Dr. Scump) (04/07/90)
In article <427@mlacus.oz> nick@mlacus.oz (Nick Langmaid) writes:
>We've experienced that problem here. The explanation we came up with

Again, I can't reproduce the original referenced problem. If someone
can give me a command sequence that does reproduce it, I'll check it out.

>was that the Informix software spawns a task which changes its group
>to "Informix", but preserves its userid. As a result, any group

In a sense. Each front-end (ISQL, esql program, 4GL program, etc.)
spawns an engine process which runs with uid=(user's uid) and
gid=informix. That way, you don't have to mess with filesystem
permissions for multiuser databases. Databases are always created
w/ permissions 660, owner= creating user, group= informix.

>permission you grant (other than to "Informix") are more or less
>irrelevant. User permissions still apply.

Huh?

>I can't claim that this is a complete and accurate explanation,
>because once we had a workaround we stopped looking at it.
>
>Hope this helps,
>Nick Langmaid ACUS Tel: +61(3)823-1035 Fax: +61(3)267-4692

--
Alan S. Denney @ Informix Software, Inc.          "We're homeward bound
aland@informix.com {pyramid|uunet}!infmx!aland     ('tis a damn fine sound!)
-----------------------------------------------    with a good ship, taut & free
Disclaimer: These opinions are mine alone.         We don't give a damn,
If I am caught or killed, the secretary            when we drink our rum
will disavow any knowledge of my actions.          with the girls of old Maui."
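
[Added example, not part of any poster's message and not Informix code.] The posts above describe an engine process running with uid = the user's uid and gid = informix. The sketch below models the classic Unix owner/group/other check for creating a file in a directory under those credentials. The user names "alice" and "carol", the group "proj", and the supplementary-group field are assumptions; the thread does not say whether either system kept supplementary groups.

```python
# Added illustration (not from the thread): the classic Unix permission check
# for creating a file in a directory, run with the engine's credentials.
from dataclasses import dataclass

@dataclass(frozen=True)
class Dir:
    owner: str
    group: str
    mode: int                          # permission bits, e.g. 0o770

@dataclass(frozen=True)
class Proc:
    euid: str
    egid: str
    groups: frozenset = frozenset()    # supplementary groups (platform dependent)

def can_create_in(d: Dir, p: Proc) -> bool:
    """Creating an entry needs w and x on the directory. Exactly one class
    is consulted: owner if the uid matches, else group, else other."""
    if p.euid == d.owner:
        bits = (d.mode >> 6) & 0o7
    elif d.group == p.egid or d.group in p.groups:
        bits = (d.mode >> 3) & 0o7
    else:
        bits = d.mode & 0o7
    return (bits & 0o3) == 0o3

def engine(user: str, supplementary=()) -> Proc:
    """Engine process as described above: uid = user's uid, gid = informix."""
    return Proc(euid=user, egid="informix", groups=frozenset(supplementary))

def scenarios() -> dict:
    # "alice", "carol" and group "proj" are constructed sample names.
    shared = Dir("root", "informix", 0o770)
    return {
        # root-owned project dir, group rwx for the users' own group
        "group_proj": can_create_in(Dir("root", "proj", 0o770), engine("alice")),
        # same dir with group informix: every Informix user passes the check
        "group_informix_member": can_create_in(shared, engine("alice")),
        "group_informix_outsider": can_create_in(shared, engine("carol")),
        # dir chown'ed to the creating user: owner bits apply
        "owned_by_user": can_create_in(Dir("alice", "proj", 0o770), engine("alice")),
        # dr-xrwx--- root CN from the thread, with and without group CN retained
        "cn_with_supplementary": can_create_in(Dir("root", "CN", 0o570), engine("alice", ["CN"])),
        "cn_without_supplementary": can_create_in(Dir("root", "CN", 0o570), engine("alice")),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26} {'allowed' if ok else 'denied'}")
```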
rbp@investor.pgh.pa.us (Bob Peirce #305) (04/10/90)
In article <1073@vision.UUCP> chris@vision.UUCP (Chris Davies) writes:
>
>When I tried the situation above, setting the group to "informix" and the
>permissions to group rwx, it worked perfectly. However, this then leads
>on to the possibility that _anyone_ could create a database in this
>directory :-( No, I've no quick'n'easy solution to that one!

The grant command should take care of that.

--
Bob Peirce, Pittsburgh, PA 412-471-5320
...!uunet!pitt!investor!rbp rbp@investor.pgh.pa.us
chris@vision.UUCP (Chris Davies) (04/12/90)
In article <1990Apr10.143004.4720@investor.pgh.pa.us> rbp@investor.pgh.pa.us
(Bob Peirce #305) comments on my posting:
[me] When I tried the situation above, setting the group to "informix" and the
[me] permissions to group rwx, it worked perfectly. However, this then leads
[me] on to the possibility that _anyone_ could create a database in this
[me] directory :-( No, I've no quick'n'easy solution to that one!
[Bob] The grant command should take care of that.
Naa. I said database - not table. How can you use a GRANT command if you
don't even have a database yet? It's a Un*x permissions problem this time :-)
Chris
--
VISIONWARE LTD | UK: chris@vision.uucp JANET: chris%vision.uucp@ukc
57 Cardigan Lane | US: chris@vware.mn.org OTHER: chris@vision.co.uk
LEEDS LS4 2LE | BANGNET: ...{backbone}!ukc!vision!chris
England | VOICE: +44 532 788858 FAX: +44 532 304676
-------------- "VisionWare: The home of DOS/UNIX/X integration" --------------