By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
437,557 Members | 1,067 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 437,557 IT Pros & Developers. It's quick & easy.

Another Security Question for DB2 V8

P: n/a
Environment: DB2 Personal Editon V8 on Windows XP

I was doing some experiments with authorities and discovered some unexpected
behaviour. I had not yet touched the SYSADM_GROUP, SYSCTRL_GROUP, or
SYSMAINT_GROUP settings on a new instance, i.e. all three were blank when I
did "get dbm cfg". The only groups I had set up in Windows were the standard
Windows ones, like Administrator and Users.

I was rather surprised to find that when a user who was in the Windows
Administrators group attempted to access some tables in one of the
databases, she was able to do so. For example, Wilma, who belonged only the
Windows Administrators group and the Windows Users group, connected to one
of the databases with her own userid and password and was able to read the
data in one of the tables without having been granted any authority whatever
by me, the sole SYSADM.

I had the very strong impression that she was able to read the table simply
by virtue of being in the Administrators group, _even though I hadn't set up
ANY group as the SYSADM_GROUP, SYSCTRL_GROUP, or SYSMAINT_GROUP_!! (Another
user, Betty, who belonged only to the Users group, was NOT able to read the
same tables.)

Am I correct in believing that DB2's default behaviour in Windows is to
treat everyone in the Administrators group as a Sysadm, even though no
SYSADM_GROUP has been set within the instance??

This seems like a rather gaping security hole to me! If I am understanding
this correctly, I would be highly inclined to advise all DB2 administrators
on Windows to set up groups explicitly for DB2 Sysadm, Sysmaint and Sysctrl
immediately upon installing DB2 and make sure that their various DB2 users
belong _only_ to those groups. Am I going overboard or is that a reasonable
way to set things up?

--

Rhino

Dec 3 '07 #1
Share this Question
Share on Google+
2 Replies


P: n/a
Ian
rhino wrote:
>
Am I correct in believing that DB2's default behaviour in Windows is to
treat everyone in the Administrators group as a Sysadm, even though no
SYSADM_GROUP has been set within the instance??
Yes, this is correct. If you don't assign a specific group to
SYSADM_GROUP, then DB2 uses the Administrators group on the local machine.
This seems like a rather gaping security hole to me! If I am understanding
this correctly, I would be highly inclined to advise all DB2 administrators
on Windows to set up groups explicitly for DB2 Sysadm, Sysmaint and Sysctrl
immediately upon installing DB2 and make sure that their various DB2 users
belong _only_ to those groups. Am I going overboard or is that a reasonable
way to set things up?
I don't think this is a security hole by default, because it depends on
how tightly you control your administrators group. No doubt, it's very
common to find the DBA and Sys Admin be the same person, especially in
smaller shops that can't afford to staff them separately.

And even then, it's just a technicality. A Windows administrator could
simply add their ID (or any ID) to the group you've set up for
SYSADM_GROUP and have at the database. Or worse, just delete all of
the files associated with DB2, with no permission-diddling required.
Dec 3 '07 #2

P: n/a

"Ian" <ia*****@mobileaudio.comwrote in message
news:X0*************@newsfe10.phx...
rhino wrote:
>>
Am I correct in believing that DB2's default behaviour in Windows is to
treat everyone in the Administrators group as a Sysadm, even though no
SYSADM_GROUP has been set within the instance??

Yes, this is correct. If you don't assign a specific group to
SYSADM_GROUP, then DB2 uses the Administrators group on the local machine.
Okay, that's good. I wanted to make sure that I was reasoning this out
correctly and apparently I did.
>This seems like a rather gaping security hole to me! If I am
understanding this correctly, I would be highly inclined to advise all
DB2 administrators on Windows to set up groups explicitly for DB2 Sysadm,
Sysmaint and Sysctrl immediately upon installing DB2 and make sure that
their various DB2 users belong _only_ to those groups. Am I going
overboard or is that a reasonable way to set things up?

I don't think this is a security hole by default, because it depends on
how tightly you control your administrators group. No doubt, it's very
common to find the DBA and Sys Admin be the same person, especially in
smaller shops that can't afford to staff them separately.
Ok, fair enough....
And even then, it's just a technicality. A Windows administrator could
simply add their ID (or any ID) to the group you've set up for
SYSADM_GROUP and have at the database. Or worse, just delete all of
the files associated with DB2, with no permission-diddling required.
I see I don't have enough experience in thinking deviously; that simple ploy
didn't occur to me ;-)

Clearly, you have to be pretty sure of who you allow in the Administrators
group; if you can't trust someone in that group not to mess up your DB2
system, you need to remove him/her from the Administrators group!

--

Rhino
Dec 4 '07 #3

This discussion thread is closed

Replies have been disabled for this discussion.