Bytes | Software Development & Data Engineering Community

Another Security Question for DB2 V8

Environment: DB2 Personal Edition V8 on Windows XP

I was doing some experiments with authorities and discovered some unexpected
behaviour. I had not yet touched the SYSADM_GROUP, SYSCTRL_GROUP, or
SYSMAINT_GROUP settings on a new instance, i.e. all three were blank when I
did "get dbm cfg". The only groups I had set up in Windows were the standard
Windows ones, like Administrator and Users.

I was rather surprised to find that when a user who was in the Windows
Administrators group attempted to access some tables in one of the
databases, she was able to do so. For example, Wilma, who belonged only to the
Windows Administrators group and the Windows Users group, connected to one
of the databases with her own userid and password and was able to read the
data in one of the tables without having been granted any authority whatever
by me, the sole SYSADM.

I had the very strong impression that she was able to read the table simply
by virtue of being in the Administrators group, _even though I hadn't set up
ANY group as the SYSADM_GROUP, SYSCTRL_GROUP, or SYSMAINT_GROUP_!! (Another
user, Betty, who belonged only to the Users group, was NOT able to read the
same tables.)

Am I correct in believing that DB2's default behaviour in Windows is to
treat everyone in the Administrators group as a Sysadm, even though no
SYSADM_GROUP has been set within the instance??

This seems like a rather gaping security hole to me! If I am understanding
this correctly, I would be highly inclined to advise all DB2 administrators
on Windows to set up groups explicitly for DB2 Sysadm, Sysmaint and Sysctrl
immediately upon installing DB2 and make sure that their various DB2 users
belong _only_ to those groups. Am I going overboard or is that a reasonable
way to set things up?

--

Rhino

Dec 3 '07 #1
Ian
rhino wrote:
> Am I correct in believing that DB2's default behaviour in Windows is to
> treat everyone in the Administrators group as a Sysadm, even though no
> SYSADM_GROUP has been set within the instance??

Yes, this is correct. If you don't assign a specific group to
SYSADM_GROUP, then DB2 uses the Administrators group on the local machine.

> This seems like a rather gaping security hole to me! If I am understanding
> this correctly, I would be highly inclined to advise all DB2 administrators
> on Windows to set up groups explicitly for DB2 Sysadm, Sysmaint and Sysctrl
> immediately upon installing DB2 and make sure that their various DB2 users
> belong _only_ to those groups. Am I going overboard or is that a reasonable
> way to set things up?

I don't think this is a security hole by default, because it depends on
how tightly you control your administrators group. No doubt, it's very
common to find the DBA and Sys Admin to be the same person, especially in
smaller shops that can't afford to staff them separately.

And even then, it's just a technicality. A Windows administrator could
simply add their ID (or any ID) to the group you've set up for
SYSADM_GROUP and have at the database. Or worse, just delete all of
the files associated with DB2, with no permission-diddling required.
Dec 3 '07 #2
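A small audit script for the situation Ian describes, added here as an example (it is not part of the thread and not DB2's own tooling): it parses the output of `db2 get dbm cfg` (a constructed sample is embedded), flags any of the three authority groups that is still blank, and builds the `update dbm cfg` commands that assign explicit groups. The group names it proposes are placeholders, not real groups.

```python
import re
from typing import Dict, List

# Instance-level authority groups discussed in the thread.
AUTHORITY_PARAMS = ("SYSADM_GROUP", "SYSCTRL_GROUP", "SYSMAINT_GROUP")

# Constructed sample of `db2 get dbm cfg` output (trimmed, not a real capture):
# SYSADM_GROUP and SYSCTRL_GROUP are blank, SYSMAINT_GROUP has been set.
SAMPLE_DBM_CFG = """\
          Database Manager Configuration

 Database manager configuration release level            = 0x0a00

 SYSADM group name                        (SYSADM_GROUP) =
 SYSCTRL group name                      (SYSCTRL_GROUP) =
 SYSMAINT group name                    (SYSMAINT_GROUP) = DB2MAINT
 Default database path                       (DFTDBPATH) = C:
"""

# Matches the "(PARAM) = value" tail of a configuration line.
CFG_LINE = re.compile(r"\((?P<param>[A-Z0-9_]+)\)\s*=\s*(?P<value>.*)$")

def parse_dbm_cfg(text: str) -> Dict[str, str]:
    """Map every (PARAM) = value line of the dbm cfg output to its value."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = CFG_LINE.search(line)
        if m:
            cfg[m.group("param")] = m.group("value").strip()
    return cfg

def unset_authority_groups(cfg: Dict[str, str]) -> List[str]:
    """Return the authority groups left blank. A blank SYSADM_GROUP on Windows
    means every member of the local Administrators group holds SYSADM."""
    return [p for p in AUTHORITY_PARAMS if not cfg.get(p)]

def remediation_commands(unset: List[str], prefix: str = "DB2") -> List[str]:
    """CLP commands assigning an explicit group to each blank parameter.
    The group names (DB2SYSADM, DB2SYSCTRL, ...) are hypothetical placeholders."""
    return [f"db2 update dbm cfg using {p} {prefix}{p.split('_')[0]}" for p in unset]

if __name__ == "__main__":
    cfg = parse_dbm_cfg(SAMPLE_DBM_CFG)
    missing = unset_authority_groups(cfg)
    for p in missing:
        print(f"{p} is blank")
    for cmd in remediation_commands(missing):
        print(cmd)
```

On a real instance, feed it the captured output of `db2 get dbm cfg`; the Windows groups must exist before you assign them, and the new values take effect only after `db2stop` and `db2start`.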

"Ian" <ia*****@mobileaudio.com> wrote in message
news:X0*************@newsfe10.phx...
> rhino wrote:
>> Am I correct in believing that DB2's default behaviour in Windows is to
>> treat everyone in the Administrators group as a Sysadm, even though no
>> SYSADM_GROUP has been set within the instance??
>
> Yes, this is correct. If you don't assign a specific group to
> SYSADM_GROUP, then DB2 uses the Administrators group on the local machine.

Okay, that's good. I wanted to make sure that I was reasoning this out
correctly and apparently I did.

>> This seems like a rather gaping security hole to me! If I am
>> understanding this correctly, I would be highly inclined to advise all
>> DB2 administrators on Windows to set up groups explicitly for DB2 Sysadm,
>> Sysmaint and Sysctrl immediately upon installing DB2 and make sure that
>> their various DB2 users belong _only_ to those groups. Am I going
>> overboard or is that a reasonable way to set things up?
>
> I don't think this is a security hole by default, because it depends on
> how tightly you control your administrators group. No doubt, it's very
> common to find the DBA and Sys Admin to be the same person, especially in
> smaller shops that can't afford to staff them separately.

Ok, fair enough....

> And even then, it's just a technicality. A Windows administrator could
> simply add their ID (or any ID) to the group you've set up for
> SYSADM_GROUP and have at the database. Or worse, just delete all of
> the files associated with DB2, with no permission-diddling required.

I see I don't have enough experience in thinking deviously; that simple ploy
didn't occur to me ;-)

Clearly, you have to be pretty sure of who you allow in the Administrators
group; if you can't trust someone in that group not to mess up your DB2
system, you need to remove him/her from the Administrators group!

--

Rhino
Dec 4 '07 #3
