 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
| HomeDiscussion Groups Database Servers DB2InformixIngresMS SQLOraclePervasive.SQLPostgreSQLProgressSybaseDesktop Databases FileMakerFoxProMS AccessParadoxGeneral General DB TopicsDatabase TheoryRelated Topics Java Development.NET DevelopmentVB DevelopmentMore Topics ... |
Database Forum / DB2 Topics / December 2007Another Security Question for DB2 V8
Environment: DB2 Personal Editon V8 on Windows XP I was doing some experiments with authorities and discovered some unexpected behaviour. I had not yet touched the SYSADM_GROUP, SYSCTRL_GROUP, or SYSMAINT_GROUP settings on a new instance, i.e. all three were blank when I did "get dbm cfg". The only groups I had set up in Windows were the standard Windows ones, like Administrator and Users. I was rather surprised to find that when a user who was in the Windows Administrators group attempted to access some tables in one of the databases, she was able to do so. For example, Wilma, who belonged only the Windows Administrators group and the Windows Users group, connected to one of the databases with her own userid and password and was able to read the data in one of the tables without having been granted any authority whatever by me, the sole SYSADM. I had the very strong impression that she was able to read the table simply by virtue of being in the Administrators group, _even though I hadn't set up ANY group as the SYSADM_GROUP, SYSCTRL_GROUP, or SYSMAINT_GROUP_!! (Another user, Betty, who belonged only to the Users group, was NOT able to read the same tables.) Am I correct in believing that DB2's default behaviour in Windows is to treat everyone in the Administrators group as a Sysadm, even though no SYSADM_GROUP has been set within the instance?? This seems like a rather gaping security hole to me! If I am understanding this correctly, I would be highly inclined to advise all DB2 administrators on Windows to set up groups explicitly for DB2 Sysadm, Sysmaint and Sysctrl immediately upon installing DB2 and make sure that their various DB2 users belong _only_ to those groups. Am I going overboard or is that a reasonable way to set things up? -- Rhino > Am I correct in believing that DB2's default behaviour in Windows is to > treat everyone in the Administrators group as a Sysadm, even though no > SYSADM_GROUP has been set within the instance?? Yes, this is correct. If you don't assign a specific group to SYSADM_GROUP, then DB2 uses the Administrators group on the local machine. > This seems like a rather gaping security hole to me! If I am understanding > this correctly, I would be highly inclined to advise all DB2 administrators > on Windows to set up groups explicitly for DB2 Sysadm, Sysmaint and Sysctrl > immediately upon installing DB2 and make sure that their various DB2 users > belong _only_ to those groups. Am I going overboard or is that a reasonable > way to set things up? I don't think this is a security hole by default, because it depends on how tightly you control your administrators group. No doubt, it's very common to find the DBA and Sys Admin be the same person, especially in smaller shops that can't afford to staff them separately. And even then, it's just a technicality. A Windows administrator could simply add their ID (or any ID) to the group you've set up for SYSADM_GROUP and have at the database. Or worse, just delete all of the files associated with DB2, with no permission-diddling required. >> Am I correct in believing that DB2's default behaviour in Windows is to >> treat everyone in the Administrators group as a Sysadm, even though no >> SYSADM_GROUP has been set within the instance?? > > Yes, this is correct. If you don't assign a specific group to > SYSADM_GROUP, then DB2 uses the Administrators group on the local machine. Okay, that's good. I wanted to make sure that I was reasoning this out correctly and apparently I did. >> This seems like a rather gaping security hole to me! If I am >> understanding this correctly, I would be highly inclined to advise all [quoted text clipped - 7 lines] > common to find the DBA and Sys Admin be the same person, especially in > smaller shops that can't afford to staff them separately. Ok, fair enough.... > And even then, it's just a technicality. A Windows administrator could > simply add their ID (or any ID) to the group you've set up for > SYSADM_GROUP and have at the database. Or worse, just delete all of > the files associated with DB2, with no permission-diddling required. I see I don't have enough experience in thinking deviously; that simple ploy didn't occur to me ;-) Clearly, you have to be pretty sure of who you allow in the Administrators group; if you can't trust someone in that group not to mess up your DB2 system, you need to remove him/her from the Administrators group! -- Rhino |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2009 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.