Join IIUG
 for   
 

Informix News
18 Nov 13 - ZDNet - Top 20 mobile skills in demand... Read
09 Sep 13 - telecompaper - Shaspa and Tatung have shown a new smart home platform at Ifa in Berlin. Powered by the IBM Informix software... Read
06 Sep 13 - IBM data magazine - Mission Accomplished - Miami, Florida will be the backdrop for the 2014 IIUG Informix Conference... Read
01 Feb 13 - IBM Data Magazine - Are your database backups safe? Lester Knutsen (IBM Champion) writes about database back up safety using "archecker"... Read
14 Nov 12 - IBM - IBM's Big Data For Smart Grid Goes Live In Texas... Read
3 Oct 12 - The Financial - IBM and TransWorks Collaborate to Help Louisiana-Pacific Corporation Achieve Supply Chain Efficiency... Read
28 Aug 12 - techCLOUD9 - Splunk kicks up a SaaS Storm... Read
10 Aug 12 - businessCLOUD9 - Is this the other half of Cloud monitoring?... Read
3 Aug 12 - IBM data management - Supercharging the data warehouse while keeping costs down IBM Informix Warehouse Accelerator (IWA) delivers superior performance for in-memory analytics processing... Read
2 Aug 12 - channelbiz - Oninit Group launches Pay Per Pulse cloud-based service... Read
28 May 12 - Bloor - David Norfolk on the recent Informix benchmark "pretty impressive results"... Read
23 May 12 - DBTA - Informix Genero: A Way to Modernize Informix 4GL Applications... Read
9 Apr 12 - Mastering Data Management - Upping the Informix Ante: Advanced Data Tools... Read
22 Mar 12 - developerWorks - Optimizing Informix database access... Read
14 Mar 12 - BernieSpang.com - International Informix User Group set to meet in San Diego... Read
1 Mar 12 - IBM Data Management - IIUG Heads West for 2012 - Get ready for sun and sand in San Diego... Read
1 Mar 12 - IBM Data Management - Running Informix on Solid-State Drives.Speed Up Database Access... Read
26 Feb 12 - BernieSpan.com - Better results, lower cost for a broad set of new IBM clients and partners... Read
24 Feb 12 - developerWorks - Informix Warehouse Accelerator: Continuous Acceleration during Data Refresh... Read
6 Feb 12 - PRLOG - Informix port delivers unlimited database scalability for popular SaaS application ... Read
2 Feb 12 - developerWorks - Loading data with the IBM Informix TimeSeries Plug-in for Data Studio... Read
1 Feb 12 - developerWorks - 100 Tech Tips, #47: Log-in to Fix Central... Read
13 Jan 12 - MC Press online - Informix Dynamic Server Entices New Users with Free Production Edition ... Read
11 Jan 12 - Computerworld - Ecologic Analytics and Landis+Gyr -- Suitors Decide to Tie the Knot... Read
9 Jan 12 - planetIDS.com - DNS impact on Informix / Impacto do DNS no Informix... Read
8 Sep 11 - TMCnet.com - IBM Offers Database Solution to Enable Smart Meter Data Capture... Read
1 Aug 11 - IBM Data Management Magazine - IIUG user view: Happy 10th anniversary to IBM and Informix... Read
8 Jul 11 - Database Trends and Applications - Managing Time Series Data with Informix... Read
31 May 11 - Smart Grid - The meter data management pitfall utilities are overlooking... Read
27 May 11 - IBM Data Management Magazine - IIUG user view: Big data, big time ( Series data, warehouse acceleration, and 4GLs )... Read
16 May 11 - Business Wire - HiT Software Announces DBMoto for Enterprise Integration, Adds Informix. Log-based Change Data Capture... Read
21 Mar 11 - Yahoo! Finance - IBM and Cable&Wireless Worldwide Announce UK Smart Energy Cloud... Read
14 Mar 11 - MarketWatch - Fuzzy Logix and IBM Unveil In-Database Analytics for IBM Informix... Read
11 Mar 11 - InvestorPlace - It's Time to Give IBM Props: How many tech stocks are up 53% since the dot-com boom?... Read
9 Mar 11 - DBTA - Database Administration and the Goal of Diminishing Downtime... Read
2 Feb 11 - DBTAs - Informix 11.7 Flexible Grid Provides a Different Way of Looking at Database Servers... Read
27 Jan 11 - exactsolutions - Exact to Add Informix Support to Database Replay, SQL Monitoring Solutions... Read
25 Jan 11 - PR Newswire - Bank of China in the UK Works With IBM to Become a Smarter, Greener Bank... Read
12 Oct 10 - Database Trends and Applications - Informix 11.7: The Beginning of the Next Decade of IBM Informix... Read
20 Sep 10 - planetIDS.com - ITG analyst paper: Cost/Benefit case for IBM Informix as compared to Microsoft SQL Server... Read
20 Jul 10 - IBM Announcements - IBM Informix Choice Edition V11.50 helps deploy low-cost scalable and reliable solutions for Apple Macintosh and Microsoft Windows... Read
20 Jul 10 - IBM Announcements - Software withdrawal: Elite Support for Informix Ultimate-C Edition... Read
24 May 10 - eWeek Europe - IBM Supplies Database Tech For EU Smart Grid... Read
23 May 10 - SiliconIndia - IBM's smart metering system allows wise use of energy... Read
21 May 10 - CNET - IBM to help people monitor energy use... Read
20 May 10 - ebiz - IBM Teams With Hildebrand To Bring Smart Metering To Homes Across Britain... Read
19 May 10 - The New Blog Times - Misurare il consumo energetico: DEHEMS è pronto... Read
19 May 10 - ZDNet - IBM software in your home? Pact enables five-city smart meter pilot in Europe... Read
17 March 10 - ZDNet (blog) David Morgenstern - TCO: New research finds Macs in the enterprise easier, cheaper to manage than... Read
17 March 2010 - Virtualization Review - ...key components of Big Blue's platform to the commercial cloud such as its WebSphere suite of application ser vers and its DB2 and Informix databases... Read
10 February 2010 - The Wall Street Journal - International Business Machines is expanding an initiative to win over students and professors on its products. How do they lure the college crowd?... Read

End of Support Dates
IDS 11.10 - 30 Sep 2012
Subscribe to notifications

IIUG on Facebook IIUG on Twitter

[ Post Response ] [ Return to Index ] [ Read Prev Msg ] [ Read Next Msg ]

IDS Forum

Re: Odd situation - SETUID fail

Posted By: Jonathan Leffler
Date: Saturday, 4 April 2009, at 12:18 p.m.

On Fri, Apr 3, 2009 at 10:02, <cesar_inacio_martins@yahoo.com.br> wrote:
> This is a very specific and odd situation, I already discover the
> workaround (odd too), but I like to try understand the real origin of the
> problem, if anybody have a explanation, I appreciate..
> In small talk , the problem are with SETUID effect ( or not effect in this
> case).
> For me , appear be a Bug on OpenSuse (kernel or glibc).
> I install OpenSuse 11.1 on my new notebook and update the packages and
> patches,

Relatively unlikely to be a bug in OpenSuSE; that is an audacious
claim and would need more backing than what you've shown here (though
what you've shown is interesting).

> | cmartins@note-cim:~> uname -a
> | Linux note-cim 2.6.27.7-9-pae #1 SMP 2008-12-04 18:10:04 +0100 i686 i686
> i386 GNU/Linux
> | cmartins@note-cim:~> rpm -q glibc
> | glibc-2.9-2.11.1
>
> After that I install IDS 11.5 UC3 Developer Edition and try to initialize
> it with very basic configuration.
> When I execute the "oninit -iv" with user "informix" I got this (pay
> attention to ">" ):
>
> | informix@note-cim:~> oninit -ivy
> | Checking group membership to determine server run mode...succeeded
> | Reading configuration file
> '/opt/IBM/ids1150uc3de/etc/onconfig.idsmoon'...succeeded
>>| Creating /INFORMIXTMP/.infxdirs...FAILED

So, it appears that for some reason, oninit does not have sufficient
privileges to create /INFORMIXTMP.
I checked on my Solaris machine; if /INFORMIXTMP does not exist, it is
created. For some reason as yet unexplained, your system was unable
to create it.

> | Creating infos file
> "/opt/IBM/ids1150uc3de/etc/.infos.idsmoon"...succeeded
> | Linking conf file "/opt/IBM/ids1150uc3de/etc/.conf.idsmoon"...succeeded
> | Checking config parameters...succeeded
> | Writing to infos file...succeeded
> | Allocating and attaching to shared memory...succeeded
> | Creating resident pool 10570 kbytes...succeeded
> | Allocating 100016 kbytes for buffer pool of 2K page size...succeeded
> | Initializing rhead structure...succeeded
> | Initialization of Encryption...succeeded
> | tail: cannot open `$INFORMIXDIR/log/online.log' for reading: No such file
> or directory

You're supposed to have the online.log file already created before running IDS.

> | touch: cannot touch `/INFORMIXTMP/.idsmoon.alarm': No such file or
> directory

That's a consequential failure.

>>| awk: cmd. line:1: fatal: cannot open file `/INFORMIXTMP/.idsmoon.alarm'
>> for reading (No such file or directory)
>>| mv: cannot move `/tmp/.idsmoon.alarm_9782' to
>> `/INFORMIXTMP/.idsmoon.alarm': No such file or directory
>>| SENDER IS NULL NO MAIL WILL BE SENT
>>| /opt/IBM/ids1150uc3de/etc/alarmprogram.sh[517]:
>> /INFORMIXTMP/.idsmoon.alarm: cannot create [No such file or directory]

More consequential failures.

> | WARNING: server initialization failed, or possibly timed out (if -w was
> used).
> | Check the message log, online.log, for errors.
>
>
>
> Here is the log
>
> | informix@note-cim:/opt/IBM/ids1150uc3de/log> cat online.log
> | 17:33:43 IBM Informix Dynamic Server Started.
> | 17:33:43 Warning: The IBM IDS Developer Edition license restriction
> limits
> | 17:33:43 the total shared memory size for this server to 1048576 KB.
> | 17:33:43 The size has been reset to the limit to bring up the database
> server.
>>| 17:33:44 Could not disable priority aging: errno = 13
> | Wed Apr 1 17:33:44 2009
>>| 17:33:44 Error: Unable to reset open files limit, must run as super-user
> | 17:33:44 Event alarms enabled. ALARMPROG =
> '/opt/IBM/ids1150uc3de/etc/alarmprogram.sh'
>>| 17:33:44 Assert Failed: net_init.c, line 321, thread 1, errno=13, error
>> in creating /INFORMIXTMP.

errno 13 ENOPERM Permission denied.

> | 17:33:44 IBM Informix Dynamic Server Version 11.50.UC3DE
> | 17:33:44 Who: Session(0, @, 0, (nil))
> | Thread(1, main_thread, 0, 1)
> | File: neterrb.c Line: 658
> | 17:33:44 stack trace for pid 9819 written to
> /opt/IBM/ids1150uc3de/tmp/af.3e9cfa8
> | 17:33:44 See Also: /opt/IBM/ids1150uc3de/tmp/af.3e9cfa8,
> shmem.3e9cfa8.0
> | 17:33:47 neterrb.c, line 658, thread 1, proc id 9819, net_init.c, line
> 321, thread 1, errno=13, error in creating /INFORMIXTMP..
> | 17:33:47 PANIC: Attempting to bring system down

I'm not convinced that it should be giving an AF - that's a bug in
IDS. It can decide not to run; that's legitimate. But it should not
give an AF.

> Searching for errno 13 in the /usr/include/asm-generic/errno-base.h
> | #define EACCES 13 /* Permission denied */
>
> So, for me this appear be a problem with SETUID on binaries , but, when I
> look them , are all ok!
>
> | informix@note-cim:/opt/IBM/ids1150uc3de/log> ls -l $INFORMIXDIR/bin/on*
[...]
> | -rwsr-sr-- 1 root informix 15854167 2009-03-30 16:04
> /opt/IBM/ids1150uc3de/bin/oninit
[...]

Those are the correct permissions. Questions arising:
* Is the /opt file system mounted with SUID and SGID disabled?

> If I try initialize with "root" the /INFORMIXTMP is created , but others
> problems appears:
>
> | 17:39:29 IBM Informix Dynamic Server Version 11.50.UC3DE Software Serial
> Number AAA#B000000
> | 17:39:29 The chunk '/ifmxdados/L_rootdbs.ch1' must have owner-ID
> "informix" and group-ID "root".

That is an odd error message. Which group is listed for user informix
in the /etc/passwd file (or equivalent)? If the group is 0 rather
than informix, then you have 'officially' misconfigured your machine;
the primary group for user informix (the one listed in /etc/passwd)
must be group informix (because the server takes a short-cut and
assumes that the group listed in /etc/passwd for user informix is
group informix). It is a bug on my list of 'to be fixed one day - but
it does not hurt anyone'. However, the second half of the sentence
might be shown to be incorrect.

> Insisting to use with "root" , after change the group-id of the chunk ,
> apparently all appears works fine and the instance are initialized, when I
> try to use onstat with "informix" user, this occur:

> | informix@note-cim:~> onstat -
> | onstat: Shared memory: permission denied.
> |
> | root@note-cim:~# ipcs -mc
> | ------ Shared Memory Segment Creators/Owners --------
> | shmid perms cuid cgid uid gid
>>| 1343488 660 root root root root
>>| 1376257 660 root root root root

So the shared memory segments are created by root, not informix. And
SGID informix programs won't be able to attach to the shared memory.
The group problem could again be related to the password file entry.

> So, to resolve the situation I wrote the C code below , and finally , this
> way use the IDS on my note:

> | cmartins@note-cim:~/fontes/c> cat myexec.c
> | #include <stdio.h>
> | #include <unistd.h>
> | #include <stdlib.h>
> |
> | int main(int argc, char *argv[] ) {
> | if ( argc != 4 ) {
> | printf("\nInvalid Parameters!\nsyntax: [uid] [gid] [command]\n\n");
> | exit(1) ;
> | }
> | int i;
> | printf("argc = %i\n", argc );
> | for (i = 0 ; i <= argc-1 ; i++) printf("\targ %i = %s\n", i, argv[i]);
> |
> | printf( "\nSetting Effective UID = %s GID = %s\n", argv[1], argv[2]);
> | setregid(atoi(argv[2]),atoi(argv[2])); // define real/effective groups
> | //setreuid(0,atoi(argv[2])); // define effective user
> | printf("Effective / Real UID/GID defined:\n");
> | printf("uid=%i \t gid=%i \t euid=%i \t egid=%i \n\n", getuid(),
> getgid(), geteuid(), getegid());
> |
> | printf("Executing %s\n", argv[3] );
> | system(argv[3]);
> | }
> |
> | cmartins@note-cim:~/fontes/c> gcc myexec.c -o myexec
> | cmartins@note-cim:~/fontes/c> exit
> | logout
> |
> | root@note-cim:~# cp /home/cmartins/fontes/c/myexec /usr/local/bin
> | `/home/cmartins/fontes/c/myexec' -> `/usr/local/bin/myexec'
> | root@note-cim:~# chmod ug+s,o+rx /usr/local/bin/myexec
> | root@note-cim:~# ls -l /usr/local/bin/myexec
> | -rwsr-sr-x 1 root root 11099 2009-04-03 10:34 /usr/local/bin/myexec
> |
> | root@note-cim:~# . env.idsmoon
> | root@note-cim:~# id informix
> | uid=1001(informix) gid=1000(informix) groups=16(dialout),33(video),1000(informix)

That seems to deny the 'informix is listed in root group' theory.

It leaves us with:
* Is /opt a separate mounted file system with SUID and SGID disabled?
* Is there something weird about /INFORMIXTMP or the permissions (ACLs?) on /

Since you were creating and removing /INFORMIXTMP, it probably isn't
that. (To reproduce the crash, though, we may have to create a file
or device called /INFORMIXTMP so that the creation of
/INFORMIXTMP/.infxdirs fails.) Are you using ACLs at all? Could your
system be doing so without you knowing? Would ACLs prevent a
root-owned process from working?

Also, Linux has another UID, the fsuid or file system uid (see
setfsuid()). I wonder if that is being affected somehow?

Finally (for now), there are, I believe, some authority-based
mechanisms called capabilities
(http://linuxreviews.org/man/capabilities/) for controlling users. I
wonder if any of those are being applied to root, somehow?

> | root@note-cim:~# myexec 1001 1000 "oninit -iyv"
> | argc = 4
> | arg 0 = myexec
> | arg 1 = 1001
> | arg 2 = 1000
> | arg 3 = oninit -iyv
> |
> | Setting Effective UID = 1001 GID = 1000
> | Effective / Real UID/GID defined:
> | uid=0 gid=1000 euid=0 egid=1000
> |
> | Executing oninit -iyv
> | ...
>
> | informix@note-cim:~# ps -fC oninit
> | UID PID PPID C STIME TTY TIME CMD
>>| informix 5025 1 0 10:14 ? 00:00:12 oninit -iyv
> | root 5026 5025 0 10:14 ? 00:00:00 oninit -iyv
> | root 5027 5026 0 10:14 ? 00:00:00 oninit -iyv
> | root 5028 5026 0 10:14 ? 00:00:00 oninit -iyv
> | root 5029 5026 0 10:14 ? 00:00:00 oninit -iyv
> | root 5031 5026 0 10:14 ? 00:00:00 oninit -iyv
> | root 5032 5026 0 10:14 ? 00:00:00 oninit -iyv
> | root 5033 5026 0 10:14 ? 00:00:00 oninit -iyv
> | informix@note-cim:~# ipcs -mc
> |
> | ------ Shared Memory Segment Creators/Owners --------
> | shmid perms cuid cgid uid gid
>>| 1605632 660 root informix root informix
>>| 1638401 660 root informix root informix
> |
> | informix@note-cim:~> onstat -
> |
> | IBM Informix Dynamic Server Version 11.50.UC3DE -- On-Line -- Up 00:33:36
> -- 144144 Kbytes
>
> And to shutdown the instance I need to use the "myexec" otherwise if I try
> shut with "informix" user the shared memory is not released.
>
> So, anyone have a explanation for this???

Nothing definitive - lots of questions.

However, I stand by my initial observation - the problem is more
likely to be setup than a bug in the o/s per se. It is extremely
unlikely to be such a fundamental bug in the o/s.

At this point, I'm inclined to think that /opt may be mounted with
SUID and SGID disabled. But that's speculation. Check by running
'mount' (no arguments).

--
Jonathan Leffler #include <disclaimer.h>
Email: jleffler@earthlink.net, jleffler@us.ibm.com
Guardian of DBD::Informix v2008.0513 -- http://dbi.perl.org/
"Blessed are we who can laugh at ourselves, for we shall never cease
to be amused."
NB: Please do not use this email for correspondence.
I don't necessarily read it every week, even.
Bob Hope - "You know you are getting old when the candles cost more
than the cake."

[ Post Response ] [ Return to Index ] [ Read Prev Msg ] [ Read Next Msg ]

IDS Forum is maintained by Administrator with WebBBS 5.12.