Security requirements for Linux and UNIX platforms

View a summary of the authorizations in a Linux® or UNIX® environment.

User is... Linux or UNIX domain
Creating a component
  • Member of mqbrkrs and mqm.
  • When root is used to issue the create command, it can nominate any user to run the component.
Installing
  • Superuser.
Uninstalling
  • Superuser.
Changing a component
  • Member of mqbrkrs.
Deleting a component
  • Member of mqbrkrs and mqm.
Starting a component, or verifying a broker or Configuration Manager
  • Member of mqbrkrs.
  • Member of mqm.
Stopping a component
  • Member of mqbrkrs.
  • The user ID must either be root, or the same as the user ID that started the component.
  • Member of mqm if -q is specified.
Listing a component
  • Member of mqbrkrs.
Changing, displaying, retrieving trace information.
  • Member of mqbrkrs.
Running User Name Server (login ID).
  • Member of mqbrkrs. The User Name Server runs under the login ID specified in the create command.
Running broker (WebSphere® MQ non-trusted application) (login ID).
  • Member of mqbrkrs.
  • The broker runs under the login ID that started it.
  • If root started the component then the broker runs under the login ID specified as the service ID in the create command.
Running broker (WebSphere MQ trusted application) (login ID).
  • Login ID must be mqm.
  • mqm must be a member of mqbrkrs.
Clearing, joining, listing WebSphere MQ publish/subscribe brokers.
  • Member of mqbrkrs.
Running publish/subscribe applications.
  • Any user, subject to topic and WebSphere MQ queue access control.

When the service user ID is root, all of the libraries loaded by the broker, including all of the user-written plug-in libraries and all of the shared libraries that they might access, also have root access to all of the system resources (for example, file sets). Review and assess the risk involved in granting this level of authorization.
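
The group rules in the table and the root warning above can be checked before a component is created or started. The script below is an added example, not IBM code; its function names, task keywords and sample accounts are assumptions, and it takes "Superuser" to mean uid 0.

```shell
#!/bin/sh
# Added example. Groups mqbrkrs and mqm come from the table; function names,
# task keywords and the sample accounts are assumptions made for illustration.

in_group() {    # in_group "<space-separated groups>" <group>
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# can_run <task> <uid> "<groups>": exit 0 if the table permits the task.
# "Superuser" is taken to mean uid 0. The stop rule "root, or the user ID
# that started the component" needs runtime state and is not checked here.
can_run() {
    case $1 in
        install|uninstall)
            [ "$2" -eq 0 ] ;;
        create|delete|start|stop-q)
            in_group "$3" mqbrkrs && in_group "$3" mqm ;;
        change|stop|list|trace)
            in_group "$3" mqbrkrs ;;
        *)
            return 2 ;;    # task is not one of the table rows encoded here
    esac
}

# audit_service_id <login> <uid> "<groups>" <trusted: yes|no>
# Prints findings for the ID a broker runs under; no output means none.
audit_service_id() {
    in_group "$3" mqbrkrs || echo "FAIL: $1 is not a member of mqbrkrs"
    if [ "$4" = yes ] && [ "$1" != mqm ]; then
        echo "FAIL: a trusted-application broker must run under login ID mqm"
    fi
    if [ "$2" -eq 0 ]; then
        echo "WARN: $1 is root; all libraries the broker loads get root access"
    fi
    return 0
}

# audit_local <login> <trusted>: same audit against the local account database.
audit_local() {
    audit_service_id "$1" "$(id -u "$1")" "$(id -Gn "$1")" "$2"
}

# Constructed sample accounts
audit_service_id wmbsvc 1201 "wmbsvc mqbrkrs mqm" no    # prints nothing
audit_service_id root 0 "root mqbrkrs" no               # prints the WARN line
```

On a live system, `audit_local <login> <yes|no>` feeds the same checks from `id -u` and `id -Gn`.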

Related concepts
Security for runtime resources: Access control lists
Related tasks
Configuring security for domain components
Setting up broker domain security
Enabling topic-based security
Related reference
mqsicreateaclentry command
mqsideleteaclentry command
mqsilistaclentry command

Copyright IBM Corporation 1999, 2009.
Last updated : 2009-01-07 15:22:49
