The information contained in this solution allows the system administrator to maintain security at the UNIX level in the event that users have access to the operating system shell. In order for users to start a multi-user session for Progress, the following permissions should be maintained.
The Progress executables are stored in the bin subdirectory of the Progress installation directory. Upon a new installation, ownership and permissions are correct. After the installation of a Patch or Service Pack it's important that those are reset to their correct value, as the installation may alter them depending on the UMASK. Incorrect ownership and/or permissions can cause abnormal/unexpected behavior in the product. One of the first troubleshooting steps should be to always validate the ownership and permissions of all Progress executables are correct. The following permissions are provided as a general guideline. Security at the UNIX level can be tailored to site specific requirements and must be fully tested to assure execution and access to the OpenEdge Application environment is assured.
Progress executables:
The Progress executables should have read, write, and leverage of the group permissions for all the users that need access to the database files. If cannot use group permissions, consider the root to be the owners of the executables and enable setuid bit for users who are member of sudoer. This is accomplished with the following steps:
1. Log in as root or switch user to root
2. Move to the $DLC/bin directory
3. Change Ownership and permissions:
$ chown root _*
$ chmod 4755 _*
$ chmod 755 _sql*
$ chmod 755 _waitfor
An example of what the executable bits will look like:
-rwsr-xr-x 1 root sys 458926 Nov 13 2013 _mprosrv
-rwsr-xr-x 1 root sys 508210 Nov 13 2013 _mprshut
-rwsr-xr-x 1 root sys 1450549 Nov 13 2013 _progres
-rwsr-xr-x 1 root sys 823434 Nov 13 2013 _proutil
-rwxr-xr-x 1 root sys 8925383 Nov 13 2013 _sqlsrv2
-rwxr-xr-x 1 root sys 2040570 Nov 13 2013 _sqlload
-rwxr-xr-x 1 root sys 2045979 Nov 13 2013 _sqlschema
-rwxr-xr-x 1 root sys 96283 Nov 9 2013 _waitfor
The first position tells what kind of file it is:
If the file is defined as a normal or unknown file, it has a "-". Other file types are:
d - directory file
l - link file
t - link permission for directories
- The next 3 letters are permissions for the user.
- The next 3 letters are permissions for the user group.
- The next 3 letters are permissions for the other group (all users).
The first column shows permissions for the file:
r - read permission
w - write permission
x - execute permission
s - setuid bit set
The setuid bit:
- The setuid bit allows the user that executes the file to take on the permissions of the owner of the files while running executables.
- This allows individual users access to the database files while in Progress, but they cannot delete the files when in the UNIX shell.
- Further discussion and clarification from the OpenEdge perspective, are provided in the following Articles:
OpenEdge Database files:
To prevent users from deleting database files the following permissions are recommended. These pertain to connecting to the database and also using the "CONNECT" 4GL statement:
Permissions to the Directory where the database resides:
- The Directory should belong to root and have read, write, and execute permissions.
- The group should be set to the group assigned to the database users and should have read and execute permissions only.
- Other users should have no permissions set.
Example: Database Directory permissions:
drwxr-x--- 2 root support 1024 Nov 10 09:49 <directoryname>
Permissions to the database files:
- Database files (.db, .bi, .ai, .d etc) should be read and write only.
- Root should be the owner of the files
- The group should be set to the group assigned to the database users.
Example: Database File permissions:
drwxr-x--- 2 root support 1024 Nov 10 10:18 .
drwxrwxrwx 8 root root 1 024 Nov 10 09:49 ..
-rw-rw---- 1 root support 2228224 Dec 2 16:50 demo.b1
-rw-rw---- 1 root support 770048 Dec 2 16:50 demo.d1
-rw-rw---- 1 root support 32768 Dec 2 16:50 demo.db
-rw-rw---- 1 root support 443 Dec 2 16:50 demo.lg
-rw-rw---- 1 root support 31 Dec 2 16:50 demo.st
- The "." signifies the current working directory.
- The ".." signifies the parent directory or next higher directory.
With these permissions set:
- The combination of executable permissions and database permissions provides full functionality as well as the ability to provide security where needed..
- Only the root user and all users who are part of the group may access the database
- Only root can modify or delete the files from the UNIX shell (due to the directory permissions).
When the "CONNECT" statement is used with the use of a networked connection (using the -S and -H parameters), turning on read and write permissions for "other" is then not needed. Read and write for "owner" will then suffice.
Enabling 'other' people access to the database files is possible but if tighter security is needed then only allow database access to people who are part of the specified group.
