Salesforce

CONNECT statement errors with 1136

Printable View
« Go Back

Information

 
TitleCONNECT statement errors with 1136
URL NameP17044
Article Number000117517
EnvironmentProgress 9.x
OpenEdge 10.x, 11.x
UNIX
Linux
Question/Problem Description
Error (1136) occurs when connecting to the database after having started the Progress client.

For example, by using the 4GL CONNECT statement or connecting to the database via the Data Dictionary.
Steps to Reproduce
Clarifying Information
Cannot connect to database using CONNECT statement.
Can connect from command line using mpro dbname.
The setuid bit is enabled for all progress executables ( _ files ) except for _waitfor and _sqlsrv2.
Error MessageSYSTEM ERROR: Shared memory access permission denied (1136)
Defect NumberDefect OE00085546
Enhancement Number
Cause
Database file permissions have not been set correctly.

This is expected behaviour and is the result of security changes made in 9.1D.  Additional protection has been placed on shared memory to protect our shared memory from attacks.
Resolution
Although the client has setuid on, the actual user of the process is changed from root to the actual user as soon as initial database connections have been performed.  All databases specified on the command line can be connected to because the client is running as root.

4GL program execution is performed after the process has been "downgraded" from root, i.e. they are NOT run as root.  If the user running the program
does not have access to the database he/she will not have access to the shared memory for that database. 

When a server is started, the ownership of the shared memory is changed so that it mimics the .db file.  This is a change from the 9.1B method.  If a regular user has full access to the .db file they will implicitly have full access to the shared memory for the database.  If a particular group has full access to a database and its shared memory, a member of that group may have full access as well.

There are a few potential solutions for this problem:

1. Specify all database names on the mpro command line using -db for each.
2. Grant a group rights to the database and make all users that need access to the database members of that group.
3. Use client/server to connect to the database in question.  Since a server is already connected to the database it has access to the shared memory.  

NOTE: Restart the database broker to make sure the permissions that are set for the database are the ones used by the broker process. 
Workaround
Notes
References to other documentation:

Progress Article(s):
Progress and UNIX Permissions
Keyword Phrase
Last Modified Date11/20/2020 7:36 AM
Powered by