| Author |
Message
|
| sunny_30 |
 Posted: Wed Jul 23, 2014 8:01 am Post subject: Can chlauth prevent altusr as mqm |
 |
|
Master
Joined: 03 Oct 2005
Posts: 258
|
If the QM is assigned altusr access for a non-admin MCA user (set on svrconn chl), can the client application be able to alternate user to mqm to gain MQ-admin access ?
In that case, IF there is a Chlauth rule, to prevent *MQADMIN access, will it prevent such a scenario from happening? |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Wed Jul 23, 2014 4:08 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20767
Location: LI,NY
|
What have you tried, what were the results? 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| sunny_30 |
| Posted: Wed Jul 23, 2014 9:16 pm Post subject: |
|
|
Master
Joined: 03 Oct 2005
Posts: 258
|
| Hi. I work on the admin side and wasnt really able to write a program to try the altusr part. Thats why I asked the question here to see if anyone knows |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Thu Jul 24, 2014 3:07 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7723
|
Do yourself a favor and get MO71 from MQGem. Even if you have to pay for a single user license from your own pocket. It will make you a better MQ Admin - promise.
One of the features is an MQ API Exercisor that allows you to pretend to be an app and set every and I mean every option for every MQ API call. I use it often to see how an app would react. You could use this to answer your question, which is a very good question by the way.
I was going to respond by posting a link that addresses your question, but I could not find anything. My feeling is that CHLAUTH rules are used on the connection by the channel. Once you are connected, CHLAUTH is no longer involved. So by the time you choose to use altuser on the MQOPEN call, CHLAUTH has no role. I'm only about 90% confident in this answer, though.
I think this is a good question that should be specifically addressed by IBM by either a Technote or an update to the Knowledge Center. But a post from Morag will suffice too 
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| mqjeff |
| Posted: Thu Jul 24, 2014 4:54 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
I agree with Peter that CHLAUTH only applies at MQCONN, not any time after that.
So if you connect as User ABC, and then use altusr to send messages to the command server queue as user MQM with altusr, then the only thing that would stop you doing that is AUTHRECs/setmqaut.
I thought the general opinion was that altusr was a bad idea and it should be disabled as a rule? |
|
| Back to top |
|
|
| exerk |
| Posted: Thu Jul 24, 2014 5:00 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| mqjeff wrote: |
| ...I thought the general opinion was that altusr was a bad idea and it should be disabled as a rule? |
According to the Security Redbook, "...The following OAM authorities should not be granted for security profiles on objects that are used by applications..." and lists +altusr as one of them, although it does qualify it with a legitimate scenario as to why it can be used, but limited to only those queues requiring it; I certainly wouldn't allow it to any SYSTEM queues!
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| jcv |
| Posted: Mon Sep 22, 2014 12:05 pm Post subject: |
|
|
Chevalier
Joined: 07 May 2007
Posts: 411
Location: Zagreb
|
| How would you actually limit that? If you grant that permission it can be used for opening any queue on a qmgr. |
|
| Back to top |
|
|
| jcv |
| Posted: Mon Sep 22, 2014 9:48 pm Post subject: |
|
|
Chevalier
Joined: 07 May 2007
Posts: 411
Location: Zagreb
|
| I mean for non admin users that you let in via shared memory. The answer to the original chlauth question I will check soon by myself as suggested by Peter via api excersizer. |
|
| Back to top |
|
|
| hughson |
| Posted: Tue Sep 23, 2014 2:23 am Post subject: Re: Can chlauth prevent altusr as mqm |
|
|
Padawan
Joined: 09 May 2013
Posts: 1967
Location: Bay of Plenty, New Zealand
|
| sunny_30 wrote: |
If the QM is assigned altusr access for a non-admin MCA user (set on svrconn chl), can the client application be able to alternate user to mqm to gain MQ-admin access ?
In that case, IF there is a Chlauth rule, to prevent *MQADMIN access, will it prevent such a scenario from happening? |
The CHLAUTH BLOCKUSER *MQADMIN rule blocks any connection time setting that ends up with MCAUSER set to a privileged user. If your resultant MCAUSER is granted +altusr or indeed +all, this does not constitute it being privileged.
Use of AlternateUser Authority happens on an MQOPEN or MQSUB, which is long after the connection has been made, and as a result CHLAUTH rules have already done their job.
Happily, the setting of +altusr is something that you have control over at the queue manager and can avoid granting it to users that don't require it.
As a z/OS user, I much prefer the way alternate user works on that platform, in that you have alternate user authority to pretend to be a particular user, not to be any user, i.e. you have access to profile called
| Code: |
| qmgr.ALTERNATE.USER.userid |
I wonder if there are any RFEs for that same feature on the distributed platforms?
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| exerk |
| Posted: Tue Sep 23, 2014 3:31 am Post subject: Re: Can chlauth prevent altusr as mqm |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Hughson wrote: |
| ...I wonder if there are any RFEs for that same feature on the distributed platforms? |
Is that a hint? 
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| hughson |
| Posted: Tue Sep 23, 2014 3:33 am Post subject: Re: Can chlauth prevent altusr as mqm |
|
|
Padawan
Joined: 09 May 2013
Posts: 1967
Location: Bay of Plenty, New Zealand
|
| exerk wrote: |
| Hughson wrote: |
| ...I wonder if there are any RFEs for that same feature on the distributed platforms? |
Is that a hint? |
I couldn't possibly comment
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| smdavies99 |
| Posted: Tue Sep 23, 2014 3:40 am Post subject: |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
Shouldn't that be
Nudge, nudge, wink, wink, say no more?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
| jcv |
| Posted: Tue Sep 23, 2014 9:32 am Post subject: |
|
|
Chevalier
Joined: 07 May 2007
Posts: 411
Location: Zagreb
|
Perhaps they could have implemented altusr on a queue level, instead of on a qmgr level, or with possibility to actually control which alternate user is set
(to prevent elevation of privileges). Although I don't know would that change anything with respect to recommendations given in that Security Redbook:
"Avoid use of put authority context on channels" and "Avoid alternate user ID" |
|
| Back to top |
|
|
| JosephGramig |
| Posted: Tue Sep 23, 2014 10:45 am Post subject: |
|
|
Grand Master
Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA
|
I'm pretty sure altusr only allows the reduction of privileges from the effective user to the alternate one (you could test this).
For instance, a channel will run as mqm (or the service ID of MQ) but if you put an ID in the MCAUSER, that is used as an alternate ID and will only do what that ID is authorized to do. Not what mqm can do.
Example 1 |
|
| Back to top |
|
|
| hughson |
| Posted: Tue Sep 23, 2014 12:00 pm Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1967
Location: Bay of Plenty, New Zealand
|
| jcv wrote: |
Perhaps they could have implemented altusr .... with possibility to actually control which alternate user is set
(to prevent elevation of privileges). |
This is the way z/OS MQ has it - see my earlier post. 
| JosephGramig wrote: |
| For instance, a channel will run as mqm (or the service ID of MQ) but if you put an ID in the MCAUSER, that is used as an alternate ID and will only do what that ID is authorized to do. Not what mqm can do. |
In fact, the setting of the MCAUSER for a channel to run under is not done using alternate user ID. Alt user is used when PUTAUT(CTX) is set, but the general running as the MCAUSER isn't done with that.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
|
|
