Wrong owner on symlinks make IBM DB2's administrative server fail

Bug #853750 reported by Numérigraphe
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
db2exc (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

On db2exc 9.7.4-0lucid3, the init script tries to start the administration instance by:
- su-ing to the admin instance user
- calling "db2admin", which is in ~/das/bin/db2admin, which is in the PATH
This fails with the message "-su: das/bin/db2admin: Permission denied".
Calling /opt/ibm/db2/V9.7/das/bin/db2admin does not fail.
The kernel log reports "non-matching-uid symlink following attempted in sticky world-writable directory".
I think it's because:
- ~/das/bin is a symbolic link owned by root
- but ~/das has the sticky bit, so only root can follow the symbolic link

The same problem exists for several other symbolic links in ~/das/: conv function java lib msg
So maybe the whole administration instance is not installed using the right UID ?

Lionel Sausin

summary: - Wrong owner on symlink make administrative instance fail to start
+ Wrong owner on symlink make IBM DB2's administrative instance fail to
+ start
summary: - Wrong owner on symlink make IBM DB2's administrative instance fail to
- start
+ Wrong owner on symlinks make IBM DB2's administrative fail
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote : Re: Wrong owner on symlinks make IBM DB2's administrative fail

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in db2exc (Ubuntu):
status: New → Confirmed
summary: - Wrong owner on symlinks make IBM DB2's administrative fail
+ Wrong owner on symlinks make IBM DB2's administrative server fail
Revision history for this message
Kees Cook (kees) wrote :

Thanks for the report. However, on a regular installation, das is not sticky, and bin is not a symlink. None of the directories that I can see are sticky ("find /opt -perm +1000" returns nothing).

Changed in db2exc (Ubuntu):
status: Confirmed → Invalid
Revision history for this message
KWAndi (lst-hoe01) wrote :

This happens on a stock Ubuntu 12.04 LTS (32Bit) with db2exc installed from partner repository. In Ubuntu 10.04 LTS the owner/settings are the same but there is no permission denied...

Changed in db2exc (Ubuntu):
status: Invalid → Confirmed
Revision history for this message
Miles Huang (huang-miles) wrote :

Confirm this issue exists for Ubuntu 12.04 LTS (64Bit) too, with db2exc package from partner repository.
As workaround, drop symbolic links create by root and create them back by user dasusr1:
Login as dasusr1
cd adm
rm bin conv function java lib msg
ln -s /opt/ibm/db2/V9.7/das/bin bin
ln -s /opt/ibm/db2/V9.7/das/conv conv
ln -s /opt/ibm/db2/V9.7/das/function function
ln -s /opt/ibm/db2/V9.7/das/java java
ln -s /opt/ibm/db2/V9.7/das/lib lib
ln -s /opt/ibm/db2/V9.7/das/msg msg

Revision history for this message
Miles Huang (huang-miles) wrote :

correction:
Wrong directory.
cd adm
should be:
cd das

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.