Informix

AIX starting informix as root issues

  • 1.  AIX starting informix as root issues

    Posted Fri February 26, 2021 03:23 PM
    Hi,

    I am working with Informix 12.10.FC13 on AIX 7.2 TL3 (7200-03-03-1914) and all is running fine.
    Informix is started with the machine in rc2.d, so it is started with the root account.

    Some days ago, an OS level was applied: TL5 (7200-05-01-2038).

    Since then, some system calls made by Informix are in error:
    - when starting, error with priority : 02/25/21 16:35:51 VP pid=5702302 cannot change priority, errno=1
    - errors in SYSTEM calls inside stored procedures (error 668), tested with a simple 'SYSTEM "sleep 2";'
    - error while using netrc file on application side (was working before):
    02/19/21 14:59:38 Password Validation for user [vega] failed!
    02/19/21 14:59:38 Check for password aging/account lock-out.
    02/19/21 14:59:38 listener-thread: err = -952: oserr = 0: errstr = vega@cfrsv50251003ap.p2-eu.saint-gobain.net[CFRSV50251003AP]: User (vega@cfrsv50251003ap.p2-eu.saint-gobain.net[CFRSV50251003AP])'s password is not correct for the database server.


    As a workaround, we found that restarting Informix using the informix account instead of root solved all issues.

    Does somebody know this kind of issue?

    Regards

    Jeff

    ------------------------------
    jean-francois BOUDRY
    ------------------------------


  • 2.  RE: AIX starting informix as root issues

    Posted Mon March 01, 2021 04:55 AM

    We received an answer from IBM.

    So be careful if you are using Informix on AIX 7.2 and want to install TL5.

    There was a change in 7.2 TL5 (all current SPs) in the behavior of the setreuid() function to adhere to Unix10 standards. Basically, it limited the ability to switch from root to a non-root UID and then back to root as per the standards (and as per our manpage):
     

    https://www.ibm.com/support/knowledgecenter/ssw_aix_72/s_bostechref/setuid.html

     

    Under setreuid: If both the real user ID and effective user ID are changed, the saved user ID is set to the new effective user ID. Note that this change results in a loss of original privileges.
     

    Unfortunately this change was a bit too aggressive in that it also prevented one from switching back when a UID of -1 was specified and prevented setreuid() from switching back to root when it should have been allowed (e.g. when one or the other [ruid or euid] should have still allowed this operation). The ifix corrects this overly restrictive behavior.

    It currently has not yet been assigned an APAR number, but we are expecting this to occur shortly. For now we would like you to try the ifix with Informix to see if it resolves the issue. We are expecting it will, as once you are able to switch back to euid=root with setreuid(), the functions that are failing later with EPERM should be allowed.

    Please let us know if you have any additional questions or concerns with this.



    ------------------------------
    jean-francois BOUDRY
    ------------------------------
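
The distinction drawn in the reply above (a temporary drop of the effective UID versus changing both IDs) can be followed in a small model. This is an added example, not code from the thread, IBM or Informix: it is a simplified user-space model of the rule quoted from the manpage plus the usual unprivileged permission check, and the UID 200 and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#define KEEP     (-1)  /* setreuid() argument meaning "leave unchanged" */
#define ROOT     0
#define INFORMIX 200   /* constructed UID, an assumption for this example */
struct cred { int ruid, euid, suid; };

/* Simplified model of setreuid() (group IDs ignored): returns 0 on success,
 * -1 where the real call would fail with EPERM. */
int model_setreuid(struct cred *c, int ruid, int euid)
{
    int new_r = (ruid == KEEP) ? c->ruid : ruid;
    int new_e = (euid == KEEP) ? c->euid : euid;
    if (c->euid != ROOT) {
        /* Unprivileged caller: the real UID may become the current real or
         * effective UID; the effective UID may become real, effective or saved. */
        if ((new_r != c->ruid && new_r != c->euid) ||
            (new_e != c->ruid && new_e != c->euid && new_e != c->suid))
            return -1;
    }
    /* Rule quoted in the post: when both IDs are changed, the saved UID is
     * set to the new effective UID and the original privilege is lost. */
    if (ruid != KEEP && euid != KEEP)
        c->suid = new_e;
    c->ruid = new_r;
    c->euid = new_e;
    return 0;
}

/* Temporary drop: only the effective UID changes, then switch back to root. */
int temporary_drop_can_return(void)
{
    struct cred c = { ROOT, ROOT, ROOT };
    model_setreuid(&c, KEEP, INFORMIX);
    return model_setreuid(&c, KEEP, ROOT) == 0 && c.euid == ROOT;
}

/* Full drop: real and effective UID both change, then try to switch back. */
int full_drop_can_return(void)
{
    struct cred c = { ROOT, ROOT, ROOT };
    model_setreuid(&c, INFORMIX, INFORMIX);
    return model_setreuid(&c, KEEP, ROOT) == 0;
}

int main(void)
{
    printf("temporary drop -> root: %s\n", temporary_drop_can_return() ? "allowed" : "EPERM");
    printf("full drop -> root: %s\n", full_drop_can_return() ? "allowed" : "EPERM");
    return 0;
}
```

The reply describes TL5 without the ifix as refusing the switch back even when -1 was specified, which is the case this model allows.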



  • 3.  RE: AIX starting informix as root issues

    Posted Mon March 01, 2021 08:27 AM

    We haven't tested that specifically, but running as user informix is security best practice anyway.