Question about protection of raw partition and shared libraries 

I became the sysadmin of a system with Informix ON-LINE 4.0.
I was surprised to see that the protection of the raw partitions
for Informix are crw-rw-rw-.
They told me this was necessary to allow different users to access the
database.
        - This means everybody can see what is in the database.
        - What happens when someone enters the command :
                echo "Hello World" >/dev/informix_partition?
                (I think I know the answer : bye-bye database, pray
                 the Lord you have a recent backup ;-) )

My second surprise was when I saw the size of compiled 4GL code.
These are +/- 300K. So I went looking for a shared library for
Informix, but didn't find it. Can Informix use shared libraries?

Please don't respond by RTFM, I'm still searching for them, but want to
find solutions as quick as possible.

Mike.--
------------------------------------------------------------------------

tel    : +32 2 460.46.11    | that we in computer science keep fun in
Fax    : +32 2 460.56.50    | computing. ....               A.J. Perlis



Mon, 15 Aug 1994 08:03:49 GMT
 Question about protection of raw partition and shared libraries

Quote:

> I became the sysadmin of a system with Informix ON-LINE 4.0.
> I was surprised to see that the protection of the raw partitions
> for Informix are crw-rw-rw-.
> They told me this was necessary to allow different users to access the
> database.

Wrong!!!  the correct permissions for a raw informix partition are
crw-rw----  informix  informix

or:
 chmod 660 /dev/WHATEVER
 chown informix /dev/WHATEVER
 chgrp informix /dev/WHATEVER

Quote:
> My second surprise was when I saw the size of compiled 4GL code.
> These are +/- 300K. So I went looking for a shared library for
> Informix, but didn't find it. Can Informix use shared libraries?

That's not at all unusual.  We have executables >700K!
Are the executables stripped?  Have they been compiled with "-O"?

DAS
--

                                                               is db4glgen-3.4



Tue, 16 Aug 1994 10:01:09 GMT
 Question about protection of raw partition and shared libraries

Quote:

>I became the sysadmin of a system with Informix ON-LINE 4.0.
>I was surprised to see that the protection of the raw partitions
>for Informix are crw-rw-rw-.
>They told me this was necessary to allow different users to access the
>database.

You'll probably get a zillion responses to this, but let me just be one of
them.

The raw device needs only to be 660, but it should be owned by informix and
have group ownership informix.  

Quote:
>    - This means everybody can see what is in the database.

Well, if they're into reading bits and bytes.  Bleah!!

Quote:
>    - What happens when someone enters the command :
>            echo "Hello World" >/dev/informix_partition?
>            (I think I know the answer : bye-bye database, pray
>             the Lord you have a recent backup ;-) )

True enough.  That's why it should be 660.

Quote:
>My second surprise was when I saw the size of compiled 4GL code.
>These are +/- 300K. So I went looking for a shared library for
>Informix, but didn't find it. Can Informix use shared libraries?

Unfortunately not at this time.  What version of 4GL are you running?

Quote:
>Please don't respond by RTFM, I'm still searching for them, but want to
>find solutions as quick as possible.

All right then, FTFM (find the friendly manuals  :-)
Quote:

>Mike.--
>------------------------------------------------------------------------

>tel    : +32 2 460.46.11    | that we in computer science keep fun in
>Fax    : +32 2 460.56.50    | computing. ....               A.J. Perlis



Tue, 16 Aug 1994 09:52:05 GMT
 Question about protection of raw partition and shared libraries

Quote:

>I became the sysadmin of a system with Informix ON-LINE 4.0.
>I was surprised to see that the protection of the raw partitions
>for Informix are crw-rw-rw-.
>They told me this was necessary to allow different users to access the
>database.
>    - This means everybody can see what is in the database.
>    - What happens when someone enters the command :
>            echo "Hello World" >/dev/informix_partition?
>            (I think I know the answer : bye-bye database, pray
>             the Lord you have a recent backup ;-) )

Informix devices for online should be 660 with owner and group informix.

mark
--
mark jeske (informix consulting)

708-699-5850



Tue, 16 Aug 1994 09:25:41 GMT
 Question about protection of raw partition and shared libraries

Quote:

>I became the sysadmin of a system with Informix ON-LINE 4.0.
>I was surprised to see that the protection of the raw partitions
>for Informix are crw-rw-rw-.
>They told me this was necessary to allow different users to access the
>database.

>Please don't respond by RTFM, I'm still searching for them, but want to
>find solutions as quick as possible.

>Mike.--
>------------------------------------------------------------------------

>tel    : +32 2 460.46.11    | that we in computer science keep fun in
>Fax    : +32 2 460.56.50    | computing. ....               A.J. Perlis

The correct permissions for pathnames for OnLine chunks are 660, owner
and group "informix". The person who told you public needs read and
write permissions was wrong; only "informix" needs permissions, as that
is how the database level permissions are enforced. Giving read and
write on the device to public is a security risk, as you mentioned.

Craig



Tue, 16 Aug 1994 08:48:39 GMT
 Question about protection of raw partition and shared libraries
As has been mentioned, the permissions for the Informix raw devices should
be:  crw-rw----

The reason that this works is that tbinit is owned by root, group informix
and has the set-uid and set-gid bits turned on.  Thus when it runs, it has
the effective user-id of root and the effective group-id of informix so
that it can access the raw device without letting anybody else access it:

-rwsr-sr--   1 root     informix  366592 Sep 19  1991 /usr/informix/bin/tbinit




Tue, 16 Aug 1994 22:41:13 GMT
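
Added example, not part of any post in this thread: a shell check for the permissions the replies above agree on (mode 660, owner and group informix), which flags the world-readable and world-writable bits separately. It assumes GNU stat; `audit_chunk` is a name chosen here, and the device paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): audit OnLine chunk device permissions.
# Assumes GNU coreutils stat (-c format option).

# audit_chunk PATH [OWNER] [GROUP]
# Returns 0 when PATH is mode 660 and owned by OWNER:GROUP
# (default informix:informix), 1 on any finding, 2 if it cannot be read.
audit_chunk() {
    path=$1
    want_owner=${2:-informix}
    want_group=${3:-informix}
    rc=0

    # -L: judge a symlinked chunk pathname by the device it points to.
    info=$(stat -L -c '%a %U %G' "$path" 2>/dev/null) || {
        echo "$path: cannot stat"
        return 2
    }
    set -- $info
    mode=$1 owner=$2 group=$3

    # The leading 0 makes the shell read the mode string as octal.
    other=$(( 0$mode & 7 ))
    if [ $(( other & 2 )) -ne 0 ]; then
        echo "$path: world-writable ($mode): any user can overwrite the chunk"
        rc=1
    fi
    if [ $(( other & 4 )) -ne 0 ]; then
        echo "$path: world-readable ($mode): any user can read raw database pages"
        rc=1
    fi
    if [ "$mode" != 660 ]; then
        echo "$path: mode $mode, expected 660"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "$path: owned by $owner:$group, expected $want_owner:$want_group"
        rc=1
    fi
    return $rc
}

# Audit every path given on the command line, e.g. the chunk devices.
for dev in "$@"; do
    audit_chunk "$dev" || true
done
```
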
 Question about protection of raw partition and shared libraries

Quote:


>> My second surprise was when I saw the size of compiled 4GL code.
>> These are +/- 300K. So I went looking for a shared library for
>> Informix, but didn't find it. Can Informix use shared libraries?

>That's not at all unusual.  We have executables >700K!
>Are the executables stripped?  Have they been compiled with "-O"?

>DAS
>--

>                                                               is db4glgen-3.4


If you code your 4GL the way the examples are in the book, then huge code
should be expected.  However, if you use dynamic SQL statements and make
your functions generalized (like C), you can bring this WAY down.  Also, if
you look at the ESQL/C and C output of the 4GL compiler, it's no wonder code
gets so huge.  Just to increment a variable goes from a 4GL statement like
this:
        LET x1 = x1 + 1
to a C call like
        pushshort(x1);
        pushint(1);
        _doadd();
        popshort(&x1);
        status = _expcode;
        if (status < 0)
                /* * SQL SEES BLOCK BEGINNING */
                {
                fgl_fatal(fgl_modname, 4, status);
                /* * SQL SEES BLOCK ENDING */
        }

When obviously x1++ is much more efficient.  Write your programs so that
they're in 4GL where that is most useful, and C when that is most
efficient.  (Ah the price of portability)

If such large executables are a problem, you might think of using the
Pseudo compiler and runner.  Such programs are very small, though if you're
making C calls what a pain they are to put into the runner.

--

                                602-870-3330 X657



Thu, 18 Aug 1994 09:13:28 GMT
 Question about protection of raw partition and shared libraries

 writes, regarding code size of compiled 4GL programs:
Quote:
> ... Also, if
> you look at the ESQL/C and C output of the 4GL compiler, it's no wonder code
> gets so huge.  Just to increment a variable goes from a 4GL statement like
> this:
>    LET x1 = x1 + 1
> to a C call like
>    pushshort(x1);
>    pushint(1);
>    _doadd();
>    popshort(&x1);

--------------------------------
Quote:
>    status = _expcode;
>    if (status < 0)
>            /* * SQL SEES BLOCK BEGINNING */
>            {
>            fgl_fatal(fgl_modname, 4, status);
>            /* * SQL SEES BLOCK ENDING */

----------------------------------------

Quote:
>    }

You should note that the lengthy check of status after every
expression (marked off above) is not required. In 4.0 you can
turn it off by writing WHENEVER ERROR CONTINUE.  This can have
a dramatic effect on program size from 4.0 compiles.

In 4.1 every expression is no longer checked for status by
default.  The above status-check code is only generated in
4.1 when you have written WHENEVER ANY ERROR...



Sat, 20 Aug 1994 04:51:48 GMT
 