SQL/MX 3.2.1 Management Manual (H06.26+, J06.15+)
Securing Globally Placed Modules
You secure globally placed modules from the /usr/tandem/sqlmx/USERMODULES directory.
The objective should be to assign the responsibility and accountability for safeguarding the integrity
of each globally placed module to its own creator and owner.
CAUTION: Only trusted accounts should be given write access to the directory
/usr/tandem/sqlmx/USERMODULES. If access is not restricted, you can potentially put the
security of your system at risk, because users can alter query plans in modules or remove modules.
Proper security of the USERMODULES directory requires that:
• The owner of the USERMODULES directory be a trusted user
• The sticky bit of the USERMODULES directory be set
• The compiled user modules be writable only by the owner
When you install NonStop SQL/MX on a node, the SUPER.SUPER (super ID) user runs the
InstallSqlmx script to initialize NonStop SQL/MX and perform the other tasks described in
SQL/MX Installation and Upgrade Guide. To secure user modules, the InstallSqlmx script
automatically:
• Creates the USERMODULES directory by issuing the OSS command:
mkdir -p /usr/tandem/sqlmx/USERMODULES
• Changes the permission bits on the USERMODULES directory so that ordinary users can freely
create their own user modules by issuing the OSS command:
chmod a+rwxt /usr/tandem/sqlmx/USERMODULES
The t permission option sets the sticky bit on the USERMODULES directory,
which restricts file deletion and alteration there.
If the USERMODULES directory already exists when you run the InstallSqlmx script (for example,
after SQL/MX Release 3.2 has already been installed), the script:
• Does not attempt to re-create the USERMODULES directory.
• Does not attempt to change ownership of the USERMODULES directory.
• Performs this OSS command:
chmod a+rwxt /usr/tandem/sqlmx/USERMODULES
After InstallSqlmx runs, you might want to perform some or all of these tasks:
1. To make sure that the sticky bit of the USERMODULES directory has been turned on, enter:
ls -ld /usr/tandem/sqlmx/USERMODULES
The output should look like this:
drwxrwxrwt 1 SUPER.SUPER SUPER 4096 Apr 1 06:26 /usr/tandem/sqlmx/USERMODULES/
2. Only the SUPER.SUPER user can run InstallSqlmx, so the first default owner of the
USERMODULES directory is a known trusted user. If ownership changes and you subsequently
want to change the current owner of the USERMODULES directory back to the SUPER.SUPER
user, enter:
chown super.super /usr/tandem/sqlmx/USERMODULES
3. After you create a user module, make sure that only the module owner and the trusted
USERMODULES directory owner can modify, rename, or delete that module. Enter:
chmod 0644 /usr/tandem/sqlmx/USERMODULES/globmod1
This command makes the module globmod1 readable and writable by its owner and
read-only for all other users.
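The three requirements listed above (trusted directory owner, sticky bit set, modules writable only by their owner) can be checked in one pass. The shell function below is an added example, not part of the manual or of the InstallSqlmx script; the name audit_usermodules is hypothetical, and it assumes a POSIX shell with ls, awk, and find available.

```shell
#!/bin/sh
# Added example (not from the manual): audit a module directory against the
# three requirements listed above. TRUSTED_OWNER is whatever "ls -ld" shows
# for the trusted account (SUPER.SUPER on the system the manual describes).
# Usage: audit_usermodules DIR TRUSTED_OWNER
# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
audit_usermodules() {
    dir=$1
    trusted=$2
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi

    # Field 1 of "ls -ld" is the mode string, field 3 is the owner.
    mode=$(ls -ld "$dir" | awk '{print $1}')
    owner=$(ls -ld "$dir" | awk '{print $3}')

    # Requirement 1: the directory owner is the trusted user.
    if [ "$owner" != "$trusted" ]; then
        echo "FAIL: $dir is owned by $owner, expected $trusted"
        rc=1
    fi

    # Requirement 2: sticky bit set (10th mode character is t or T).
    case $mode in
        d????????[tT]*) ;;
        *) echo "FAIL: sticky bit not set on $dir (mode $mode)"; rc=1 ;;
    esac

    # Requirement 3: no module is writable by group or others.
    loose=$(find "$dir" -type f \( -perm -020 -o -perm -002 \))
    if [ -n "$loose" ]; then
        echo "$loose" | while IFS= read -r f; do
            echo "FAIL: $f is writable by group or others; chmod 0644 it"
        done
        rc=1
    fi

    return $rc
}

# Run the audit when called with both arguments, for example:
#   sh audit.sh /usr/tandem/sqlmx/USERMODULES SUPER.SUPER
if [ $# -eq 2 ]; then
    audit_usermodules "$1" "$2"
fi
```

A nonzero return means at least one requirement is not met; each FAIL line names the directory or module to correct with the chown or chmod commands shown in the steps above.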