SQL/MX 2.x Installation and Management Guide (G06.24+, H06.03+)
Managing Database Applications
HP NonStop SQL/MX Installation and Management Guide—523723-004
mxcmp
-g moduleGlobal | -g moduleLocal
To maintain compatibility with C, C++, and COBOL applications created in earlier
releases, the Release 2.1 or Release 2.0 SQL compiler produces a globally placed
module unless instructed to produce a locally placed module.
For more information about generating locally placed modules or globally placed
modules in a C, C++, or COBOL programming environment, including full command
syntax examples, see the SQL/MX Programming Manual for C and COBOL.
Securing User Modules
Because the SQL/MX executor runs in privileged mode and runs query plans in the
compiled user modules, it is important to properly control access to globally placed
modules and locally placed modules.
Securing Globally Placed Modules
You secure globally placed modules from the /usr/tandem/sqlmx/USERMODULES
directory. The objective should be to assign the responsibility and accountability for
safeguarding the integrity of each globally placed module to its own creator and owner.
Proper security of the USERMODULES directory requires that:
• The owner of the USERMODULES directory be a trusted user
• The sticky bit of the USERMODULES directory be set
• The compiled user modules be writable only by the owner
When you install NonStop SQL/MX on a node, the SUPER.SUPER (super ID) user
runs the InstallSqlmx script to initialize NonStop SQL/MX and perform the other
tasks described in The Phases of InstallSqlmx on page 3-23. To secure user modules,
InstallSqlmx automatically:
• Creates the USERMODULES directory by issuing the OSS command:
    mkdir -p /usr/tandem/sqlmx/USERMODULES
• Changes the permission bits on the USERMODULES directory so that ordinary
  users can freely create their own user modules by issuing the OSS command:
    chmod a+rwxt /usr/tandem/sqlmx/USERMODULES
  Specifying the t permission argument option sets the sticky bit for the
  USERMODULES directory, which restricts file deletion and alteration there.
Caution. Only trusted accounts should be given write access to the directory
/usr/tandem/sqlmx/USERMODULES. If access is not restricted, you can potentially put the
security of your system at risk, because users can alter query plans in modules or remove
modules.
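The following script is an added example, not part of the HP guide or of InstallSqlmx: it audits a module directory against the three requirements listed above (trusted owner, sticky bit set, modules writable only by their owner) using the POSIX ls, awk and find utilities. The function names and the TRUSTED_OWNER argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a module directory against the guide's three requirements.
# Usage (assumed invocation): sh audit_usermodules.sh DIR TRUSTED_OWNER
# TRUSTED_OWNER is the owner name exactly as `ls -l` prints it on your system.

# Mode string and owner as reported by ls -ld (for example drwxrwxrwt).
mode_of()  { ls -ld "$1" | awk '{print $1}'; }
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# Succeeds when the directory's sticky bit is set (t or T in the last mode slot).
has_sticky() {
    case $(mode_of "$1") in
        d????????[tT]*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Lists regular files that group or other can write,
# that is, modules that are not "writable only by the owner".
loose_modules() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print
}

# Runs all three checks, prints findings, returns 0 only if every check passes.
audit_modules() {
    dir=$1; trusted=$2; rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 2; }
    has_sticky "$dir" || { echo "FAIL: sticky bit not set on $dir"; rc=1; }
    owner=$(owner_of "$dir")
    [ "$owner" = "$trusted" ] || { echo "FAIL: $dir owned by $owner, expected $trusted"; rc=1; }
    loose=$(loose_modules "$dir")
    [ -z "$loose" ] || { echo "FAIL: writable by group or other:"; echo "$loose"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: $dir passes all three checks"; fi
    return "$rc"
}

# Run the audit only when both arguments are supplied.
if [ "$#" -eq 2 ]; then audit_modules "$1" "$2"; fi
```

Run it against /usr/tandem/sqlmx/USERMODULES with the owner you expect; a nonzero exit status means at least one requirement is not met.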