SQL/MX 2.x Installation and Management Guide (G06.24+, H06.03+)
Managing Database Applications
HP NonStop SQL/MX Installation and Management Guide—523723-004
Securing User Modules
If the USERMODULES directory already exists when the InstallSqlmx script is run
(for example, after Release 2.1 or Release 2.0 has already been installed), the script:
• Does not attempt to re-create the USERMODULES directory.
• Does not attempt to change ownership of the USERMODULES directory.
• Performs this OSS command:
chmod a+rwxt /usr/tandem/sqlmx/USERMODULES
After InstallSqlmx runs, you might want to perform some or all of these tasks:
1. To make sure that the sticky bit of the USERMODULES directory has been turned
on, enter:
ls -ld /usr/tandem/sqlmx/USERMODULES
The output should look like this:
drwxrwxrwt 1 SUPER.SUPER SUPER 4096 Apr 1 06:26 /usr/tandem/sqlmx/USERMODULES/
2. Only the SUPER.SUPER user can run InstallSqlmx, so the first default owner
of the USERMODULES directory is a known trusted user. If ownership changes
and you subsequently want to change the current owner of the USERMODULES
directory back to the SUPER.SUPER user, enter:
chown super.super /usr/tandem/sqlmx/USERMODULES
3. After you create a user module, make sure that only the module owner and the
trusted USERMODULES directory owner can modify, rename, or delete that
module. Enter:
chmod 0644 /usr/tandem/sqlmx/USERMODULES/globmod1
This command makes the module globmod1 readable and writable only by the
owner and readable by others.
4. Alternatively, the SUPER.SUPER user can make sure that all modules can be
written to only by their respective owners by entering:
chmod 0644 /usr/tandem/sqlmx/USERMODULES/*
5. Make sure that all future modules that you create are writable only by you or the
USERMODULES directory owner by entering:
umask 022
Regardless of the current umask settings, this command makes module files (and
OSS files in general) that the user creates readable by all but writable only by the
module owner and creator.
6. Put this command into the shell script you use to invoke the SQL/MX compiler:
umask 022
mxcmp "$@"
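
The checks in steps 1 through 4, collected into one audit function as an added example (not part of the HP guide). The function name audit_usermodules and its output tags are hypothetical; it reads the mode string from ls -ld, as step 1 does, and the optional second argument is the expected directory owner.

```shell
#!/bin/sh
# Added example, not from the HP guide. audit_usermodules and the
# NO_STICKY / BAD_OWNER / WRITABLE tags are hypothetical names.

# Print the 10-character mode string of a path, e.g. drwxrwxrwt
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# usage: audit_usermodules DIR [EXPECTED_OWNER]
# Prints one line per finding; returns 0 only when there are none.
audit_usermodules() {
    dir=$1
    want_owner=${2:-}
    findings=0

    # Step 1: sticky bit is 't' (or 'T' without other-execute) in column 10
    m=$(mode_of "$dir")
    case $m in
        d????????[tT]) ;;
        *) echo "NO_STICKY $dir ($m)"; findings=$((findings + 1)) ;;
    esac

    # Step 2: directory owner (third field of ls -ld), if one was given
    if [ -n "$want_owner" ]; then
        owner=$(ls -ld "$dir" | awk '{print $3}')
        if [ "$owner" != "$want_owner" ]; then
            echo "BAD_OWNER $dir ($owner)"; findings=$((findings + 1))
        fi
    fi

    # Steps 3-4: no module may be writable by group (col 6) or others (col 9)
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fm=$(mode_of "$f")
        case $fm in
            ?????w????|????????w?)
                echo "WRITABLE $f ($fm)"; findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ]
}
```

To audit the real directory, call: audit_usermodules /usr/tandem/sqlmx/USERMODULES SUPER.SUPER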