How to run Informix as a normal/unprivileged "informix" user?

comp.databases.informix

#1 kdobrev@gmail.com - 10-22-2007, 10:23 AM

By default the user informix is in the administrators group, which is a
security hole. If somebody compromises the database he will have an
administrative account for the whole server.

My question is how do I run Informix IDS (10) when the informix user
is member of the Users group, but not of the Administrators?

Thanks in advance.


#2 Manoj Mohan - 10-22-2007, 10:32 AM

By default informix is DBSA (group of the $INFORMIXDIR/etc dir).
If you enable role separation then you can set any group to be your DBSA
and all the members of that group will be able to bring up the engine.

Let me know if you need more information on this; otherwise you can refer to
the role separation documentation.

Regards,
Manoj



#3 Art S. Kagel - 10-22-2007, 11:21 AM

On Oct 22, 10:23 am, kdob... (AT) gmail (DOT) com wrote:
> By default the user informix is in the administrators group, which is a
> security hole. If somebody compromises the database he will have an
> administrative account for the whole server.
>
> My question is how do I run Informix IDS (10) when the informix user
> is member of the Users group, but not of the Administrators?
>
> Thanks in advance.

There is NO default group for user informix on any UNIX platform; the
user and its default group, group informix, are created by the system
administrator manually and should not be a member of any other group.
If you are on Windows, sorry, don't know. Of course, specifying
platform and version information with all postings will avoid having
to parse through irrelevant responses.

Art S. Kagel



#4 Ben Thompson - 10-22-2007, 11:46 AM

kdobrev (AT) gmail (DOT) com wrote:
> By default the user informix is in the administrators group, which is a
> security hole. If somebody compromises the database he will have an
> administrative account for the whole server.
>
> My question is how do I run Informix IDS (10) when the informix user
> is member of the Users group, but not of the Administrators?

I haven't got a test box to hand to try this out. The 'informix' user
needs to be a member of the 'Informix-Admin' group so you can't unset
this, but have you tried simply taking 'informix' out of the
'Administrator' group? If you have, does the Informix service still
start and can you still run 'onstat' and 'onmode' commands in the
command prompt window with Informix environment set?

Ben.


#5 Guy . - 10-22-2007, 12:13 PM

If you have a recent version of IDS 10 or higher (10.00.TC5 or later), you can change the IDS service to start as the local SYSTEM user. Then you can take informix out of the Administrators group (but leave it in the Informix-Admin group).

Guy
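
A way to check the end state this reply describes, as an added example that is not part of the thread or of any Informix documentation: it lists the local groups of the `informix` account and the logon account of matching services. The `$ServiceLike` pattern is an assumption; replace it with the actual IDS service name on the host.

```powershell
# Added example: verify the least-privilege state of the Informix account.
# $ServiceLike is an assumed pattern, not a name taken from the thread.
param(
    [string]$Account     = 'informix',
    [string]$AdminGroup  = 'Administrators',
    [string]$DbsaGroup   = 'Informix-Admin',
    [string]$ServiceLike = '*informix*'
)

function Get-LocalGroupNames {
    param([string]$User)
    # The WinNT ADSI provider enumerates local group membership and is
    # available to old and new Windows PowerShell versions alike.
    $u = [ADSI]"WinNT://$env:COMPUTERNAME/$User,user"
    $u.psbase.Invoke('Groups') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$groups = @(Get-LocalGroupNames -User $Account)
"Local groups of ${Account}: " + ($groups -join ', ')

# -contains / -notcontains compare case-insensitively.
if ($groups -contains $AdminGroup) {
    Write-Warning "$Account is still a member of $AdminGroup"
}
if ($groups -notcontains $DbsaGroup) {
    Write-Warning "$Account is not in $DbsaGroup (the thread says to keep this membership)"
}

# StartName is the service logon account, for example 'LocalSystem',
# '.\informix' or 'HOST\informix'. Get-WmiObject is Windows PowerShell;
# on PowerShell 7 use Get-CimInstance -ClassName Win32_Service instead.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.Name -like $ServiceLike -or $_.DisplayName -like $ServiceLike } |
    Select-Object Name, State, StartMode, StartName |
    Format-Table -AutoSize
```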

#6 kdobrev@gmail.com - 10-24-2007, 05:07 AM

I'm using Windows Server 2003 Standard. I have tried to make Informix
member of Users instead of member of Administrators, but a user cannot
start services. I have given the right to login as service, but still
no luck. Making the IDS start with SYSTEM account is even worse than
starting it as an administrator of the system.

Any other suggestions?


#7 Guy . - 10-24-2007, 04:19 PM

> Making the IDS start with SYSTEM account is even worse than starting it as an administrator of the system

Why is it worse?

SYSTEM is not a real user. Many server programs choose to run their services as SYSTEM for security purposes so the real users can be taken out of Administrators group. Can you elaborate on your specific concerns about running IDS as SYSTEM user?

Guy

