Utilities for checking directory security (UNIX)
The database server utilities make security checks before the database server starts.
To provide increased security, key server utilities check if your environment is secure. Before the database server starts, the following settings must be unchanged from the settings established during installation:
- The permissions on directories in the installation path. When you install a new version of your database server, follow the installation instructions to ensure that the permissions of all key files and directories are set appropriately. If you change the path permissions after installation in such a way that the server utilities detect that the path is not secure, HCL OneDB™ will not start.
- The permissions on $ONEDB_HOME and its subdirectories. For each directory, the database server checks that the directory exists, that it is owned by user onedb and the correct group (as shown in Installation path security requirements (UNIX)), and that directory permissions do not include write permissions for the group or other users.
- The permissions on the onconfig file.
The configuration file must belong to the Database Server Administrator (DBSA) group. If the DBSA group is onedb (the default group), the onconfig file must be owned by user onedb; otherwise, the ownership is not restricted. The file must not have write permissions for others.
- The permissions on the sqlhosts file.
Under the default configuration, the sqlhosts file is located in the $ONEDB_HOME/etc directory. The owner must be user onedb, the group must be either the onedb group or the DBSA group, and the file must not have public write permissions. If the file is specified through an ONEDB_ SQLHOSTS environment variable, the owner and group are not checked; however, public write permissions are not permitted.
- File name lengths.
The length of the onconfig file name in $ONEDB_HOME/etc must be less than 256 bytes.
If the tests for any of these conditions fail, the utilities exit with an error message.
Utilities check that the path specified by the ONEDB_HOME environment variable is secure whenever you attempt to start major programs like oninit, onmode, etc. The security check stops programs from starting if the $ONEDB_HOME path is not secure to help prevent the possibility that attackers can change software that is secure to software that is not secure. Use the onsecurity utility to diagnose the problem, and in some cases, to change directory permissions.
In rare circumstances, troubleshooting security issues can require that utilities that run as root user or user onedb can start in a nonsecure environment temporarily (that is, root and user onedb are not stopped by the utilities that detect a security problem in the $ONEDB_HOME path). See the IFX_NO_SECURITY_CHECK environment variable documentation in the HCL OneDB Guide to SQL: Reference for more information.
The installation media for HCL OneDB, Version 11.50.xC4 and later completes a security check on the selected destination path before the binary files are copied to the target host computer. See the security-related documentation in the latest version of HCL OneDB Installation GuideHCL OneDB Installation Guide for UNIX™, Linux™, and Mac OS X for more information.
The onsecurity utility is available on your host computer as a stand-alone tool to check directory permissions of the path specified by the ONEDB_HOME environment variable after you have installed HCL OneDB, Version 11.50.xC4 and later versions. The onsecurity utility is copied to $ONEDB_HOME/bin.