PROGRESS and unix permissions
Correcting errno 13

PROGRESS AND UNIX PERMISSIONS

INTRODUCTION:
=============
This Product Services Technical Support Knowledgebase entry explains how
PROGRESS interacts with unix permissions. It also explains what permissions
need to be set so that end users can access PROGRESS effectively and with no
permission problems.

WHY YOU NEED TO KNOW THIS:
===========================
This will allow the system administrator to maintain security at the unix
level in the event of users having access to the operating system shell.

PROCEDURAL APPROACH:
====================
In order for users to start a multi-user session for PROGRESS, the following
permissions should be maintained:

PROGRESS Executables

The PROGRESS executables should have read, write, and set-uid for the user.
The group and other should have execute permissions as well. The owner of the
executables should be root. This is accomplished by the following steps:

A) Log in as root or switch user to root.
B) Move to the DLC directory.
C) Type the following set of commands:

    chown root _*
    chmod 4711 _*

An example of what the executables will look like follows.

    -rws--x--x 1 root rdl  458926 Nov 10 09:49 _mprosrv
    -rws--x--x 1 root rdl  508210 Nov 10 09:49 _mprshut
    -rws--x--x 1 root rdl 1450549 Nov 10 09:49 _progres
    -rws--x--x 1 root rdl  823434 Nov 10 09:49 _proutil
    -rws--x--x 1 root rdl 1478176 Nov 10 09:49 _prox

The first column shows permissions for the file.

    r - read permission
    w - write permission
    x - execute permission
    s - set-uid bit set

The first position tells what kind of file it is. If it is defined as a
normal or unknown file it will have a "-". Other file types are:

    d - directory file
    l - link file
    t - link permission for directories.

The next 3 letters are permissions for the user. The next 3 letters are
permissions for the user group. The next 3 letters are permissions for the
other group (all users).
The set-uid bit can only be set for the owner and group of the file. The
set-uid bit allows the user executing the file to take on the permissions of
the file's owner while executing. This allows individual users access to the
database files while in PROGRESS, but they cannot delete the files when in
the unix shell.

PROGRESS Database files:

In order to prevent users from deleting the database files, the following
permissions should be set:

NOTE: This pertains to connecting to the database at startup (i.e. mpro demo)

1) Permissions to the directory where the database resides should belong to
   root and have read and write permissions for the user only.
2) Permissions to the database files (the .db, .lg, and .bi) should also be
   read and write only. Root should be the owner of the files as well.

The directory should look like this:

    drwx--x--x 2 root rdl       512 Nov 10 10:18 .
    drwxrwxrwx 8 root rdl      1024 Nov 10 09:49 ..
    -rw------- 1 root system      0 Nov 10 10:18 demo.bi
    -rw------- 1 root system 332800 Nov 10 10:18 demo.db
    -rw------- 1 root system     55 Nov 10 10:18 demo.lg

The "." signifies the current working directory. The ".." signifies the
parent directory or next higher directory.

With these permissions set, normal users may access the database through
PROGRESS, but may not modify the files from the unix shell.

NOTE: When using the "connect" statement from within a procedure or through
the editor, as a local client, the following permissions must

1) Permissions to the directory and to the files must be set to read and
   write for the group if the user belongs to the same group, or for other
   if the user does not belong to the same group. Please see the following
   example.

    drwx--xrwx 2 root rdl    512 Nov 10 10:18 .
    -rw----rw- 1 root rdl      0 Apr  4 14:21 demo.bi
    -rw----rw- 1 root rdl 332800 Apr  4 14:21 demo.db
    -rw----rw- 1 root rdl     55 Apr  4 14:21 demo.lg

The combination of executable permissions and database permissions provides
full functionality as well as the ability to provide security where needed.

Possible errors that could occur if permissions are set incorrectly are:
43, 98, 103, 292, 316, 354, 1295, 1506, 2257, 2601.

Error number 13 is a permissions problem.

NOTE: When using the "connect" statement, from within a procedure or the
editor, using a networked connection (i.e. using the -S and -H parameters),
you do not need to turn on read and write permissions for "other". Read and
write for "owner" should suffice.

ONLINE PROCEDURES OR UTILITIES:
===============================
MAN pages for chmod and chown.
PROGRESS help option 2. any messages.
errno.h file in unix include directory

REFERENCES TO WRITTEN DOCUMENTATION:
======================================
None.

Progress Software Technical Support Note # 12538
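
ADDED EXAMPLE (not part of the original note):
The script below audits the layout described above for the startup-connection
case (mpro demo): _* executables owned by root with mode 4711, and .db/.bi/.lg
files owned by root with mode 600 in a directory that group and other cannot
write. The function names, the directory arguments and the optional owner
argument are assumptions of this example, not PROGRESS tooling.

```shell
#!/bin/sh
# Added example: audit a PROGRESS install against the permissions in this note.
# Assumed inputs: DLC directory, database directory, expected owner (default root).

# audit_exes DLC_DIR [OWNER]
# Print each _* file in DLC_DIR that is not owned by OWNER or whose mode
# is not exactly 4711 (-rws--x--x).
audit_exes() {
    dlc=$1 owner=${2:-root}
    for f in "$dlc"/_*; do
        [ -f "$f" ] || continue          # skip an unmatched glob or non-files
        find "$f" -prune \( ! -user "$owner" -o ! -perm 4711 \) -print
    done
}

# audit_db DB_DIR [OWNER]
# Print DB_DIR if it is not owned by OWNER or is writable by group or other,
# then each .db/.bi/.lg file that is not owned by OWNER with mode 600.
audit_db() {
    dbdir=$1 owner=${2:-root}
    find "$dbdir" -prune \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
    for f in "$dbdir"/*.db "$dbdir"/*.bi "$dbdir"/*.lg; do
        [ -f "$f" ] || continue
        find "$f" -prune \( ! -user "$owner" -o ! -perm 600 \) -print
    done
}

# Run as a script:  audit.sh DLC_DIR DB_DIR
# Lists every deviation and exits 1 if there is at least one.
if [ "$#" -eq 2 ]; then
    out=$(audit_exes "$1"; audit_db "$2")
    [ -z "$out" ] || { printf '%s\n' "$out"; exit 1; }
fi
```

A database opened with the local "connect" statement is expected to fail this
audit, because that case needs the group or other read/write bits shown in the
second listing.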