Utilities for checking directory security (UNIX)

The database server utilities make security checks before the database server starts.

To provide increased security, key server utilities check if your environment is secure. Before the database server starts, the following settings must be unchanged from the settings established during installation:

• The permissions on directories in the installation path. When you install a new version of your database server, follow the installation instructions to ensure that the permissions of all key files and directories are set appropriately. If you change the path permissions after installation in such a way that the server utilities detect that the path is not secure, Informix® will not start.
• The permissions on $INFORMIXDIR and its subdirectories. For each directory, the database server checks that the directory exists, that it is owned by user informix and the correct group (as shown in Installation path security requirements (UNIX)), and that directory permissions do not include write permissions for the group or other users.
• The permissions on the onconfig file.

  The configuration file must belong to the Database Server Administrator (DBSA) group. If the DBSA group is informix (the default group), the onconfig file must be owned by user informix; otherwise, the ownership is not restricted. The file must not have write permissions for others.

• The permissions on the sqlhosts file.

  Under the default configuration, the sqlhosts file is located in the $INFORMIXDIR/etc directory. The owner must be user informix, the group must be either the informix group or the DBSA group, and the file must not have public write permissions. If the file is specified through an INFORMIXSQLHOSTS environment variable, the owner and group are not checked; however, public write permissions are not permitted.

• File name lengths.

  The length of the onconfig file name in $INFORMIXDIR/etc must be less than 256 bytes.

If the tests for any of these conditions fail, the utilities exit with an error message.

Utilities check that the path specified by the INFORMIXDIR environment variable is secure whenever you attempt to start major programs like oninit, onmode, etc. The security check stops programs from starting if the $INFORMIXDIR path is not secure to help prevent the possibility that attackers can change software that is secure to software that is not secure. Use the onsecurity utility to diagnose the problem, and in some cases, to change directory permissions.

In rare circumstances, troubleshooting security issues can require that utilities that run as root user or user informix can start in a nonsecure environment temporarily (that is, root and user informix are not stopped by the utilities that detect a security problem in the $INFORMIXDIR path). See the IFX_NO_SECURITY_CHECK environment variable documentation in the HCL Informix Guide to SQL: Reference for more information.

The installation media for Informix, Version 11.50.xC4 and later completes a security check on the selected destination path before the binary files are copied to the target host computer. See the security-related documentation in the latest version of HCL Informix Installation Guide for more information.

The onsecurity utility is available on your host computer as a stand-alone tool to check directory permissions of the path specified by the INFORMIXDIR environment variable after you have installed Informix, Version 11.50.xC4 and later versions. The onsecurity utility is copied to $INFORMIXDIR/bin.