Preventing Public Access to the DB2 Database
September 11, 2003
Protecting and securing important information has always been a number one priority. Software companies try to build a product with as high an integrated level of security as possible that is still easy to handle and setup. IBM is no exception. With DB2,they provided an out-of-the-box database, wide-open for PUBLIC access, yet well equipped with advanced security options. the serious DBA has to implement a database security policy choosing between the operating system security, additional specialized security software or using integrated database security features. The target security policy that is implemented is often a combination of all of them. One substantial security threat involves the PUBLIC database group, which is installed by default. Companies need strong security regulations that answer the question of how the PUBLIC group should be tailored to satisfy security restrictions. In this article, I will cover security aspects of the DB2 database default PUBLIC group.
This article covers:
On every system, several security levels are defined to protect valuable database information. A typical implementation has the following configuration:
Users connecting to the Sun Solaris, Unix server have to pass an operating system authentication as well as the database authorization.
Operating System Authentication
A database authentication method is predefined with several DBM configuration parameters. The default security settings for a fresh, newly installed database manager are as follows:
Database manager authentication (AUTHENTICATION) = SERVER Cataloging allowed without authority (CATALOG_NOAUTH) = NO Trust all clients (TRUST_ALLCLNTS) = YES Trusted client authentication (TRUST_CLNTAUTH) = CLIENT
These parameters will define the main security behavior between the client and the server. A DBA, together with the UNIX system administrator, need to find a single solution that best fits the company's regulations.
Connection between the OS authentication and the database authorization is defined on the instance level, over database manager (DBM) configuration parameters. DB2 has five integrated authorities or roles:
SYSADM system administrator authority
SYSCTRL system control authority
system maintenance authority
DBADM database administrator authority
The authorities SYSADM, SYSCTRL and SYSMAINT are the instance-level authorities and DBADM and LOAD are the database level authorities. The instance level authorities can be assigned only to the group while the database level authorities can be assigned to the user or group for a particular database.
version DB2 UDB v.8.1 has some enhancements. This version introduces new
CREATE_EXTERNAL_ROUTINE authority is used for registration and control of the
external routines (stored procedures, UDFs, and methods), while