Installation path security requirements (UNIX)

The owner, group, and write access settings of the directories in the installation path and key subdirectories must be secure to prevent attacks on HCL OneDB™ programs.

HCL OneDB checks directory permissions when it is started to help prevent security breaches, such as a denial-of-service attack or a time-of-check, time-of-use (TOCTOU) attack (also known as a race condition).

The installation path is secure when each directory in it (from the root directory to the installation directory) meets all of the following conditions:

  • The user that owns the directory is trusted.
  • Either the group that owns the directory is trusted or the group cannot write in the directory.
  • There is no public write access to the directory. A directory with public write access is inherently not secure because any user can move or rename the directory or a file within it.

The main installation directory must be owned by user onedb, must belong to group onedb, and must not have public write permission. Typically, no user requires write permission on the directory, but in many environments user onedb is granted this permission.

To complete a transaction on the database server that requires trusted privileges, a user must have a user name and belong to a group that matches the names of corresponding, trusted entities that exist on the computer. If a user or group name is not in the environment, the name is not trusted.