Infrastructure at your Service

David Diab

Documentum CS 7.* – 777 permission on jobs log

A few weeks ago at a customer, our team was involved in a security control.
We tracked files with 777 permission and we detected that logs generated by Documentum jobs have 777 permissions.

Security before anything else, that’s why this topic was my top priority!

First of all, I checked the logs on some Content Servers, and I had the same issue everywhere.

[dmadmin@vmCS1 ~]$ cd $DOCUMENTUM/dba/log/Repo1/sysadmin
[dmadmin@vmCS1 sysadmin]$ ls -rtl
total 192
-rwxrwxrwx. 1 dmadmin dmadmin   1561 Oct 25 10:12 DataDictionaryPublisherDoc.txt
-rwxrwxrwx. 1 dmadmin dmadmin   5172 Oct 28 08:02 DMCleanDoc.txt
-rwxrwxrwx. 1 dmadmin dmadmin   6701 Oct 28 08:17 DMFilescanDoc.txt
-rwxrwxrwx. 1 dmadmin dmadmin  14546 Nov  2 00:01 ConsistencyCheckerDoc.txt
-rwxrwxrwx. 1 dmadmin dmadmin   2969 Nov  2 00:09 ContentWarningDoc.txt
-rwxrwxrwx. 1 dmadmin dmadmin    596 Nov  2 00:12 DBWarningDoc.txt
-rwxrwxrwx. 1 dmadmin dmadmin 102765 Nov  2 00:17 FileReportDoc.txt
-rwxrwxrwx. 1 dmadmin dmadmin   3830 Nov  2 00:25 LogPurgeDoc.txt
-rwxrwxrwx. 1 dmadmin dmadmin    527 Nov  2 00:28 QueueMgtDoc.txt
-rwxrwxrwx. 1 dmadmin dmadmin  15932 Nov  2 00:31 StateOfDocbaseDoc.txt

I verified the umask at operating system level:

[dmadmin@vmCS1 ~]$ umask
0027

umask has the expected value!
For more information regarding the umask : https://en.wikipedia.org/wiki/Umask

Check if a different value of umask is set in the server.ini file ([SERVER_STARTUP] section):

[dmadmin@vmCS1 ~]$ cd $DOCUMENTUM/dba/config/Repo1
[dmadmin@vmCS1 ~]$ grep umask server.ini
[dmadmin@vmCS1 ~]$ 

No result
If it has been set, the umask setting in the server.ini overwrite the one set at operation system level.
This umask value is intended to control the permissions of files associated with documents stored in the repository, and their enclosing folders.
In my case, these files and folders have the correct permission.

Well, why only these logs have a different permission? I checked again some servers and I saw that not all jobs log have 777 permission, strange:

[dmadmin@vmCS2 sysadmin]$ ls -rtl
total 108
-rwxrwxrwx. 1 dmadmin dmadmin   601  Oct 18 07:12 DMFilescanDoc.txt
-rwxrwxrwx. 1 dmadmin dmadmin   138  Oct 20 21:37 UpdateStatsDoc.txt
-rw-r-----. 1 dmadmin dmadmin   1832 Oct 24 13:45 FTCreateEventsDoc.txt
-rwxrwxrwx. 1 dmadmin dmadmin   1251 Oct 25 11:55 DataDictionaryPublisherDoc.txt
-rwxrwxrwx. 1 dmadmin dmadmin   442  Oct 28 07:12 DMCleanDoc.txt

In fact, the common point between logs with 777 permission is that they are generated by dmbasic methods. These logs are not controlled by the umask set at the operating system level or server.ini.

The system umask value is overridden in the docbase start script, and set to 0. This value is then inherited by dmbasic methods!

[dmadmin@vmCS1 sysadmin]$ grep umask $DOCUMENTUM/dba/dm_start_Repo1
umask 0

I feel better now :D

So, to resolve this issue I had to:

  • Change the umask to 027 instead of 0 in the docbase start script
  • Stop the docbase
  • Change the permission of logs already generated
  • Start the docbase
  • Check the logs after a job execution

To make it easy and quickly, you can use below steps:
Commands below take in account High Availability case, don’t worry about that ;)

  1. To change on one docbase
    Define the docbase name

    		export DCTM_DOCBASE_NAME="DOCBASENAME"

    Check if it is a HA environment or not, and set the DCTM_DOCBASE_GLOBAL_NAME accordingly:

    		cd $DOCUMENTUM/dba
    		export DCTM_DOCBASE_SERVER_CONFIG=$(grep server_config_name config/${DCTM_DOCBASE_NAME}/server.ini | cut -d \  -f 3) ;
    		if [ ${DCTM_DOCBASE_SERVER_CONFIG} == ${DCTM_DOCBASE_NAME} ]
    		then
    			export DCTM_DOCBASE_GLOBAL_NAME=${DCTM_DOCBASE_NAME}
    		else
    			export DCTM_DOCBASE_SERVICE_NAME=$(grep 'service =' config/${DCTM_DOCBASE_NAME}/server.ini | cut -d \  -f 3) ;
    			export DCTM_DOCBASE_GLOBAL_NAME=${DCTM_DOCBASE_NAME}"_"${DCTM_DOCBASE_SERVICE_NAME}
    		fi

    Change the umask value in the start script

    		cp -p dm_start_${DCTM_DOCBASE_GLOBAL_NAME} dm_start_${DCTM_DOCBASE_GLOBAL_NAME}_bck_$(date +%Y%m%d-%H%M%S)
    		echo "Docbase ${DCTM_DOCBASE_NAME} : Start script has been saved"
    		sed -i 's,umask 0,umask 027,' dm_start_${DCTM_DOCBASE_GLOBAL_NAME}
    		echo "Docbase ${DCTM_DOCBASE_NAME} : Umask changed"

    Stop the docbases using the following command:

    		./dm_shutdown_${DCTM_DOCBASE_GLOBAL_NAME}

    Check if the docbase has been stopped:

    		ps -ef | grep ${DCTM_DOCBASE_NAME}

    Change the permission of existing files:

    		DCTM_DOCBASE_ID_DEC=$(grep docbase_id config/${DCTM_DOCBASE_NAME}/server.ini | cut -d \  -f 3)
    		DCTM_DOCBASE_ID_HEX=$(printf "%x\n" $DCTM_DOCBASE_ID_DEC)
    		chmod 640 log/*${DCTM_DOCBASE_ID_HEX}/sysadmin/*

    Start the docbase using the following command:

    		./dm_start_${DCTM_DOCBASE_GLOBAL_NAME}
  2. To change on all docbases
    Check if it is a HA environment or not (check done one docbase only), and set the DCTM_DOCBASE_GLOBAL_NAME accordingly, then change the umask value in the start script.

    		cd $DOCUMENTUM/dba
    		export FIRST_DOCBASE_NAME=$(ls config | head -1)
    		export DCTM_DOCBASE_SERVER_CONFIG=$(grep server_config_name config/${FIRST_DOCBASE_NAME}/server.ini | cut -d \  -f 3)
    		if [ ${FIRST_DOCBASE_NAME} == ${DCTM_DOCBASE_SERVER_CONFIG} ]
    		then
    			export HA_ENV="NO"
    		else
    			export HA_ENV="YES"
    		fi
    		
    		for i in `ls config`; do 
    			if [ ${HA_ENV} == "NO" ]
    			then
    				export DCTM_DOCBASE_GLOBAL_NAME=${i}
    			else
    				export DCTM_DOCBASE_SERVICE_NAME=$(grep 'service =' config/${i}/server.ini | cut -d \  -f 3)
    				export DCTM_DOCBASE_GLOBAL_NAME=${i}"_"${DCTM_DOCBASE_SERVICE_NAME}
    			fi
    			cp -p dm_start_${DCTM_DOCBASE_GLOBAL_NAME} dm_start_${DCTM_DOCBASE_GLOBAL_NAME}_bck_$(date +%Y%m%d-%H%M%S)
    			echo "Docbase ${i} : Start script has been saved"
    			sed -i 's,umask 0,umask 027,' dm_start_${DCTM_DOCBASE_GLOBAL_NAME}
    			echo "Docbase ${i} : Umask changed"
    		done

    Stop the docbases using the following command:

    		for i in `ls config`; do 
    			if [ ${HA_ENV} == "NO" ]
    			then
    				export DCTM_DOCBASE_GLOBAL_NAME=${i}
    			else
    				export DCTM_DOCBASE_SERVICE_NAME=$(grep 'service =' config/${i}/server.ini | cut -d \  -f 3)
    				export DCTM_DOCBASE_GLOBAL_NAME=${i}"_"${DCTM_DOCBASE_SERVICE_NAME}
    			fi
    			echo "Stopping docbase ${i}"
    			./dm_shutdown_${DCTM_DOCBASE_GLOBAL_NAME}
    			echo "The docbase ${i} has been stopped"
    		done

    Check that all docbases are stopped

    		ps -ef | grep dmadmin

    Change permission on log files

    chmod 640 log/*/sysadmin/*

    Start the docbases using the following commands:

    
    		for i in `ls config`; do 
    			if [ ${HA_ENV} == "NO" ]
    			then
    				export DCTM_DOCBASE_GLOBAL_NAME=${i}
    			else
    				export DCTM_DOCBASE_SERVICE_NAME=$(grep 'service =' config/${i}/server.ini | cut -d \  -f 3)
    				export DCTM_DOCBASE_GLOBAL_NAME=${i}"_"${DCTM_DOCBASE_SERVICE_NAME}
    			fi
    			echo "Starting docbase ${i}" 
    			./dm_start_${DCTM_DOCBASE_GLOBAL_NAME}
    			echo "The docbase ${i} has been started" 
    		done

    Check that all docbases are started

    		ps -ef | grep dmadmin

I was able to sleep peacefully this night ;) and you know now how to resolve this security issue.

Leave a Reply

David Diab
David Diab