IBM Support

IC50786: SECURITY: POSSIBLE SECURITY ISSUES WITH ICONNECT INSTALLER AND TEMPORARY INSTALLATION FILES

 

APAR status

  • Closed as program error.

Error description

  • The default permissions of the installconn script could allow
    an unprivileged user to inject code which could compromise
    security during installation. Also, the installation process
    creates temporary files in the /tmp directory. It is possible
    for a user with access to /tmp to link to this file and thereby
    compromise security.
    

Local fix

  • Change the permissions of the installconn file to 755, and use
    the -log option when performing the IConnect installation to
    redirect the temporary files created to a secure directory.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All users running CSDK 2.90.*C1 through 2.90.*C4 on AIX,
    HP-UX, IRIX, Solaris and Linux operating systems.
    ****************************************************************
    PROBLEM DESCRIPTION:
    1. The default installation log file is created in the /tmp
    directory.
    2. The default permissions of the installation scripts were 777.
    ****************************************************************
    RECOMMENDATION:
    Upgrade to 2.90.*C4R1 when available or use the Temporary Fix as
    suggested in this APAR.
    ****************************************************************
    

Problem conclusion

  • Problem first fixed in version 2.90.*C4R1 release.
    

Temporary fix

  • Change the permissions of the installconn file to 755, and use
    the -log option when performing the IConnect installation to
    redirect the temporary files created to a secure directory.
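
The temporary fix expressed as pre-install checks. This is an added example, not IBM's code: the function names and the log directory location are assumptions, and the argument form of -log should be taken from the installer's own usage text.

```shell
#!/bin/sh
# Added example: checks to run before the IConnect installer, following the
# temporary fix in this APAR. Function names and paths are hypothetical.

# Return 0 if the path is writable by group or others (for example mode 777).
is_loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Set the installer script to 755 and confirm that no group/other write bit
# remains. Symbolic links are refused so chmod cannot be redirected elsewhere.
harden_script() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    chmod 755 "$1" || return 1
    ! is_loosely_writable "$1"
}

# Create a new log directory that only the current user can access.
# The parent must not be group/world-writable (this rules out /tmp), and
# mkdir without -p fails if the name already exists, including as a symlink,
# so a pre-planted link is rejected instead of followed.
make_private_logdir() {
    is_loosely_writable "$(dirname "$1")" && return 1
    ( umask 077 && mkdir "$1" ) || return 1
    [ -d "$1" ] && [ ! -L "$1" ] && ! is_loosely_writable "$1"
}

# Typical use (the -log argument form is an assumption; the APAR names only
# the option):
#   harden_script ./installconn || exit 1
#   make_private_logdir "$HOME/iconnect-logs" || exit 1
#   ./installconn -log "$HOME/iconnect-logs/install.log"
```
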
    

Comments

APAR Information

  • APAR number

    IC50786

  • Reported component name

    INFORMIX CLIENT

  • Reported component ID

    5724C2300

  • Reported release

    290

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2006-10-06

  • Closed date

    2008-05-21

  • Last modified date

    2008-05-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    INFORMIX CLIENT

  • Fixed component ID

    5724C2300

Applicable component levels

  • R290 PSY

       UP


Document Information

Modified date:
21 May 2008