A fix is available
APAR status
Closed as program error.
Error description
Prior to DB2 Stinger, DB2 ignore and do not considered uppercased group name or mixed case group name. The reason is that when DB2 read in the group, we uppercased the group name and that becomes the secondary authorization id for the user. Thus, no uppercase or mixed case group name are considered. As of Stinger, we accidentally allow them because of a missed check. With this, a customer can potential experience a different behavior. For example, piror to Stinger, user1 -> group1 user2 -> group2, GROUP1 If group1 was granted some privileges, user1 should be the only one able to use it because when we get group for user2, we dropped the GROUP1 (because it is uppercased). Because of this bug, as of Stinger, user2 will also inherit the privilege from group1 because DB2 internally uppercase group name to GROUP / secondary authid.
Local fix
Problem summary
Users Affected: All UNIX Problem Description: Prior to DB2 Stinger, DB2 ignore and do not considered uppercased group name or mixed case group name. The reason is that when DB2 read in the group, we uppercased the group name and that becomes the secondary authorization id for the user. Thus, no uppercase or mixed case group name are considered. As of Stinger, we accidentally allow them because of a missed check. With this, a customer can potential experience a different behavior. For example, piror to Stinger, user1 -> group1 user2 -> group2, GROUP1 If group1 was granted some privileges, user1 should be the only one able to use it because when we get group for user2, we dropped the GROUP1 (because it is uppercased). Because of this bug, as of Stinger, user2 will also inherit the privilege from group1 because DB2 internally uppercase group name to GROUP / secondary authid. Problem Summary: If you do not have any group defined in the system that have more than 1 representation (lowercase, uppercase, mixed case), then this APAR is not applicable to them. If an user who used to be not able to access something and now he/she can, get the group id information and check if he/she belongs to any group that has uppercased or mixed case group name.
Problem conclusion
Problem was first fixed in Version 8.1 FixPak 9 (s050422)
Temporary fix
Comments
APAR Information
APAR number
IY64061
Reported component name
DB2 UDB ESE AIX
Reported component ID
5765F4100
Reported release
820
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2004-10-30
Closed date
2005-05-29
Last modified date
2005-05-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
ENG_SQEX
Fix information
Fixed component name
DB2 UDB ESE AIX
Fixed component ID
5765F4100
Applicable component levels
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSEPGG","label":"DB2 for Linux- UNIX and Windows"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"820","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
Document Information
Modified date:
01 October 2021