On UNIX systems, you can start a PAS for OpenEdge instance as a non-root user if the following conditions exist:

  • You can be authenticated by the operating system.
  • OpenEdge executables and scripts have the execute privilege, and their file permissions grant you the read and write access that the PAS for OpenEdge startup process requires.

Operating system authentication requirements

The PAS for OpenEdge instance must be started with an account that has the privileges that are needed to validate user accounts and passwords on that particular UNIX system's configuration. To authenticate the user who is attempting to start a PAS for OpenEdge instance, the instance uses the UNIX system's password files, which may be located in either the NIS password map or the /etc/passwd file, or in both locations depending on the system configuration, as follows:

  • If only account validation is performed, the UNIX system looks up that account to verify that it exists and does not use the shadow password file (/etc/shadow).
  • If both account validation and password validation are performed, the UNIX system uses both the /etc/passwd and /etc/shadow files, if the system is configured by the system administrator to use them.

UNIX protects the /etc/passwd and /etc/shadow files by requiring a process to have root privileges to access them when validating passwords. However, the NIS password map generally does not require root privileges to access accounts and validate passwords. The level of security is configured by the UNIX system administrator. To determine whether you require root privileges to start PAS for OpenEdge, you may have to consult the UNIX system administrator.

Requirements for changing file ownership and access permissions

After you install OpenEdge on a UNIX system, you typically configure file permissions in accordance with your company's policies. Note the following with regard to the permissions that are required for changing file ownership and access mode on OpenEdge files:

  • The OpenEdge and OpenEdge Management product installations must be performed by a root user.
  • If you are using OpenEdge Management, run the commands to change file ownership and access only after you have enabled OpenEdge Management or remote containers. Otherwise, some files may revert to having only root permissions, which could leave the Progress DBA unable to start the PAS for OpenEdge instance or OpenEdge Management.
  • After installation is complete, but prior to changing any file permissions, make sure that all Progress processes are stopped.
  • With certain OpenEdge Management versions, the chgrp and chmod commands fail when run against the fathom.init.params file and /var/tmp/Jetty__9090__* directories because they might not exist. You can ignore the errors.
  • All commands to change file ownership or access mode (that is, the chgrp and chmod commands, respectively) must be performed by a root user.
  • The progress group should be used only for Progress DBA users. Other, non-DBA users should not be part of this group. Progress clients should be part of a different group (for example, progusers), and the database files should have progusers as their group and have g+rw permissions. The directory containing the database files should also have the group progusers and r-x permissions (that is, no write permissions) to prevent someone from deleting the files. All other permissions should be removed from the database directory and files, using the chmod o-rwx db-files command. The Progress DBA should be a member of both the progress and progusers groups by comma-separating them within the /etc/group file.
  • Progress recommends that you use a script to apply the file permissions so that the process can be replicated; for example, after installing OpenEdge on multiple host machines or applying a service pack.

Steps to change file ownership and access

The steps provided in this section use the following names and variables:

  • progress is the group that the non-root user (for example, the DBA) will be a member of.
  • dlc is the directory where OpenEdge is installed.
  • wrk is the OpenEdge working directory.
  • oemgmt is the OpenEdge Management installation directory.
  • wrk_oemgmt is the OpenEdge Management working directory.

Also, the steps described in this section make the following file ownership and access changes:

  • Recursively change the group of all directories and files within the dlc, oemgmt, wrk, and wrk_oemgmt directories to progress.
  • Add -rwxrwx--- permissions for all directories, including those within the recursive (-R) chmod commands.
  • Add -rw-rw---- permissions for all files, including those within the recursive (-R) chmod commands. The use of uppercase X with chmod sets x permissions for directories but not for the files within.
  • Recursively remove --------w- permissions for all files and directories in the dlc and oemgmt directories. (Remember to change the group progress and the directory names to suit your configuration.)

To change file ownership and access for OpenEdge when OpenEdge Management is not also installed, enter the following commands:

  1. chgrp -R progress dlc
  2. chgrp -R progress wrk
  3. chmod -R o-w dlc
  4. chmod -R ug+rwX dlc/properties ; chmod -R o-rwx dlc/properties
  5. chmod -R ug+rwX wrk
  6. sudo chmod g+rx /opt/dlc_oe12/install
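
Following the recommendation above to script the permission changes, this added example (not Progress's own script) wraps steps 1 through 5 in a function and adds a read-only audit of the resulting state. The group and directory arguments are placeholders, and step 6, which names a specific installation path, is left out.

```shell
#!/bin/sh
# Added example, not Progress code. Usage: script GROUP DLC_DIR WRK_DIR
# (all three are placeholders for your own group and directories).

# Steps 1-5 from the list above; on a real installation this runs as root.
apply_perms() {
    grp=$1; dlc=$2; wrk=$3
    chgrp -R "$grp" "$dlc" "$wrk" &&
    chmod -R o-w "$dlc" &&
    chmod -R ug+rwX "$dlc/properties" &&
    chmod -R o-rwx "$dlc/properties" &&
    chmod -R ug+rwX "$wrk"
}

# Read-only check of the resulting state. Writes one labelled line per
# offending path to stderr; returns 0 when nothing is found, 1 otherwise.
# Symbolic links are skipped because their own mode bits are not meaningful.
audit_perms() {
    grp=$1; dlc=$2; wrk=$3
    bad=$(
        # Anything under dlc or wrk that is not in the expected group.
        find "$dlc" "$wrk" ! -type l ! -group "$grp" -print |
            sed 's/^/wrong-group: /'
        # World-writable entries anywhere under dlc (step 3 removes o+w).
        find "$dlc" ! -type l -perm -0002 -print |
            sed 's/^/world-writable: /'
        # Any "other" bit left under dlc/properties (step 4 removes o+rwx).
        find "$dlc/properties" ! -type l \
            \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print |
            sed 's/^/other-access: /'
        # Entries the group cannot read and write (steps 4 and 5 add ug+rw).
        find "$dlc/properties" "$wrk" ! -type l ! -perm -0060 -print |
            sed 's/^/group-lacks-rw: /'
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" >&2
    return 1
}

# Apply and verify only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    apply_perms "$@" && audit_perms "$@"
fi
```

Calling audit_perms on its own after applying a service pack shows whether any files have reverted to permissions that would stop the DBA from starting the instance.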