3.1.5 Secure permissions for default database file path

Information

The dftdbpath parameter contains the default file path used to create DB2 databases. It is recommended that the permissions for this directory be set to full access for DB2 administrators and read and execute access only for all other accounts. It is also recommended that this directory be owned by the DB2 Administrator.

Solution

For Windows and Linux-
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE2. Run the following command from the DB2 command window to change the default file path, if necessary-
db2 => update database manager configuration using dftdbpath <valid directory>
Additional steps for Windows-
1. Connect to the DB2 host
2. Right-click over the directory used as the default file path
3. Choose Properties
4. Select the Security tab
5. Assign ownership of the directory to the DB2 Administrator
6. Grant all DB administrator accounts the Full Control authority
7. Grant only read and execute privileges to all other users (revoke all other privileges)
Additional steps for Linux-
1. Connect to the DB2 host
2. Change to the directory used as the default file path
3. Assign the DB2 Administrator to be the owner of the directory using the chown command
4. Change the permissions for the directory
OS => chmod -R 755

See Also

https://workbench.cisecurity.org/files/162