3.1.11 Secure the Python Runtime Path (PYTHON_PATH)

Information

The PYTHON_PATH parameter contains the directory under which the Python runtime is installed. It is recommended that the owner of this directory is bin on Linux and AIX, and a member of the Db2 administration group on Windows. The directory should have read and execute permission for all users, but only write permission for the owner.

Rationale:

Restricting access to the Python runtime will help ensure that only an authorized runtime is used for running Python routines within Db2.

Solution

For Windows and Linux:

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command to change the Python path, if necessary:

db2 => update database manager configuration using python_path <valid directory>

Additional steps for Windows:

Connect to the Db2 host

Right-click over the directory used as the Python path

Choose Properties

Select the Security tab

Assign ownership of the directory to the Db2 Administrator

Grant all Db2 administrator accounts the Full Control authority

Grant only read and execute privileges to all other users (revoke all other privileges)

Additional steps for Linux:

Connect to the Db2 host as root

Change to the directory used as the Python path

Assign bin to be the owner of the directory using the chown command

Change the permissions for the directory

$ chmod -R 755 .
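
Added example (not part of the benchmark text): a POSIX shell check that verifies the result of the Linux steps above, covering ownership, the absence of group/other write permission anywhere in the tree, and read/execute access on the directory itself. The function name audit_python_path and its arguments are assumptions made for this example; the expected owner defaults to bin as recommended above.

```shell
#!/bin/sh
# Hypothetical helper written for this example; not a Db2 or CIS tool.
# Usage: audit_python_path <directory> [expected_owner]
# Returns 0 when compliant, 1 on a finding, 2 when the check cannot run.
audit_python_path() {
    dir=$1
    owner=${2:-bin}
    rc=0

    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory" >&2; return 2; }

    # 1. Every entry in the tree must belong to the expected owner.
    bad=$(find "$dir" ! -user "$owner" -print) || return 2
    if [ -n "$bad" ]; then
        echo "FAIL: not owned by $owner:"; echo "$bad"; rc=1
    fi

    # 2. Nothing may be writable by group (020) or others (002).
    #    Symlinks are skipped because their own mode bits are not enforced.
    bad=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print) || return 2
    if [ -n "$bad" ]; then
        echo "FAIL: writable by group or others:"; echo "$bad"; rc=1
    fi

    # 3. The directory itself must be readable and searchable by all users
    #    (r-x for group and others = 055). -prune stops find from descending.
    ok=$(find "$dir" -prune -perm -055 -print) || return 2
    if [ -z "$ok" ]; then
        echo "FAIL: $dir is not read/execute for all users"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "PASS: $dir"
    return "$rc"
}
```

Run it against the directory configured as python_path, for example audit_python_path <valid directory>; each offending path is printed under the finding it triggered.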

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 64cf5feadbd2686fe348cec798589a624dc1e07b26e997edac7f592f344ab62e