Information
A Db2 software installation will place all executables under the default <DB2PATH>\sqllib directory. This directory needs to be secured so it grants only the necessary access to authorized users and administrators.
Rationale:
The Db2 runtime is comprised of files that are executed as part of the Db2 service. If these resources are not secured, an attacker may alter them to execute arbitrary code.
Solution
For Windows:
Connect to the Db2 host
Right-click on the NODE000x\sqldbdir directory
Choose Properties
Select the Security tab
Select all DB administrator accounts and grant them the Full Control authority
Select all other accounts and revoke all privileges other than Read and Execute
For Linux:
Connect to the Db2 host
Change to the /NODE000x/sqldbdir directory
Change the permission level of the directory to this recommended value
$ chmod -R 755
Default Value:
Linux
$DB2PATH/NODE000x/sqldbdir is owned by the Db2 administrator with read, write, and execute access.
Windows
$DB2PATH\NODE000x\sqldbdir owned by the Db2 administrator with read, write, and execute access.
The database instance db2inst1 located in /home/NODE000x needs the following permissions:
drwxrwxr-x 11 db2inst1 db2grp1 4096 Aug 08 1:34 NODE0000
All lower directories need the same settings:
/db2,/db2/data, /db2/data/db2inst1, /db2/data/db2inst1/db2inst1 and /db2/data/db2inst1/db2inst1/NODE0000 would need the same settings drwxrwxr-x.