IBM Connections 5.5 – Problem with ibm_upload_module and NFS
since IBM Connections 5.5 there is an IHS module available that handles file uploads via HTTP Server and not via WebSphere Application Server – similar to the module for downloading files. This has great advantages in terms of performance and memory usage, because WAS does not need to take care about serving those files via JVM.
But I ran into trouble when using this module in combination with Linux and a standard configuration:
When you normally start IHS as root (in order to bind to port 80 & 443) the worker threads are started as “nobody” (a user with lowest permissions –> description).
But when using the files upload module the following error occurs if you attach a file to an activity:
When creating a new entry IBM Connections creates a folder structure on the NFS share (as lxadmin as this is the WebSphere user) that consists of one or several subfolders. The file actually gets uploaded via IHS / ibm_upload_module that tries to write to this created folder on the share with the nobody:nobody user. This user does not have write permission for the folder as WebSphere creates the folders using 755 permissions so not enough for the nobody user to write.
I reported this problem to IBM and got the following response:
Development says they don’t support nobody:nobody for the worker. The
only solution they gave was to create a user for IHS worker only.
Then add the user to group, and grant NFS to the group with write
But actually there are two ways how to solve this:
1. Change the umask settings in WebSphere Application Server
WebSphere Application server is started by default with umask 022 (755) setting:
0 – Owner has r/w/x permissions
2 – Group has r/x permissions
2 – Others have r/x permissions
You can change this to umask 020 so that others have r/w/x permissions:
Which gives “others” also the write and execute permission to files – this mandatory for the nobody user!
Newly uploaded files are now created as nobody:nobody
2. Start the worker threads as the same non-root user “lxadmin” that also start the WebSphere processes
This guarantees that the folders are writeable also by the upload module. Compared to nobody, the lxadmin user has more permissions and is able to login via ssh…
For whatever solution you go it is always a change to security and the way files / folders get created.
I`m not that happy with both solution and I try to find other alternatives.