
We are trying to debug a very old web application that uses DB2.

I would like to run a trace to see what happens when I click on a button but as soon as I try I receive this error:

create event monitor ........ for statement where AUTH_ID='.......' write to table
"USER" does not have privilege to perform operation "CREATE EVENT MONITOR".. SQLCODE=-552, SQLSTATE=42502,

It is evident to me that our user doesn't have enough privileges to run a trace.

In T-SQL there is a way to impersonate another user:

USE AdventureWorks2019
GO
EXECUTE AS USER = 'Test';
SELECT * FROM Customer;
REVERT;

I would like to know if there is the same command in DB2.

The goal is to try to run something like SQL Server Profiler for DB2 and sniff the queries.

Yes, I already tried to run GRANT DBADM ON DATABASE TO USER E.....O and of course the system replied:

"E.....O" does not have the privilege to perform operation "GRANT".. SQLCODE=-552, SQLSTATE=42502, DRIVER=3.69.56

We are stuck and we cannot move because we cannot know how the queries work. Asking for more privileges for our user is not an option as we are migrating a customer from a competitor to our side.

What I'm trying to do is a sort of privilege escalation without committing any crime.

I also thought about connecting to the DB2 database from SQL Server and using PolyBase, but as far as I know such a feature only allows me to query and I cannot sniff the parameters.

  • This is not programming, it is simple administration. Why not ask your DBA (if you have one) to GRANT your account the required permissions, and if that is refused then ask the DBA to report the SQL-queries and parameters when you run your app. Or just create your own development environment (e.g. a docker container) and do the debugging yourself by granting your user any required access.
    – mao
    Commented Dec 9, 2021 at 11:40
  • Hi @mao, as said, we are in the middle of migrating a customer from a competitor to our side. They will never help us. In fact they will try to put a stick in our wheels as much as they can.
    Commented Dec 9, 2021 at 11:42
  • Many app-servers / frameworks have a configuration method to enable SQL tracing from the client side (i.e. independently of the database server). Additionally, the Db2 client (either with JDBC or ODBC, whichever is being used) has a method to do tracing, again on the client side. Do your research.
    – mao
    Commented Dec 9, 2021 at 11:45
  • Hi @mao, I did my search. The only way to trace DB2 is apparently from db2trc. If you find any app-servers / frameworks that can do that from the client you are more than welcome to post the name of such an application here. Thank you.
    Commented Dec 9, 2021 at 15:52
  • The IBM-supplied JDBC and ODBC drivers both support tracing, provided you have a relevant shell/console to the app-server and provided you have sufficient competence. No access to the Db2 server is required for that alone. Above the driver level, the app-server will also have a means to configure tracing of SQL; again this depends on which app server is being used, and whether you have console access. Without the cooperation of the customer, you will make no progress.
    – mao
    Commented Dec 9, 2021 at 16:03

1 Answer

Db2 has a couple of ways to "impersonate", but all within the security architecture and fully audited.

  • I would recommend checking out "Trusted Context", basically adding privileges or switching roles based on predefined connection properties.
  • Another option is to look into SET SESSION AUTHORIZATION (also known as SET SESSION_USER). It switches the SESSION_USER to a different user ID.

As said, that works with the proper privileges and the security admin involved.

Depending on what you want to inspect, db2trc and other commands could be of use, too.

  • Thank you @data_henrik. db2trc looks like a command I can run from a terminal. The only access we have to DB2 is through IBM Data Studio. Do you think I can run this command remotely without having a shell?
    Commented Dec 9, 2021 at 11:50
  • No, it runs on the server. There are options to trace JDBC, but I would need to search for it.
    Commented Dec 9, 2021 at 11:53
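The two switching mechanisms the answer names, shown as an added example in Db2 LUW SQL (this is not code from the question, the answer, or IBM documentation): the SECADM-side grant that SET SESSION AUTHORIZATION requires, a trusted context that ties a role to where the connection comes from rather than to a credential the debugging user keeps, and an audit policy so that both paths leave a record. The names APP_USER, DBG_USER, APP_SRV, ROLE_APP_DEBUG, CTX_APP_DEBUG, POL_IMPERSONATION, the table APP.CUSTOMER and the address 192.0.2.10 are placeholders chosen for the example.

```sql
-- Added example, not from the question or the answer. All identifiers below
-- (APP_USER, DBG_USER, APP_SRV, ROLE_APP_DEBUG, CTX_APP_DEBUG, POL_IMPERSONATION,
-- APP.CUSTOMER, 192.0.2.10) are placeholders.

-- 1. SET SESSION AUTHORIZATION
--    Run by a user holding SECADM: DBG_USER may switch its session user to
--    APP_USER only, and to nobody else.
GRANT SETSESSIONUSER ON USER APP_USER TO USER DBG_USER;

--    Run inside DBG_USER's own connection. Without the grant above this is the
--    same SQL0552N (SQLSTATE 42502) the question shows for CREATE EVENT MONITOR.
SET SESSION AUTHORIZATION = APP_USER;

--    SYSTEM_USER keeps the ID that actually connected; SESSION_USER is the one
--    privileges are now checked against. Both stay visible to auditing.
VALUES (SYSTEM_USER, SESSION_USER);

--    ... statements under investigation run here as APP_USER ...

--    Return to the connecting ID.
SET SESSION AUTHORIZATION = SYSTEM_USER;

-- 2. Trusted context
--    A role carrying only what the debugging work needs, bound to connections
--    that arrive from the application server's address under its system authid.
CREATE ROLE ROLE_APP_DEBUG;
GRANT SELECT ON TABLE APP.CUSTOMER TO ROLE ROLE_APP_DEBUG;

CREATE TRUSTED CONTEXT CTX_APP_DEBUG
  BASED UPON CONNECTION USING SYSTEM AUTHID APP_SRV
  ATTRIBUTES (ADDRESS '192.0.2.10')
  DEFAULT ROLE ROLE_APP_DEBUG
  ENABLE
  WITH USE FOR DBG_USER WITH AUTHENTICATION;

-- 3. Make both paths observable
--    Record grants/revokes (SECMAINT), authorization checks (CHECKING) and
--    statement context (CONTEXT), successes and failures alike.
CREATE AUDIT POLICY POL_IMPERSONATION
  CATEGORIES SECMAINT STATUS BOTH,
             CHECKING STATUS BOTH,
             CONTEXT  STATUS BOTH
  ERROR TYPE NORMAL;

AUDIT DATABASE USING POLICY POL_IMPERSONATION;
```

Both parts need someone with SECADM on the database, which is exactly the point of the answer: the switch exists, but it is granted per target user or per connection origin and is written to the audit log, so it is not a way around a missing privilege. Switching into a trusted context is done through the client driver's trusted-connection API rather than by an SQL statement; the SQL above only defines who is allowed to do so and with which role. The privilege set of ROLE_APP_DEBUG should stay at what the investigation needs; a debugging role does not need DBADM.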
