The instance owner can access the files because it has membership of
the owning group but I would have thought that the instance owner
would have owned all files in it's home directory. Does it matter?
Yes, it matters. The permissions on the files in the home directory are
there for good reasons. For example, db2ckpw is a suid root executable
under ~/sqllib/security: it needs to be suid root in order to read the
shadow password file when authenticating users. Likewise, db2chpw (same
location) needs to write to the shadow password file when changing a
I can't say what reasons db2start, db2stop, etc. have for being suid
root, but I'd be reasonably confident in predicting that they won't
work if changed :-).
One of the reasons db2start and db2stop need to be setuid-root is so
that you do not need to be the instance owner to start/stop the
instance. As long as you're a member in the SYSMAINT_GROUP (dbm
config param), you can issue the db2start/db2stop command, and the
start/stop code will verify the user is authorized to run the command,
then switch over to run as the instance-owning ID. There are also a
few other things done during db2start that require root, like setting
up ulimits, privileges, etc.
If you want to get away from setuid-root files, there's a new non-root
feature in 9.5. Using a non-root install, those files will be setuid-
instance_owner, instead of setuid-root. There are some limitations to
non-root instances though - search for 'non-root' in the 9.5
Information Center (or google 'non-root DB2') for more details.