on 10-07-2008 4:49 PM
I have received a complaint from the people responsible for the security of SAP data that redo log files have permission 755 (everyone can read from them).
I would like to get your input on the following:
- Is this a material risk? In other words, how "easy" would it be to reconstruct something meaningful out of the redo logs, provided that you know exactly in which tables certain business data is stored?
- This is apparently a SAP standard (can it be confirmed?). Are there plans with SAP, as of a certain release, to change this to a more secure file permission?
- Is there any risk in changing these permissions to something more restrictive, and what are the challenges?
Usually sapinst will implement the logfiles with permissions 640 (as with all data files as well)... so you'd change the permissions accordingly...
GreetZ, AH
Change it to 750.
Check with Oracle specialists. This is not really a SAP problem.
Change umask to 027 on a TST system and see what happens.
Hi,
"Everybody can read from them" - the redo logs are present inside the server, and access to the server is limited to the admin team, not to all. And online logs are in binary format; they can only be used by the standard Oracle installation services.
Online redo logs are part of the Oracle logging mechanism, and it requires those permissions. I've not yet seen anywhere SAP explicitly saying to give 755 permission to redo logs.
Hope this helps,
Debasis.
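The permission check discussed in the replies above, as an added example that is not part of any poster's message: it lists files more permissive than the 640 baseline mentioned in the thread and shows what `umask 027` does to newly created files. The directory layout and file names are constructed for the demo, and GNU `find` is assumed.

```shell
#!/bin/sh
# Added example: audit file modes under a redo log directory against 640.
# All paths and file names here are constructed sample data.

# Print "<octal mode> <path>" for each regular file under $1 that grants
# more than rw-r----- (owner x, group w/x, or any bit for "other").
audit_redo_perms() {
    find "$1" -type f -perm /0137 -printf '%m %p\n'
}

# Number of files that exceed the 640 baseline.
count_findings() {
    audit_redo_perms "$1" | wc -l | tr -d ' '
}

# Reset every finding to 640. Try this on a test system first, as the
# thread suggests, since the database owner and group must keep access.
tighten_redo_perms() {
    find "$1" -type f -perm /0137 -exec chmod 640 {} +
}

# Build a throwaway directory that mimics the situation in the thread.
make_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/logA" "$d/logB"
    # The reported case: world-readable and executable.
    : > "$d/logA/redo_a1.log"; chmod 755 "$d/logA/redo_a1.log"
    # Created under a typical default umask: 666 & ~022 = 644.
    ( umask 022; : > "$d/logA/redo_a2.log" )
    # Created under the suggested umask: 666 & ~027 = 640.
    ( umask 027; : > "$d/logB/redo_b1.log" )
    echo "$d"
}

demo_dir=$(make_demo)
echo "Files more permissive than 640:"
audit_redo_perms "$demo_dir"
tighten_redo_perms "$demo_dir"
echo "Findings after tightening: $(count_findings "$demo_dir")"
rm -rf "$demo_dir"
```
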