Permission on /usr/sap/<SID> Folder

sunny_pahuja2
Active Contributor
0 Kudos

Hi All,

I want to discuss the permissions on the /usr/sap/<SID> folder.

We faced a problem in the past: when we were trying to start SAP via the startsap script, the system was not able to start the database.

But if we started the database separately from SQL and then tried to start the SAP system, it started successfully. I did a root cause analysis and found that the system was trying to write a dynamic startdb.sql script in /usr/sap/<SID>/users/<sid>adm. But the permission on this directory was 700, and I changed the permission to 777 on /usr/sap/<SID>, and the system started successfully from the startsap script and was able to start the database.

But later on a colleague told me that 777 permission on /usr/sap/<sid> is not right, because due to that some IDocs got stuck in the system, as the permission on the file that exchanges ssh keys to application servers should be 600 but I set it to 777, as it lies in /usr/sap/<SID>/users/<sid>adm/.ssh/id_dsa

So, my questions are:

1) Could someone suggest what the right permission on this directory is, or does someone have an SAP Note or link where I can find the correct permission on this folder, or the permissions on other directories as well (like /usr/sap/<SID>/DVE... etc.)?

2) As per my knowledge, if we give a file or directory more permissions then it should not be a problem unless permissions are reduced.

Please suggest.

My database is Oracle 10.2.0.4 and OS is HP-UX IA64 11.23.

Thanks

Sunny

Accepted Solutions (1)

Former Member
0 Kudos

Hello,

your colleague is absolutely right. For security reasons ssh keys will only work if permissions are not granted too generously. Otherwise it would be easy to circumvent security.

What is a bit strange imho, is the home directory of your <sid>adm user. It seems to be /usr/sap/<SID>/users/<sid>adm. Never seen something like that. Was this a standard SAP installation? Why not choose for example /home/<sid>adm? Then ssh permissions will not cause any problems.

regards

sunny_pahuja2
Active Contributor
0 Kudos

Hi Joe,

All of our systems in the landscape, like BI, ECC, NW etc., have the home directory /usr/sap/<sid>/users/<sid>adm.

The HOME environment variable for the <sid>adm user is set to this value. That's why it is coming.

Is this not correct? Could you please explain a little bit more to give more clarity on this?

Thanks

Sunny

Former Member
0 Kudos

Not sure whether your home directories are correct.

But clearly it is not a good idea to have that long a path for your .ssh directory.

Details about ssh permissions may be found in the Unix manual pages for ssh or sshd.

But back to your original problem:

I don't think that you need 777 for the home directory of user <sid>adm, whatever the home directory is. 700 or maybe 755 should be sufficient, if <sid>adm is the owner. In this case both startsap and ssh should work.

If one of them doesn't work, then the cause must be permissions for some other directory.

regards

Edited by: Joe Bo. on Jul 20, 2009 11:28 AM

(755 added)

sunny_pahuja2
Active Contributor
0 Kudos

Could you please give me a link where I can find out about ssh permissions?

Thanks

Sunny

Former Member
0 Kudos

I haven't a link at hand, sorry.

But why not go to the Unix prompt and start with:

man ssh

Former Member
0 Kudos

PS:

In short: File /usr/sap/<SID>/users/<sid>adm/.ssh/id_dsa and all the directories in its path must not be writeable by anybody else but <sid>adm and root.
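The rule in the PS above can be audited with a short POSIX shell function. This is an added example, not part of the original thread; the function name `check_key_path` and its `TOP` and `OWNER` parameters are assumptions introduced here, and it parses `ls -ld` output because `stat` is not portable across Unix variants.

```shell
#!/bin/sh
# check_key_path KEY TOP OWNER   (hypothetical helper, added example)
#   KEY   private key file, e.g. /usr/sap/<SID>/users/<sid>adm/.ssh/id_dsa
#   TOP   highest directory to audit, e.g. /usr/sap/<SID>
#   OWNER account allowed to own each component besides root, e.g. <sid>adm
# Prints one line per finding; returns 0 if the path is clean, 1 otherwise.
check_key_path() {
    key=$1 top=$2 owner=$3 bad=0
    [ -f "$key" ] || { echo "FAIL $key is not a regular file"; return 1; }

    # The key file itself must grant nothing to group or other (mode 600).
    mode=$(ls -ld "$key" | awk '{print substr($1,1,10)}')
    case $mode in
        ????------) ;;
        *) echo "FAIL $mode $key (group/other access on key)"; bad=1 ;;
    esac

    # Walk from the key up to TOP, checking write bits and ownership.
    p=$key
    while :; do
        info=$(ls -ld "$p" | awk '{print substr($1,1,10), $3}')
        mode=${info% *} own=${info#* }
        case $mode in
            ?????w*|????????w*)   # char 6 = group write, char 9 = other write
                echo "FAIL $mode $p (writable by group or other)"; bad=1 ;;
        esac
        case $own in
            "$owner"|root) ;;
            *) echo "FAIL owner=$own $p"; bad=1 ;;
        esac
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && { echo "FAIL $top is not above $key"; return 1; }
        p=$(dirname "$p")
    done
    return $bad
}

# Run directly as: sh check_key_path.sh KEY TOP OWNER
if [ $# -eq 3 ]; then check_key_path "$@"; fi
```

With the 777 change described in the first post, every component under /usr/sap/<SID> would be reported; with 700 or 755 on the directories and 600 on the key, the function returns 0.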

Answers (0)