on 07-19-2009 8:36 PM
Hi All,
I want to discuss the permissions of the /usr/sap/<SID> folder.
We faced a problem in the past when we were trying to start SAP via the startsap script: the system was not able to start the database.
But if we started the database separately from SQL and then tried to start the SAP system, it started successfully. I did a root cause analysis and found that the system was trying to write a dynamic startdb.sql script in /usr/sap/<SID>/users/<sid>adm. But the permission on this directory was 700, and I changed the permission to 777 on /usr/sap/<SID>, and the system started successfully from the startsap script and was able to start the database.
But later on some colleague told me that 777 permission on /usr/sap/<sid> is not right, because of that some IDocs were stuck in the system, as the permission on the file that exchanges ssh keys with the application servers should be 600 but I set it to 777, as it lies in /usr/sap/<SID>/users/<sid>adm/.ssh/id_dsa
So, my questions are:
1) Could someone suggest what the right permission on this directory is, or does someone have an SAP note or link where I can find the correct permission on this folder and on other directories as well (like /usr/sap/<SID>/DVE... etc.)?
2) As per my knowledge, if we give a file or directory more permission then it should not be a problem unless permission will not be reduced.
Please suggest.
My database is Oracle 10.2.0.4 and OS is HP-UX IA64 11.23.
Thanks
Sunny
Hello,
your colleague is absolutely right. For security reasons ssh keys will only work if permissions are not granted too generously. Otherwise it would be easy to circumvent security.
What is a bit strange imho, is the home directory of your <sid>adm user. It seems to be /usr/sap/<SID>/users/<sid>adm. Never seen something like that. Was this a standard SAP installation? Why not choose for example /home/<sid>adm? Then ssh permissions will not cause any problems.
regards
Hi Joe,
All of our systems in the landscape, like BI, ECC, NW etc., have the home directory /usr/sap/<sid>/users/<sid>adm.
The HOME environment variable for the <sid>adm user is set to this value. That's why it is coming.
Is this not correct? Could you please explain a little bit more to give more clarity on this?
Thanks
Sunny
Not sure whether your home directories are correct.
But clearly it is not a good idea to have that long a path for your .ssh directory.
Details about ssh permissions may be found in the Unix manual pages for ssh or sshd.
But back to your original problem:
I don't think that you need 777 for the home directory of user <sid>adm, whatever the home directory is. 700 or maybe 755 should be sufficient, if <sid>adm is the owner. In this case both startsap and ssh should work.
If one of them doesn't work, then the cause must be permissions for some other directory.
regards
Edited by: Joe Bo. on Jul 20, 2009 11:28 AM
(755 added)
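Added example, not part of any post in this thread and not SAP or OpenSSH code: a portable shell audit of the three modes the thread is about. It flags what OpenSSH objects to (sshd with StrictModes refuses a group- or world-writable home or .ssh directory, and the ssh client refuses a private key that group or others can access). The function names and the demo path are hypothetical, and the demo tree is constructed.

```shell
# Added example: audit the modes discussed in the thread, using ls -ld (no stat needed).

# mode_of PATH: print the 10-character mode string, e.g. drwx------
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# True if group or others may write to PATH (mode & 022).
loose_write() {
    case "$(mode_of "$1")" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# True if group or others have any access at all to PATH (mode & 077).
any_group_other() {
    case "$(mode_of "$1")" in
        ????------*) return 1 ;;
    esac
    return 0
}

# audit_home HOME [KEYFILE]: print findings, return how many there were.
audit_home() {
    home=$1; key=${2:-id_dsa}; bad=0
    [ -d "$home" ] || { echo "MISSING $home"; return 1; }
    for d in "$home" "$home/.ssh"; do
        if [ -d "$d" ] && loose_write "$d"; then
            echo "FAIL $d ($(mode_of "$d")): group/world-writable"
            bad=$((bad + 1))
        fi
    done
    if [ -f "$home/.ssh/$key" ] && any_group_other "$home/.ssh/$key"; then
        echo "FAIL $home/.ssh/$key: group/others can access the private key"
        bad=$((bad + 1))
    fi
    [ "$bad" -ne 0 ] || echo "OK $home"
    return "$bad"
}

# Constructed demo tree (not a real SAP system): the 777 state, then the fix.
demo() {
    t=$(mktemp -d); h="$t/usr/sap/SID/users/sidadm"
    mkdir -p "$h/.ssh"; : > "$h/.ssh/id_dsa"
    chmod -R 777 "$t"
    rc=0; audit_home "$h" || rc=$?; echo "findings: $rc"
    chmod 700 "$h" "$h/.ssh"; chmod 600 "$h/.ssh/id_dsa"
    rc=0; audit_home "$h" || rc=$?; echo "findings: $rc"
    rm -rf "$t"
}
demo
```

The audit looks only at mode bits; ownership of the directories and the key by <sid>adm has to be checked separately.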