Risk of Users having Access to RSBDCOS0

Former Member
0 Kudos

Hi all. I'm carrying out a security review. I know that it allows users to input UNIX commands but was wondering what the risk was associated with this and what damage could be done?

Thanks

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi John,

It lets you run commands on the server using the permissions of the user that SAP uses to interact with the server. Basically you can trash the FS and the DB with the standard permissions for the user.

4 REPLIES

0 Kudos

Thanks. How do you find out what user this is or is it one of the standard service accounts? What does FS stand for?

0 Kudos

Sorry, FS is the file system on the OS. Generally the SAP user (<SID>ADM) will have access to a specific set of files and directories which are required for the operation of the SAP system. How the user is set up will ultimately define how much damage could potentially be caused by exploiting its permissions through an OS command from SAP.

Former Member
0 Kudos

The report can be run from anywhere but makes the same checks as SM69 etc.

You need to concentrate on the application authorizations of the users (all of them). Particularly S_RZL_ADM (very blunt) and S_LOG_COM (which provides some degree of granularity).

A developer can also use DATASET commands and CALL 'SYSTEM' to achieve the same, so add all aspects of S_DEVELOP to the list as well.

If you set your gateway control files to "local" or "internal" only then the risk is transferred to the application layer (hence, the 3 above mentioned auth objects).

That leaves only Z* and Y* and /* programs as the "blackbox". It makes sense to check them as well....

Cheers,

Julius
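As an added illustration of the review Julius outlines (this is example code written for this page, not code from the original thread or from SAP), the Python script below takes a constructed gateway secinfo fragment and a constructed list of user authorization values, and flags two things: permit lines in the gateway ACL that are not limited to "local" or "internal" hosts, and users whose S_RZL_ADM, S_LOG_COM or S_DEVELOP values would let them reach the OS from the application layer. The authorization object and field names are the standard SAP ones; the user names, host names, file content and the exact thresholds chosen for flagging are assumptions made for the example.

```python
"""Review helper: gateway ACL and OS-command-related authorizations (constructed data)."""
from collections import defaultdict

# Constructed secinfo content in the VERSION=2 key=value syntax. Not taken from a real system.
SECINFO = """\
#VERSION=2
P TP=* USER=* HOST=local
P TP=sapxpg USER=* HOST=internal
P TP=* USER=* HOST=*
D TP=* USER=* HOST=*
"""

# Constructed authorization assignments: (user, authorization object, field values).
AUTHS = [
    ("BASIS1", "S_RZL_ADM", {"ACTVT": "01"}),
    ("BASIS1", "S_LOG_COM", {"COMMAND": "*", "OPSYSTEM": "*", "HOST": "*"}),
    ("DEV1", "S_DEVELOP", {"DEVCLASS": "*", "OBJTYPE": "PROG", "OBJNAME": "*",
                           "P_GROUP": "*", "ACTVT": "02"}),
    ("AUDIT1", "S_RZL_ADM", {"ACTVT": "03"}),
    ("AUDIT1", "S_LOG_COM", {"COMMAND": "DF", "OPSYSTEM": "UNIX", "HOST": "app01"}),
]


def parse_secinfo(text):
    """Turn VERSION=2 style lines into dicts with the rule type (P/D) and its key=value attributes."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(" ")
        attrs = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        rules.append({"line": lineno, "rule": kind, **attrs})
    return rules


def permissive_gateway_rules(text):
    """Permit rules whose HOST is neither 'local' nor 'internal' and contains a wildcard."""
    flagged = []
    for rule in parse_secinfo(text):
        if rule["rule"] != "P":
            continue
        host = rule.get("HOST", "*")
        if host.lower() in ("local", "internal"):
            continue
        if "*" in host:
            flagged.append(rule)
    return flagged


def os_command_exposure(auths):
    """Map user -> reasons why the user can reach the OS layer through the three auth objects."""
    findings = defaultdict(list)
    for user, obj, fields in auths:
        if obj == "S_RZL_ADM" and fields.get("ACTVT") == "01":
            findings[user].append("S_RZL_ADM ACTVT=01: administer external OS commands")
        elif obj == "S_LOG_COM" and any(fields.get(f, "*") == "*" for f in ("COMMAND", "HOST")):
            findings[user].append("S_LOG_COM with wildcard COMMAND/HOST: unrestricted logical commands")
        elif (obj == "S_DEVELOP" and fields.get("OBJTYPE") in ("PROG", "*")
              and fields.get("ACTVT") in ("01", "02", "*")):
            findings[user].append("S_DEVELOP create/change on programs: can write ABAP that calls the OS")
    return dict(findings)


if __name__ == "__main__":
    for rule in permissive_gateway_rules(SECINFO):
        print(f"secinfo line {rule['line']}: permit rule not limited to local/internal hosts: {rule}")
    for user, reasons in os_command_exposure(AUTHS).items():
        print(f"{user}: " + "; ".join(reasons))
```

In a real review the two inputs would be the system's actual secinfo/reginfo files and an export of the user-to-authorization-value assignments; the point of the example is that the gateway check and the application-layer check belong together, since tightening one only moves the exposure to the other.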