
SAP system access for UNIX root id

Former Member

Hi All

I am working with auditor and the question came about UNIX root access.

My question is, can someone with UNIX root access gain access to the SAP system through a backdoor? If yes, how do we secure it?

Thanks.

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert

Well, what can an UNIX user with uid 0 do ...?

He can impersonate any other user (su), change ownership (chown) and access rights of files (chmod) and therefore replace any files (including executables of an application server). In other words: he can do everything which impacts the overall security of the entire system.

That affects all applications running on that UNIX server, including the DBMS and an SAP application server (ABAP / Java / ...).

Actually he could even modify the UNIX kernel ...

So, one who knows the password of a UNIX user with uid 0 (i.e. "root" or any "root alias") is extremely powerful and only limited by his technical skills and/or his loyalty (whichever limit is reached first).

Cheers, Wolfgang

5 REPLIES

tim_alsop
Active Contributor

Julio,

I suggest you look closely at who has root access to your production servers, what methods you use to logon to systems as root (e.g. you might only allow root logon from server console) and ensure that root passwords are NOT shared, and root access is tightly controlled, and audited. I have seen some companies use products where every command entered by somebody logged on as root is written to a secure log (e.g. one which cannot be changed to allow somebody to cover up their mistakes). You may not want to invest in such a product, but instead just make sure when somebody logs onto a system as root that you know who it was/is, and that they are a trusted sys admin, and not somebody less trusted logging on as root because they have discovered what the root password is. Basically, if root access is used to damage your system you need to be sure that you can find the person who logged on, and that you can find out what they did to repair it quickly.

I hope this helps?

Thanks,

Tim

Thomas_Berger
Participant

With su - <sid>adm the root user can change his session to the <sid>adm session.

After that he can connect without a password (sqlplus '/ as sysdba') to the Oracle database as sysdba! When the SAP parameter login/no_automatic_user_sapstar is not = 0 you have a problem.

thomas


Thomas,

A user logged on as root can do even more damage if they like. e.g.

  1. cd /

  2. rm -rf *

A denial-of-service attack?

Hence, the reason why it is very very very important to control who can log onto root user account, and when somebody is logged on as root you need to trust them and control what they can and cannot do.

Thanks again,

Tim

WolfgangJanzen
Product and Topic Expert

I'm with Tim: when you cannot apply technical restrictions / control mechanisms you have to deploy organizational restrictions / control mechanisms.

Regards, Wolfgang

PS: please keep in mind that "root" may not be the only UNIX user with UID = 0 ...
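Two of the checks this thread points at can be scripted. Wolfgang's PS (root may not be the only UID 0 account) and Thomas's note about the login/no_automatic_user_sapstar parameter both boil down to reading a file and looking for one value. The script below is an added example written for this page; it is not code from the thread, from SAP, or from any SAP tool. It assumes a passwd-format file (name:passwd:uid:gid:gecos:home:shell) and an SAP instance profile written as simple "key = value" lines with "#" comments; the sample files it builds are constructed, and the paths you would point it at on a real host (/etc/passwd and the profile directory under /sapmnt) are the usual locations, not something the thread states. SAP documents the value 1 for login/no_automatic_user_sapstar as the setting that deactivates the automatic SAP* user, so that is what the audit function expects.

```shell
#!/bin/sh
# Added example (not from the thread or from SAP): two defender-side audit checks.
#  1) list every account with UID 0 from a passwd-format file
#  2) read login/no_automatic_user_sapstar from an SAP instance profile
# Both functions take a file path so they can run against the constructed
# sample files below or against real files (e.g. /etc/passwd, /sapmnt/<SID>/profile/*).

# Print the login name of every account whose UID field is 0, one per line.
find_uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print the effective value of login/no_automatic_user_sapstar from a profile.
# Later assignments override earlier ones; "#" lines are comments (assumption:
# simple "key = value" syntax). Prints "unset" when the parameter is absent.
sapstar_param_value() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*login\/no_automatic_user_sapstar[ \t]*$/ {
            gsub(/[ \t]/, "", $2); v = $2
        }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Run both checks. Returns 0 only when "root" is the sole UID-0 account and the
# parameter is 1 (the value SAP documents as deactivating the automatic SAP* user);
# otherwise prints one FINDING line per problem and returns 1.
audit_root_and_sapstar() {
    passwd_file=$1; profile_file=$2; rc=0
    uid0=$(find_uid0_accounts "$passwd_file")
    count=$(printf '%s\n' "$uid0" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ] || [ "$uid0" != "root" ]; then
        echo "FINDING: UID 0 accounts: $(printf '%s' "$uid0" | tr '\n' ' ')"; rc=1
    fi
    val=$(sapstar_param_value "$profile_file")
    if [ "$val" != "1" ]; then
        echo "FINDING: login/no_automatic_user_sapstar is $val (expected 1)"; rc=1
    fi
    return $rc
}

# Constructed sample input (not from any real system): a second UID-0 alias "toor"
# and a profile that leaves the SAP* parameter at 0.
SAMPLE_PASSWD=$(mktemp); SAMPLE_PROFILE=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_PROFILE"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:root alias:/root:/bin/sh
prdadm:x:1001:1001:SAP System Administrator:/home/prdadm:/bin/csh
oraprd:x:1002:1002:Oracle owner:/oracle/PRD:/bin/sh
EOF
cat > "$SAMPLE_PROFILE" <<'EOF'
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 0
EOF

# Expected on the sample: two FINDING lines and a non-zero return.
audit_root_and_sapstar "$SAMPLE_PASSWD" "$SAMPLE_PROFILE" || echo "audit: findings reported"
```

Run it as-is to see the two findings on the sample data, or call audit_root_and_sapstar with a real passwd file and profile from a cron job so that a new UID-0 alias or a reverted parameter shows up the next morning rather than at the next audit. The passwd check is deliberately independent of the account name, which is what catches the "root alias" case Wolfgang raises.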