Vulnerability AIX server (GROUPS/USERS) and SAP Systems ?

# 1  
Old 09-29-2009

I hope you can understand me, although my English is not so good.
I have a problem. I have installed 4 SAP Systems with different releases on the same server (AIX). Each SAP system has got its own operating system user through the installation. But all users belong to the group SAPSYS. So in other SAP users to inventory the existing look or read files. Here's my question: How do I implement it that the group SAPSYS will not be deleted but the user can't read or look of any other system-dependent files? It should be borne in mind that I may not use any other right structure for the files because the SAP system would not run otherwise. How can I add the group SAPSYS for all SAP Systems, without that the user of the same group can read other Systemfiles? May sound silly but it's a real problem.
Thanks in advance for your answers.

# 2  
Old 10-04-2009
Are all your 4 SAP environments writing into the same directory? Or into 4 different directories that are just 'owned' by the same group?

In the first case I don't know a solution for you except on a per-file basis, but that will be a real bad amount of ongoing work.
In the second case, create 4 additional groups SAPSYS1 SAPSYS2 SAPSYS3 SAPSYS4 and work with ACL lists ... allow and forbid access to the directories according to the environments that are writing into them. Since the most restrictive permission always wins, only the users that are allowed to access due to the secondary group will be allowed to access the corresponding directory. If you want e.g. root to read all of them, just don't put the user into the subgroups.

Hope that helps
# 3  
Old 10-05-2009
I do not know a solution for your problem Muhammet, but I'd be cautious when implementing one. Your SAP systems need to read other system files, like /etc/services, which do not belong to group sapsys, to work properly.
# 4  
Old 10-05-2009
Originally Posted by momok1976
How can I add the group SAPSYS for all SAP Systems, without that the user of the same group can read other Systemfiles?
Let's see if I have understood you correctly:

You have 4 instances of SAP on one system with 4 different system users. All the system users belong to group SAPSYS, but shouldn't be able to access the system files of the other installations.

The classic UNIX solution would be: remove the read/write access for the group from the top directories of the installations. You won't have to change anything else because rights are inherited top-down: if a user can't access a directory he can't access its subdirectories even if they would allow this by their own file mode.

When you are finished it should look like the following sketch. sap1-4 are the sap users for instance1-4:

root@your.system:/usr/sap$ ls -l
total 16
drwx------ 2 sap1 sapsys 4096 2009-10-06 01:25 instance1
drwx------ 2 sap2 sapsys 4096 2009-10-06 01:25 instance2
drwx------ 2 sap3 sapsys 4096 2009-10-06 01:25 instance3
drwx------ 2 sap4 sapsys 4096 2009-10-06 01:25 instance4

I hope this helps.
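
An added example, not part of any post in this thread: a POSIX shell check for the layout sketched in the last reply. It reports top-level instance directories whose mode is anything other than owner-only and can set them to `drwx------`. The function names and the directory passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative;
# the base directory is whatever holds the per-instance top directories.

# Print each immediate subdirectory of $1 whose mode grants anything to
# group or other, i.e. anything looser than drwx------.
audit_instance_dirs() {
    base=$1
    for d in "$base"/*/; do
        [ -d "$d" ] || continue            # glob matched nothing
        d=${d%/}
        if [ -L "$d" ]; then continue; fi  # do not follow symlinks
        # Mode string from ls -ld, e.g. drwxr-x---; cut drops any ACL marker
        mode=$(ls -ld "$d" | cut -c1-10)
        go=$(printf '%s' "$mode" | cut -c5-10)   # group + other bits
        if [ "$go" != "------" ]; then
            printf '%s %s\n' "$mode" "$d"
        fi
    done
}

# Apply owner-only access to each top directory. Files below keep their
# own modes; without search (x) permission on the top directory, other
# members of the shared group cannot reach them by path.
lock_instance_dirs() {
    base=$1
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        if [ -L "$d" ]; then continue; fi
        chmod 700 "$d"
    done
}

# Read-only audit when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_instance_dirs "$1"
fi
```

Run the audit first and review its output before locking anything; the caution in reply #3 about files the SAP systems must read outside these directories still applies.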
