Authorizations for Starting External Programs 
You can prevent unauthorized starting of external programs either by maintaining the secinfo file in the data directory of the gateway instance or by setting the gw/rem_start profile parameter.
For more information, see: Parameterization of the SAP Gateway
Caution
This file is not available in the standard system, which means that all programs can be started by any user. Unauthorized users who can reach the SAP gateway over the network can then execute any operating system command on the SAP system.
If this file is available but does not contain any entries, no program at all can be started.
Successful and rejected calls can be determined using Gateway Logging with indicator S.
Recommendation
To control access to external programs, we strongly recommend a secinfo configuration of the SAP system.
Parameter gw/sec_info must be set to the path of the secinfo file so that the gateway can find the secinfo file in the right place.
For more information, see: Maintain file secinfo in data directory of the gateway instance, or set parameter gw/sec_info.
The syntax of the entries is as follows:
Syntax
USER=<user>, [PWD=<pwd>,] [USER-HOST=<user_host>,] HOST=<host>,TP=<tp>
As separators you can use commas or spaces. If the TP name itself contains spaces, you have to use commas instead.
Use a line of this format to allow the user <user> to start the <tp> program on the host <host>.
The level of authorization checking performed can be increased by specifying PWD and/or USER-HOST.
Example
USER=mueller, HOST=hw1414, TP=test: The user mueller can execute the test program on the host hw1414.
USER=hugo, PWD=pass, USER-HOST=hw1234, HOST=hw1414, TP=prog: The user hugo can execute the prog program on the host hw1414, as long as he logged on to the Gateway from host hw1234 and used the CPI-C call CMSCSP to set the security password to pass.
If the user has used the CMSCSU call to set the security user, then this is also used for checking.
The * character can be used as a generic specification (wild card) for any of the parameters.
If PWD or USER-HOST is not specified, the value * is assumed for it.
Example
All users should be allowed to execute the test program on the host hw1414:
USER=*, HOST=hw1414, TP=test
The syntax described here does not allow programs to be explicitly forbidden from being started. As an alternative, you can therefore use a syntax modeled on the route permission table of the SAProuter. If you use this syntax, the whole file must be structured accordingly and the first line must contain the entry #VERSION=2 (written exactly like this, in upper case).
Syntax
P|D USER=<user>, [PWD=<pwd>,] [USER-HOST=<user_host>,] HOST=<host>,TP=<tp>
A line starting with P or D, followed by a space or a TAB, has the following meaning:
P means that the program is permitted to be started (the same as a line in the old syntax).
D prevents this program from being started.
Below you can find an example.
You can display the current list of security entries using the SAP Gateway Monitor and you can update this display at any time.
Example of a secinfo file in new syntax
#VERSION=2
D HOST=* USER=* TP=/bin/sap/cpict4
P HOST=* USER=* TP=/bin/sap/cpict*
P TP=hugo PWD=secret HOST=local USER=*
This file means:
Program cpict4 is not permitted to be started.
All other programs whose names start with cpict are allowed to be started (on every host and by every user).
Program hugo is allowed to be started with password secret on every local host and by every user.
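The following Python evaluator is added here as an illustration of the secinfo rules described on this page; it is not SAP's documentation code and not the gateway's implementation. It applies both syntaxes (old, and #VERSION=2 with P/D), the default * for PWD and USER-HOST, comma or space separators, and the "present but empty file permits nothing" rule to a start request; treating * as a prefix/infix wildcard (as the cpict* example implies) and "first matching line decides" for #VERSION=2 files are assumptions, as are all sample values.

```python
import re

FIELDS = ("USER", "PWD", "USER-HOST", "HOST", "TP")


def _match(pattern: str, value: str) -> bool:
    # '*' is the only wildcard and stands for any run of characters, so
    # TP=/bin/sap/cpict* covers every program whose name starts with cpict.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def parse_secinfo(text: str) -> list:
    """Return [(permit, fields), ...] from secinfo text in old or #VERSION=2
    syntax; permit is False only for D lines. Raises ValueError on bad lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    version2 = bool(lines) and lines[0] == "#VERSION=2"
    rules = []
    for line in lines[1:] if version2 else lines:
        permit = True
        if version2:  # leading P or D, then a space or TAB
            parts = line.split(None, 1)
            if len(parts) != 2 or parts[0] not in ("P", "D"):
                raise ValueError(f"expected P or D prefix: {line!r}")
            permit, line = parts[0] == "P", parts[1]
        # commas or spaces separate entries (commas when a TP name has spaces)
        tokens = [t.strip() for t in line.split(",")] if "," in line else line.split()
        fields = {"PWD": "*", "USER-HOST": "*"}  # unspecified -> '*'
        for tok in filter(None, tokens):
            key, sep, val = tok.partition("=")
            if key not in FIELDS or not sep or not val:
                raise ValueError(f"bad entry {tok!r} in {line!r}")
            fields[key] = val
        if not all(k in fields for k in ("USER", "HOST", "TP")):
            raise ValueError(f"USER, HOST and TP are mandatory: {line!r}")
        rules.append((permit, fields))
    return rules


def may_start(secinfo: str, user: str, user_host: str, host: str, tp: str,
              pwd: str = "") -> bool:
    """Decide whether user (the logon user, or the CMSCSU security user if set),
    connected from user_host, may start tp on host; pwd is the CMSCSP security
    password ("" if none). An existing but empty secinfo permits nothing. Assumed
    (not stated on the page): in #VERSION=2 files the first matching line wins."""
    request = {"USER": user, "PWD": pwd, "USER-HOST": user_host, "HOST": host, "TP": tp}
    for permit, fields in parse_secinfo(secinfo):
        if all(_match(fields[k], request[k]) for k in FIELDS):
            return permit
    return False
```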