SUID/SGID programs

The SUID/SGID property gives programs extended privileges that exceed the privileges possessed by the caller.

Every UNIX system contains a large number of these programs for administrative purposes. These programs may contain known errors that unauthorized users may be able to take advantage of in order to assign new access rights to themselves.

For example, the SENDMAIL program is such a SUID program. We recommend that you only use versions of SENDMAIL (or similar SUID programs) in which known errors have been corrected.

Password file (passwd)

Although UNIX hashes passwords before storing them in this file, a user could use a dictionary-attack program to discover password information contained in this file.

You can improve security by using a shadow password file that allows only the user root to access the password information.

BSD services rlogin and remsh/rsh,

These services permit remote access to UNIX machines. At logon, the files /etc/host.equiv and $HOME/.rhosts are checked. If either of these files contains the hostname or the IP address of the connection originator or a wildcard character (+), then the user can log on without having to supply a password.

Be aware that the UNIX services for rlogin and remsh/rsh are especially dangerous in regard to security. We recommend that you deactivate these services in the inetd.conffile unless you need them for specific purposes. In most cases, you can use secure alternatives like SSH as a drop-in replacement.

Network Information System (NIS)

You can use the Network Information System (NIS) to manage user data and passwords centrally. This service allows every UNIX machine in a local area network to read the password file using the ypcat passwd command, including password hashes. Secure alternatives can be LDAP (with SSL/TLS) or Kerberos.

Network File System (NFS)

This service makes directories available across the network. It is a service that is also frequently used in the SAP system environment to make transport and work directories accessible over the network.

There are certain security risks involved when using these services and you should take special precautions. Be careful when determining which directories should be made available. Do not export directories that contain SAP data to arbitrary recipients using NFS. Export to known and “trustworthy” systems only. Be careful when assigning write authorization for NFS paths and avoid distributing the home directories of users across NFS.

NFS security is host-based, i.e. it connects trusted hosts (in contrast to SMB, which has user-based security) which have to ensure that user permissions are enforced (for example, the local root user on any of the allowed NFS clients can bypass any NFS file permissions by impersonating the user owning the file). The maximum security that can be established with NFSv3 is a DNS (reverse) lookup check of the NFS client. With NFSv4, eg. Kerberos can be used to authenticate the NFS clients in a more secure way. However, the user impersonation issue persists.

X Windows

There are security issues involved with the use of X Windows. Therefore, for an SAP system installation, check if you need to have the corresponding X server running on an SAP application server. If not, then disable this service. Otherwise, take precautions according to your vendor to protect this service. On Linux, X is started with -nolisten tcp by default, which avoids these issues.

Summary

To summarize the precautions that you must take, especially pertaining to NIS, NFS and the BSD remote services, adhere to the following guidelines: