There are certain precautions to take when using any of the following properties, files or services:
SUID/SGID programs
The SUID/SGID property gives programs extended privileges that exceed the privileges possessed by the caller.
Every UNIX system contains a large number of these programs for administrative purposes. These programs may contain known errors that unauthorized users may be able to take advantage of in order to assign new access rights to themselves.
For example, the SENDMAIL
program is such a SUID program. We recommend that you only use versions of SENDMAIL
(or similar SUID programs) in which known errors have been corrected.
Password file (passwd
)
Although UNIX hashes passwords before storing them in this file, a user could use a dictionary-attack program to discover password information contained in this file.
You can improve security by using a shadow password file that allows only the user root
to access the password information.
BSD services rlogin
and remsh/rsh
,
These services permit remote access to UNIX machines. At logon, the files /etc/host.equiv
and $HOME/.rhosts
are checked. If either of these files contains the hostname or the IP address of the connection originator or a wildcard character (+
), then the user can log on without having to supply a password.
Be aware that the UNIX services for rlogin
and remsh/rsh
are especially dangerous in regard to security. We recommend that you deactivate these services in the inetd.conffile
unless you need them for specific purposes. In most cases, you can use secure alternatives like SSH as a drop-in replacement.
Network Information System (NIS)
You can use the Network Information System (NIS) to manage user data and passwords centrally. This service allows every UNIX machine in a local area network to read the password file using the ypcat passwd
command, including password hashes. Secure alternatives can be LDAP (with SSL/TLS) or Kerberos.
Network File System (NFS)
This service makes directories available across the network. It is a service that is also frequently used in the SAP system environment to make transport and work directories accessible over the network.
There are certain security risks involved when using these services and you should take special precautions. Be careful when determining which directories should be made available. Do not export directories that contain SAP data to arbitrary recipients using NFS. Export to known and “trustworthy” systems only. Be careful when assigning write authorization for NFS paths and avoid distributing the home directories of users across NFS.
NFS security is host-based, i.e. it connects trusted hosts (in contrast to SMB, which has user-based security) which have to ensure that user permissions are enforced (for example, the local root
user on any of the allowed NFS clients can bypass any NFS file permissions by impersonating the user owning the file). The maximum security that can be established with NFSv3 is a DNS (reverse) lookup check of the NFS client. With NFSv4, eg. Kerberos can be used to authenticate the NFS clients in a more secure way. However, the user impersonation issue persists.
X Windows
There are security issues involved with the use of X Windows. Therefore, for an SAP system installation, check if you need to have the corresponding X server running on an SAP application server. If not, then disable this service. Otherwise, take precautions according to your vendor to protect this service. On Linux, X is started with -nolisten tcp
by default, which avoids these issues.
Summary
To summarize the precautions that you must take, especially pertaining to NIS, NFS and the BSD remote services, adhere to the following guidelines:
Disable any services that you do not need.
To ensure a safe environment when using any of these services, follow the instructions of your OS vendor. Also use tools for monitoring activities to help you detect potential misuse of these services.
If you do use these services, then use them only within a secure LAN.
Do not export directories that contain SAP data to arbitrary recipients using NFS. Export to “trustworthy” systems only.
Protect the following users: root
, <sid>adm
and <db><sid>
. These users should be the only users that exist on your application servers and your main instance at the operating system level. After installation, you must lock <db><sid>
on your application servers.
For critical users, empty the .rhosts
files and assign it the 000
permissions.
Either delete the file /etc/hosts.equiv
or make sure that it is empty.
Keep your operating system up to date regarding security-related patches that are released by your operating system vendor!