SAP R/3 work processes create files that are readable and writeable by all unix users (file permissions -rw-rw-rw- ) since the work processes ignore the umask setting for the
umask, chmod, file-permission, file-protection
- 1. Batch protocols, spool data and other "TemSe objects".
----------------------------------------------------------
The umask used by the TemSe object management system with R/3 is set by the R/3 profile parameter 'install/umask'. And for your release it is true: as long as this parameter is not set, it defaults to '000'.
I am not happy with that, but it was implemented like that, because many other customers did not think about the UNIX user ids they were using for starting application servers. (In release 3.0 the default was changed to '077'.)
Many customers I talked to did not think about protection at all. And the others had done a chmod 700 /usr/sap/C11/SYS/global
In normal cases all TemSe files are in directories /usr/sap/C11/SYS/global/
- 2. SAP-Trace:
--------------
/usr/sap/C11/D*/log/TRACE*
Profile parameter 'install/umask' is also used here.
- 3. SysLog:
-----------
The central syslog and all the status files are created using '133'. That is not modifiable. If you want to read-protect the global syslog, you have to protect /usr/sap/C11/SYS/global.
The local syslog files are created with profile parameter 'install/umask'.
- 4. "developer traces"
----------------------
All the files /usr/sap/C11/D*/work/dev_* are created with umask '111'. But as long as your trace level is low ("rdisp/TRACE=1"), they don't contain dangerous data.
Set profile parameter "install/umask = 077".
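
The umask values named above, worked through in the shell, as an added example that is not part of the original note: it computes the mode each umask yields and lists which of the resulting files other UNIX users can read or write. The function names and the scratch directory are assumptions made for the illustration, as is the creation mode 0666 (taken from the -rw-rw-rw- result reported for umask '000').

```shell
#!/bin/sh
# Added example (not from the original note). Assumption: files are opened
# with creation mode 0666, so the resulting mode is 0666 & ~umask.

# Print the mode a new file gets under the umask given as $1 (octal).
mode_for_umask() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# Create an empty file $3 in directory $1 with umask $2; the subshell
# keeps the umask change from leaking into the caller.
create_with_umask() {
    ( umask "$2" && : > "$1/$3" )
}

# List regular files under $1 that "other" users can read or write.
world_accessible() {
    find "$1" -type f \( -perm -004 -o -perm -002 \) -print
}

# Demo on a constructed scratch directory, one file per umask in the note.
demo() {
    dir=$(mktemp -d) || return 1
    for m in 000 077 133 111; do
        create_with_umask "$dir" "$m" "file_$m"
        echo "umask $m -> mode $(mode_for_umask "$m")"
    done
    echo "readable or writable by other users:"
    world_accessible "$dir" | sort
    rm -rf "$dir"
}

demo
```

Only the file created under '077' stays out of the listing. A umask applies at file creation only, so files written before the parameter is changed keep their old mode until they are chmod'ed or recreated.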