April 2014
Introduction
This paper provides instructions and best practices for configuring sudo so that direct access to the
software owner account oracle on Oracle Solaris is restricted, which makes the SAP system more
secure. The document applies to SAP installations where the Oracle software is owned by the OS user
oracle (that is, an Oracle installation with Oracle Database 11g Release 2 [11.2]).
In SAP environments, ora<sid> is the Oracle administration user; in Oracle environments, the standard
is to configure the user oracle as the software owner.
The goal of this configuration is to restrict access to the software owner oracle to the users who
are responsible for installing and patching the Oracle software. Database administrators should use
their own dedicated OS accounts to administer databases. The software owner oracle should be used
only for installing and patching Oracle homes, not for database administration tasks.
The solution described in this white paper covers the sudo configuration for Oracle Solaris 10 and
11 on the x86 and SPARC platforms. SAP Note 1930298 (Restricting Access to Software Owner 'oracle')
describes the corresponding solution for the Linux platform.
The Oracle Database Installation Guide (available for download at http://docs.oracle.com/cd/
E11882_01/install.112/e48357.pdf) provides instructions about how to install and configure Oracle
Database for Oracle Solaris on SPARC (64-Bit) and for Oracle Solaris on x86-64 (64 Bit).
Solutions
The sudo command allows a permitted user to execute a command as the superuser or as another user,
as specified by the security policy in the sudoers file. Depending on the version and platform of
Oracle Solaris, additional OS packages may be required.
The sudo configuration described in this document allows selected users to switch to the oracle
user without having to provide the password of the oracle account. In this example, two OS accounts
(ora<inst1> and ora<inst2>) are granted access to oracle via sudo in order to perform Oracle
software installation and patching tasks. The other database OS accounts, ora<dbsid1> and
ora<dbsid2> (the database administrator accounts), are not allowed to manage or change the Oracle
software; they can only manage Oracle databases. Table 1 summarizes the OS accounts used as examples
in this document.
TABLE 1. OS ACCOUNTS USED AS EXAMPLES
OS USER        MANAGE ORACLE SOFTWARE    MANAGE DATABASES
oracle         software owner            -
ora<inst1>     with sudo                 -
ora<inst2>     with sudo                 -
ora<dbsid1>    -                         manage <DBSID1>
ora<dbsid2>    -                         manage <DBSID2>
4. Lock the oracle user account. By locking the oracle account you ensure that only the superuser
or the configured sudo users can become oracle. Locking the account prevents oracle from logging
in directly through any login service (for example, ssh, ftp, telnet and sftp).
root# passwd -l oracle
Locking password for user oracle.
passwd: Success
a) Additionally, deny SSH logins for oracle in /etc/ssh/sshd_config. DenyUsers rejects the login
regardless of the authentication method, including public-key authentication; restart the ssh service
afterwards (svcadm restart ssh) for the change to take effect.
DenyUsers oracle
# Syntax for 2 or more users: DenyUsers user1 user2 oracle
Actually, when you lock the oracle user by running the command passwd -l oracle, you
don't need to configure a separate sshd_config anymore. If you use this, your system is safe.
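As an added example (not code from the Oracle paper or the SAP Note), the following POSIX shell script ties the steps of the procedure together: it checks whether the oracle account is locked, renders the /etc/sudoers fragment that lets the installation accounts run sudo su - oracle without a password, checks which logins the fragment admits, and runs the fragment through visudo before it is installed. The account names orainst1, orainst2 and oradb1 (standing in for ora<inst1>, ora<inst2> and ora<dbsid1>), the alias names ORA_INSTALLERS and BECOME_ORACLE, the shadow lines and the su path /usr/bin/su are assumptions of this example.

```shell
#!/bin/sh
# Added example for the procedure above (lock oracle, deny SSH, grant sudo
# access to the installer accounts). Not code from the Oracle paper or the
# SAP Note. Assumptions: installer accounts orainst1 and orainst2, DBA
# account oradb1 (placeholders for ora<inst1>, ora<inst2>, ora<dbsid1>),
# alias names ORA_INSTALLERS / BECOME_ORACLE, and su at /usr/bin/su.

# Check 1: is an account locked? Takes one /etc/shadow line. Solaris
# 'passwd -l' puts *LK* in front of the password field; Linux prepends '!'.
# Returns 0 (true) when the account is locked, 1 otherwise.
account_locked() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '*LK*'*|'!'*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Render the /etc/sudoers fragment. The installers may run exactly
# 'su - oracle' as root, and nothing else, without a password. The DBA
# accounts are simply absent from the alias, so sudo refuses them.
# Argument: space-separated login names of the installer accounts.
sudoers_fragment() {
    members=$(printf '%s' "$1" | tr ' ' ',')
    cat <<EOF
# Access to the Oracle software owner: installation and patching only.
User_Alias ORA_INSTALLERS = $members
Cmnd_Alias BECOME_ORACLE = /usr/bin/su - oracle
ORA_INSTALLERS ALL = (root) NOPASSWD: BECOME_ORACLE
EOF
}

# Check 2: is a login a member of the ORA_INSTALLERS alias? Reads the
# fragment on stdin. Returns 0 when the login is listed, 1 otherwise.
can_become_oracle() {
    grep '^User_Alias ORA_INSTALLERS' | tr '=,' '  ' | tr -s ' ' '\n' | grep -qxF "$1"
}

# Check 3: syntax-check the fragment with visudo before copying it into
# /etc/sudoers. Runs only when visudo is on the PATH.
validate_fragment() {
    tmp=$(mktemp) || return 1
    sudoers_fragment "$1" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp"
        rc=$?
    else
        echo "visudo not found; syntax check skipped" >&2
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# Demonstration with constructed data (no real system file is read).
LOCKED_SHADOW='oracle:*LK*$5$saltsalt$hashhashhash:16000::::::'   # constructed
OPEN_SHADOW='oracle:$5$saltsalt$hashhashhash:16000::::::'          # constructed

if account_locked "$LOCKED_SHADOW"; then echo "oracle: locked"; fi
if ! account_locked "$OPEN_SHADOW"; then echo "oracle: NOT locked, run passwd -l oracle"; fi

sudoers_fragment "orainst1 orainst2"
for u in orainst1 oradb1; do
    if sudoers_fragment "orainst1 orainst2" | can_become_oracle "$u"; then
        echo "$u: may run 'sudo su - oracle'"
    else
        echo "$u: not in ORA_INSTALLERS, sudo will refuse"
    fi
done
validate_fragment "orainst1 orainst2"
```

The rule grants only the single command su - oracle (as root), which is what the paper's usage examples type; once the installer has become oracle, the login shell carries the full privileges of the software owner, so the rule limits the way in, not what oracle can do. An equivalent that avoids running su as root is ORA_INSTALLERS ALL = (oracle) NOPASSWD: ALL together with sudo -u oracle -i. Either way, apply the checked fragment with visudo rather than by editing /etc/sudoers directly.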
Disk space needed: approximately 1.7 MB for sudo and an additional 6.3 MB for optional
installation of sudo sources
Download the file with the sudo packages for Oracle Solaris 10 x86 and SPARC from My Oracle Support
(MOS, http://support.oracle.com) and place it in a temporary location where the packages can be
extracted.
Go to http://support.oracle.com/ and sign in with your MOS account (see Figure 1). Then select
Patches & Updates and enter the patch name or number (see Figure 2).
The Oracle Solaris 10 sudo packages are SUNWsudor and SUNWsudou. The SUNWsudor package (sudo (root))
is a prerequisite for the SUNWsudou package, so install SUNWsudor first.
3. Perform the same edits in the /etc/sudoers file (using visudo) as described previously for Oracle Solaris 11.
Appendix
Table 2 contains the commands related to sudo configuration and usage.
TABLE 2. SUDO COMMANDS
COMMAND    TASK
sudo       Execute a command as the superuser or as another user, as permitted by the sudoers policy
visudo     Edit the /etc/sudoers file safely (locks the file and checks its syntax before saving)
The following examples illustrate usage of the sudo configuration described in this paper.
Sudo users (such as ora<inst1>) who can use sudo to switch to user oracle:
<host>:ora<inst1>$ sudo su - oracle
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
<host>:oracle$
Users (such as ora<dbsid1>) that are not configured for sudo will be blocked:
<host>:ora<dbsid1>$ sudo su - oracle
[sudo] password for ora<dbsid1>:
ora<dbsid1> is not in the sudoers file. This incident will be reported.
Note that sudo asks for the password of the invoking user (ora<dbsid1>), never for the password of
oracle, and that the refused attempt is logged via syslog.
References
For more information about Oracle Solaris and SAP products, see the following documents:
Oracle Database Installation Guide 11g Release 2 (11.2) for Oracle Solaris:
http://docs.oracle.com/cd/E11882_01/install.112/e48357.pdf
This document is provided for information purposes only, and the contents hereof are subject to change without notice. This
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in
law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any
liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This
document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our
prior written permission.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and
are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are
trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com/solutions/SAP