
An Oracle White Paper
April 2014

Securing Access to Software Owner oracle on Oracle Solaris in SAP Environments

Introduction
This paper provides instructions and best practices on how to configure the sudo feature to
restrict direct access to the software owner oracle on Oracle Solaris and thus make the SAP system
more secure. This document applies to SAP installations where the Oracle software is owned by the
OS user oracle (that is, an Oracle installation with Oracle Database 11g Release 2 [11.2]).
In SAP environments, ora<sid> is the Oracle administration user. In Oracle environments, the standard
is to configure the user oracle as the software owner.
The goal of this configuration is to restrict access to the software owner oracle to the users who
are responsible for installing and patching the Oracle software. Database administrators should use their
own dedicated OS accounts to administer databases. The software owner oracle should be used only
for installing and patching Oracle homes (and not for database administration tasks).
The solution described in this white paper covers the sudo configuration for Oracle Solaris 10 and
11 on x86 and SPARC platforms. SAP Note 1930298 (Restricting Access to Software Owner 'oracle')
describes the corresponding solution for the Linux platform.
The Oracle Database Installation Guide (available for download at
http://docs.oracle.com/cd/E11882_01/install.112/e48357.pdf) provides instructions on how to install
and configure Oracle Database for Oracle Solaris on SPARC (64-Bit) and for Oracle Solaris on x86-64 (64-Bit).

Solutions
The sudo command allows a permitted user to execute a command as the super user or as another user,
as specified by the security policy. Depending on the version and platform of the Oracle Solaris OS,
additional OS packages may be required.
The sudo configuration described in this document allows certain users to switch to the
oracle user without having to provide the password of the oracle user account. In this example,
two OS accounts (ora<inst1> and ora<inst2>) are granted access to oracle via sudo to
perform Oracle software installation and Oracle software patching tasks. The other database OS accounts,
ora<dbsid1> and ora<dbsid2> (the database administrator OS accounts), are not allowed to
manage or change the Oracle software; they can only manage Oracle databases. Table 1 summarizes
the OS accounts used as examples in this document.


TABLE 1. SUMMARY OF OS ACCOUNTS FOR SUDO CONFIGURATION ON ORACLE SOLARIS PLATFORMS

OS USER        ALLOWED TO INSTALL/PATCH ORACLE HOMES   MANAGE DATABASES
oracle         Yes (software owner)                    -
ora<inst1>     With sudo                               -
ora<inst2>     With sudo                               -
ora<dbsid1>    -                                       manage <DBSID1>
ora<dbsid2>    -                                       manage <DBSID2>

Sudo Configuration Solutions on Oracle Solaris 11 (x86/SPARC)

To configure sudo on Oracle Solaris 11, edit the /etc/sudoers configuration file. This file is
composed of two types of entries: aliases (basically variables) and user specifications (which specify
who may run what). In the default configuration, no privileges are granted to any user. It is
recommended to use the visudo command to edit the sudoers file: visudo provides basic checks,
such as syntax parsing and file permission checks, that avoid mistakes which could lead to a vulnerable
configuration.
1. Set up user aliases in the /etc/sudoers file:

# Oracle software administrators
User_Alias ORA_INSTALL_USERS = ora<inst1>, ora<inst2>
# Oracle database administrators
User_Alias ORA_ADMINS_USERS = ora<dbsid1>, ora<dbsid2>

2. Set up a command alias for the su command in the /etc/sudoers file:

# su aliases
Cmnd_Alias ORACLE_SU = /bin/su oracle

3. Set up user access in the /etc/sudoers file:

# Allow Oracle software administrators access to 'oracle'
ORA_INSTALL_USERS ALL = ORACLE_SU

4. Lock the oracle user account. By locking the oracle account you ensure that only the super user
or the configured sudo users can access the oracle account. Locking the account prevents oracle
from logging on through any other communication service (for example, ssh, ftp, telnet and
sftp).

root# passwd -l oracle
Locking password for user oracle.
passwd: Success

Trying to switch to oracle is now blocked (except for root):

<host>:<user>$ su - oracle
Password:
su: incorrect password
<host>:<user>$

If you want to unlock oracle, run the command: passwd -u oracle.


5. (Optional) Remove ssh access to oracle by editing the /etc/ssh/sshd_config file so that
oracle can only be accessed via sudo. With this step you prevent the user oracle from logging
on via ssh.

a) Edit /etc/ssh/sshd_config and add the following line:

DenyUsers oracle
# Syntax for 2 and more users: DenyUsers user1 user2 oracle

b) Restart the ssh daemon:

root# service sshd restart

Once you have locked the oracle user by running passwd -l oracle, you no longer need a separate
sshd_config entry; with the account locked, the system is protected.
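As an added verification for steps 4 and 5 (this script is not part of the paper and is not Oracle code), the following Python reads the two files those steps change and reports whether oracle is locked and whether sshd denies it. On Solaris, passwd -l marks the shadow entry by prefixing the password field with *LK*; the script also accepts the leading ! that shadow-utils writes on Linux, so the same check covers hosts configured according to the SAP Note for Linux. The /etc/shadow and sshd_config contents below are constructed samples with placeholder hashes; on a real host, pass the contents of /etc/shadow and /etc/ssh/sshd_config instead.

```python
# Constructed /etc/shadow excerpt. Solaris passwd -l prefixes the password
# field with *LK*; the hashes are placeholders, not real credentials.
SHADOW_LOCKED = """root:$5$placeholderhash:16000::::::
oracle:*LK*$5$placeholderhash:16000::::::
orainst1:$5$placeholderhash:16000::::::
"""
SHADOW_UNLOCKED = SHADOW_LOCKED.replace("*LK*", "")

# Constructed sshd_config excerpt with step 5 applied.
SSHD_CONFIG = """# sshd_config (excerpt)
Port 22
PermitRootLogin no
DenyUsers user1 user2 oracle
"""


def account_is_locked(shadow_text, user):
    """True if USER's shadow entry carries a lock marker.

    Solaris passwd -l writes the prefix *LK*; Linux shadow-utils writes a
    leading '!' (sometimes '!!'). Both are accepted."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0] != user:
            continue
        password = fields[1]
        return password.startswith("*LK*") or password.startswith("!")
    raise KeyError(f"no shadow entry for {user}")


def ssh_denied_users(sshd_config_text):
    """Collect every user named by a global DenyUsers directive.

    Keywords are case-insensitive and a file may carry several DenyUsers
    lines. Directives after a Match line are conditional, so they are
    ignored here: for an audit, only an unconditional deny counts."""
    denied = set()
    in_match = False
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True  # everything until EOF or the next Match is conditional
            continue
        if in_match:
            continue
        if keyword == "denyusers":
            denied.update(rest.split())
    return denied


def audit(shadow_text, sshd_config_text, user="oracle"):
    """Return both findings; after steps 4 and 5 both should be True."""
    return {
        "password_locked": account_is_locked(shadow_text, user),
        "ssh_denied": user in ssh_denied_users(sshd_config_text),
    }


if __name__ == "__main__":
    print(audit(SHADOW_LOCKED, SSHD_CONFIG))
```

The check deliberately treats a DenyUsers that sits under a Match block as not applied, because such a directive only holds for the sessions the Match selects; a host-wide restriction on oracle belongs in the global section.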

Sudo Configuration Solutions on Oracle Solaris 10 (x86/SPARC)

The sudo command is considered part of the Oracle Solaris 10 1/13 release, but for technical
reasons the sudo packages were released independently and are not included on the Oracle Solaris
10 1/13 media.
The requirements to install the package are:

- Oracle Solaris 10 1/13
- Disk space needed: approximately 1.7 MB for sudo and an additional 6.3 MB for the optional
  installation of the sudo sources

Download the file with the sudo packages for Oracle Solaris 10 x86 and SPARC from My Oracle Support
(MOS, http://support.oracle.com), and place it in a temporary location where the packages can be
extracted.
Go to http://support.oracle.com/ and sign in with your MOS account (see Figure 1). Then select
Patches & Updates and enter the patch name or number (see Figure 2):

Patch 16920591: SUDO - 1.8.6P7 (SPARC 32/64-bit)
Patch 16920595: SUDO - 1.8.6P7 (x86 32/64-bit)


Figure 1. Welcome to My Oracle Support!

Figure 2. Search Patch Name or Number in MY ORACLE SUPPORT (MOS).

Sudo is composed of the following packages:

SUNWsudor - configuration files, which are installed in the /etc directory
SUNWsudou - sudo binaries and documentation

1. Extract the packages:

# cd ${download_location}
# gunzip sudo-1.0-sudo.sparc.tar.gz
# tar xf sudo-1.0-sudo.sparc.tar

2. Install the packages (-d . points pkgadd at the current directory, into which the packages
were extracted):

# pkgadd -d . SUNWsudor
# pkgadd -d . SUNWsudou

The SUNWsudor package (sudo (root)) is a prerequisite for the SUNWsudou package.
3. Perform the same edits in the /etc/sudoers file as described previously for Oracle Solaris 11.

Appendix
Table 2 contains the commands related to sudo configuration and usage.

TABLE 2. SUDO COMMANDS

COMMAND   TASK
sudo      Executes a command as another user as permitted by the /etc/sudoers configuration file.
visudo    Allows for safer editing of the /etc/sudoers file.

The following examples illustrate usage of the sudo configuration described in this paper.

Sudo users (such as ora<inst1>) who can use sudo to switch to user oracle:

<host>:ora<inst1>$ sudo su - oracle
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
<host>:oracle$

Users (such as ora<dbsid1>) that are not configured for sudo will be blocked:

<host>:ora<dbsid1>$ sudo su - oracle
[sudo] password for oracle:
ora<dbsid1> is not in the sudoers file. This incident will be reported.

Logging on as oracle via ssh is blocked:

$ ssh <host> -l oracle
oracle@<host>'s password:
Permission denied, please try again
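As an added illustration (not code from the paper or from Oracle), the following Python script models how sudo evaluates the three sudoers entries from the Solaris 11 steps and reproduces the allowed and denied outcomes of the sessions above. It implements only the subset of sudoers(5) syntax the paper uses (comments, User_Alias, Cmnd_Alias, the keyword ALL, and entries of the form USERLIST HOST = [(RUNAS)] CMDLIST); the account names orainst1, orainst2, oradbsid1 and oradbsid2 are placeholders for ora<inst1>, ora<inst2>, ora<dbsid1> and ora<dbsid2>, and the host name dbhost is likewise made up. Two details of sudo's matching are worth seeing in code: sudo resolves a bare command such as su through PATH before matching, so requests are written here as full paths, and when a Cmnd_Alias lists arguments, the user's arguments must match them exactly. With the alias as written, /bin/su oracle is permitted while the login-shell form /bin/su - oracle is not; if that form is the one administrators should run, list it in ORACLE_SU as a second command, which the last assertion-style request below demonstrates.

```python
import shlex

# Constructed sudoers fragment mirroring steps 1-3 of the paper. The account
# names are placeholders for ora<inst1>, ora<inst2>, ora<dbsid1>, ora<dbsid2>.
SUDOERS_FRAGMENT = """
# Oracle software administrators
User_Alias ORA_INSTALL_USERS = orainst1, orainst2
# Oracle database administrators
User_Alias ORA_ADMINS_USERS = oradbsid1, oradbsid2
# su aliases
Cmnd_Alias ORACLE_SU = /bin/su oracle
# Allow Oracle software administrators access to 'oracle'
ORA_INSTALL_USERS ALL = ORACLE_SU
"""


def _split_list(text):
    """Split a comma-separated sudoers list into stripped items."""
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_sudoers(text):
    """Parse the subset of sudoers(5) used in the paper.

    Returns (user_aliases, cmnd_aliases, specs); each spec is a dict with
    the user list, host, run-as user and command list of one entry."""
    user_aliases, cmnd_aliases, specs = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        if line.startswith(("User_Alias ", "Cmnd_Alias ")):
            keyword, rest = line.split(None, 1)
            name, members = (part.strip() for part in rest.split("=", 1))
            target = user_aliases if keyword == "User_Alias" else cmnd_aliases
            target[name] = _split_list(members)
            continue
        # User specification: USERLIST HOST = [(RUNAS)] CMDLIST
        left, right = (part.strip() for part in line.split("=", 1))
        users, host = left.rsplit(None, 1)
        runas = "root"  # sudo's default target user when no (RUNAS) is given
        if right.startswith("("):
            runas, right = right[1:].split(")", 1)
            runas, right = runas.strip(), right.strip()
        specs.append({"users": _split_list(users), "host": host,
                      "runas": runas, "cmnds": _split_list(right)})
    return user_aliases, cmnd_aliases, specs


def _expand(names, aliases):
    """Replace alias names (recursively) by their members."""
    out = []
    for name in names:
        out.extend(_expand(aliases[name], aliases) if name in aliases else [name])
    return out


def _cmnd_matches(pattern, requested):
    """sudoers(5) rule: a command listed without arguments matches any
    arguments; one listed with arguments matches those arguments exactly.
    Wildcards and the "" (no-arguments) form are not modelled."""
    if pattern == "ALL":
        return True
    pattern_parts, requested_parts = shlex.split(pattern), shlex.split(requested)
    if pattern_parts[0] != requested_parts[0]:
        return False
    return len(pattern_parts) == 1 or pattern_parts[1:] == requested_parts[1:]


def is_permitted(user, command, runas="root", host="dbhost",
                 sudoers=SUDOERS_FRAGMENT):
    """May USER run COMMAND (a full path plus arguments) as RUNAS on HOST?"""
    user_aliases, cmnd_aliases, specs = parse_sudoers(sudoers)
    for spec in specs:
        users = _expand(spec["users"], user_aliases)
        if user not in users and "ALL" not in users:
            continue
        if spec["host"] not in ("ALL", host) or spec["runas"] not in ("ALL", runas):
            continue
        if any(_cmnd_matches(p, command) for p in _expand(spec["cmnds"], cmnd_aliases)):
            return True
    return False


if __name__ == "__main__":
    # The three requests reproduce the Appendix sessions plus the
    # exact-argument caveat: su - oracle is denied until ORACLE_SU lists it.
    for user, cmd in [("orainst1", "/bin/su oracle"),
                      ("oradbsid1", "/bin/su oracle"),
                      ("orainst1", "/bin/su - oracle")]:
        print(f"{user:10} sudo {cmd:18} -> "
              f"{'allowed' if is_permitted(user, cmd) else 'denied'}")
```

Because the ORACLE_SU entry carries no (RUNAS) part, the request runs as root and it is su that then switches to oracle, which is why a locked oracle password does not interfere with the sudo path while still blocking direct su and ssh logins.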


References
For more information about Oracle Solaris and SAP products, see the following documents:

SAP Note 1930298: Restricting Access to Software Owner oracle

Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles:
http://www.oracle.com/technetwork/database/focus-areas/availability/maa-exadata-consolidatedroles-459605.pdf

Oracle Database Installation Guide 11g Release 2 (11.2) for Oracle Solaris:
http://docs.oracle.com/cd/E11882_01/install.112/e48357.pdf

Oracle Application Adapter for SAP R/3 Installation Guide:
http://docs.oracle.com/cd/E14981-01/wli/docs1031/pdf/sap_adapter_install.pdf

Securing Access to Software Owner oracle on Oracle Solaris in SAP Environments
April 2014

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com/solutions/SAP

Copyright 2014, Oracle and/or its affiliates. All rights reserved.
This document is provided for information purposes only, and the contents hereof are subject to change without notice. This
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in
law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any
liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This
document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our
prior written permission.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and
are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are
trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0113
