Sudo Security Solaris


  • 8/19/2019 Sudo Security Solaris

    1/8

     

     An Oracle White Paper

     April 2014

    Securing Access to Software Owner ‘oracle’ on Oracle Solaris in SAP Environments


Introduction

This paper provides instructions and best practices on how you can configure the sudo feature to restrict direct access to the software owner oracle on Oracle Solaris and thus make the SAP system more secure. This document applies to SAP installations where the Oracle software is owned by OS user oracle (that is, an Oracle installation with Oracle Database 11g Release 2 [11.2]).

In SAP environments, ora is the Oracle administration user. In Oracle environments, the standard is to configure the user oracle as the software owner.

The goal of this configuration is to restrict access to the software owner oracle to the users who are responsible for installing and patching the Oracle software. Database administrators should use their own dedicated OS accounts to administer databases. The software owner oracle should be used only for installing and patching Oracle homes, not for database administration tasks.

The solution described in this white paper restricts the sudo configuration for Oracle Solaris 10 and 11 on x86 and SPARC platforms. Furthermore, SAP Note 1930298 (Restricting Access to Software Owner 'oracle') describes the solution for the Linux platform.

The Oracle Database Installation Guide (available for download at http://docs.oracle.com/cd/E11882_01/install.112/e48357.pdf) provides instructions about how to install and configure Oracle Database for Oracle Solaris on SPARC (64-Bit) and for Oracle Solaris on x86-64 (64-Bit).

Solutions

The sudo command allows a permitted user to execute a command as the super user or as another user, as specified by the security policy. Depending on the version and platform of the Oracle Solaris OS, additional OS packages could be required.

The sudo configuration that is described in this document will allow certain users to switch to the oracle user without having to provide the password of the oracle user account. In this example two OS accounts (ora and ora) will be granted access to oracle via sudo to perform Oracle software installation and Oracle software patching tasks. The other database OS accounts ora and ora (the database administrator OS accounts) are not allowed to manage or change the Oracle software; they can only manage Oracle databases. Table 1 summarizes the OS accounts used as examples in this document.



TABLE 1. SUMMARY OF OS ACCOUNTS FOR SUDO CONFIGURATION ON ORACLE SOLARIS PLATFORMS

OS USER   ALLOWED TO INSTALL/PATCH ORACLE HOMES   MANAGE DATABASES
oracle
ora       With sudo
ora       With sudo
ora                                               manage
ora                                               manage

Sudo Configuration Solutions on Oracle Solaris 11 (x86/SPARC)

To configure sudo on Oracle Solaris 11, edit the /etc/sudoers configuration file. This file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). In the default configuration, no privileges are granted to any user. It is recommended to use the visudo command to edit the sudoers file. visudo provides basic checks such as syntax parsing and file permission checks, which avoid some possible mistakes that could lead to a vulnerable configuration.

1. Set up user aliases in the /etc/sudoers file:

# Oracle software administrators
User_Alias ORA_INSTALL_USERS = ora, ora

# Oracle database administrators
User_Alias ORA_ADMINS_USERS = ora, ora

2. Set up a command alias for the su command in the /etc/sudoers file:

# su aliases
Cmnd_Alias ORACLE_SU = /bin/su - oracle

3. Set up user access in the /etc/sudoers file:

# Allow Oracle software administrators access to 'oracle'
ORA_INSTALL_USERS ALL = ORACLE_SU

4. Lock the oracle user account. By locking the oracle account you ensure that only the super user or the configured sudo users can access the oracle account. Locking the account prevents oracle from logging on through any other communication service (for example, ssh, ftp, telnet and sftp).

root# passwd -l oracle
Locking password for user oracle.
passwd: Success


Trying to switch to oracle is now blocked (except for root):

:$ su - oracle
Password:
su: incorrect password
:$

If you want to unlock oracle, run the command: passwd -u oracle.

5. (Optional) Remove ssh access to oracle by editing the /etc/ssh/sshd_config file so that oracle can only be accessed via sudo. With this step you prevent the user oracle from logging on via ssh.

a) Edit /etc/ssh/sshd_config and add the following line:

DenyUsers oracle
# Syntax for 2 and more users: DenyUsers user1 user2 oracle

b) Restart the ssh daemon:

root# service sshd restart

Once you have locked the oracle user by running the command 'passwd -l oracle', you no longer need to configure a separate sshd_config entry; the lock alone is sufficient to protect the system.
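As an added example (not part of the Oracle white paper), the following POSIX shell script audits a host against the configuration built in steps 1 to 5. It checks that the ORACLE_SU command alias is exactly /bin/su - oracle (sudoers matches command arguments, so a bare /bin/su would let the install users switch to any account, root included), that ORA_INSTALL_USERS is granted that alias, that no member of ORA_ADMINS_USERS is also an install user (the separation shown in Table 1), that the oracle entry in the shadow file carries the *LK* marker that Solaris passwd -l writes into the password field (a platform assumption, stated again in the code), and that sshd_config denies oracle. The sudoers, shadow and sshd_config contents are constructed sample files written to a scratch directory, and the account names orainst1, orainst2, oradba1 and oradba2 are placeholders standing in for the paper's ora accounts; on a real host you would point the functions at /etc/sudoers, /etc/shadow and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added audit helper (not from the Oracle white paper). It checks a sudoers file,
# a shadow file and an sshd_config against the configuration the paper describes:
# only the install users may "sudo su - oracle", DBA users stay out of that alias,
# the oracle account is locked and (optionally) denied ssh.
# All user names below are constructed placeholders.
set -u

# Print the members of a User_Alias, one per line.  $1 = sudoers file, $2 = alias
alias_members() {
    sed -n "s/^[[:space:]]*User_Alias[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Return 0 if the sudoers file grants exactly "/bin/su - oracle" to the install
# alias and no DBA user is also an install user; print one line per finding.
audit_sudoers() {   # $1 = sudoers file
    f=$1; rc=0
    # The Cmnd_Alias must carry the explicit "- oracle" arguments: sudoers matches
    # arguments, so a bare /bin/su would allow switching to any account.
    if ! grep -Eq '^[[:space:]]*Cmnd_Alias[[:space:]]+ORACLE_SU[[:space:]]*=[[:space:]]*/bin/su[[:space:]]+-[[:space:]]+oracle[[:space:]]*$' "$f"; then
        echo "FAIL: ORACLE_SU is not exactly '/bin/su - oracle'"; rc=1
    fi
    # The user specification must bind the install alias to the su alias.
    if ! grep -Eq '^[[:space:]]*ORA_INSTALL_USERS[[:space:]]+ALL[[:space:]]*=[[:space:]]*ORACLE_SU[[:space:]]*$' "$f"; then
        echo "FAIL: ORA_INSTALL_USERS is not granted ORACLE_SU"; rc=1
    fi
    # Role separation from Table 1: nobody may be both installer and DBA.
    for u in $(alias_members "$f" ORA_ADMINS_USERS); do
        if alias_members "$f" ORA_INSTALL_USERS | grep -qx "$u"; then
            echo "FAIL: DBA user $u is also in ORA_INSTALL_USERS"; rc=1
        fi
    done
    return $rc
}

# Return 0 if the user's shadow entry is locked.  Assumption: Solaris passwd -l
# prefixes the password field with *LK*.   $1 = shadow file, $2 = user
account_locked() {
    awk -F: -v u="$2" '$1 == u { if ($2 ~ /^\*LK\*/) ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# Return 0 if a DenyUsers line in sshd_config names the user.  $1 = sshd_config, $2 = user
ssh_denied() {
    awk -v u="$2" '$1 == "DenyUsers" { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
                   END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample inputs, written to a scratch directory so the script runs offline.
WORK=$(mktemp -d)
cat > "$WORK/sudoers.good" <<'EOF'
# Oracle software administrators (placeholder names)
User_Alias ORA_INSTALL_USERS = orainst1, orainst2
# Oracle database administrators (placeholder names)
User_Alias ORA_ADMINS_USERS = oradba1, oradba2
# su aliases
Cmnd_Alias ORACLE_SU = /bin/su - oracle
# Allow Oracle software administrators access to 'oracle'
ORA_INSTALL_USERS ALL = ORACLE_SU
EOF
# A misconfigured variant: bare /bin/su and a DBA user inside the install alias.
cat > "$WORK/sudoers.bad" <<'EOF'
User_Alias ORA_INSTALL_USERS = orainst1, oradba1
User_Alias ORA_ADMINS_USERS = oradba1, oradba2
Cmnd_Alias ORACLE_SU = /bin/su
ORA_INSTALL_USERS ALL = ORACLE_SU
EOF
# Constructed shadow lines: oracle locked (*LK* prefix), orainst1 not locked.
printf 'oracle:*LK*$5$constructedhash:16000::::::\norainst1:$5$constructedhash:16000::::::\n' > "$WORK/shadow"
printf 'Protocol 2\nDenyUsers oracle\n' > "$WORK/sshd_config"

audit_sudoers "$WORK/sudoers.good" && echo "sudoers.good: OK"
audit_sudoers "$WORK/sudoers.bad"  || echo "sudoers.bad: see findings above"
account_locked "$WORK/shadow" oracle && echo "oracle: account locked"
ssh_denied "$WORK/sshd_config" oracle && echo "oracle: denied by sshd"
```

The checks are deliberately strict string matches on the lines the paper tells you to add; a sudoers file that expresses the same policy through Defaults or additional aliases would need the grep patterns widened, and visudo -c remains the authoritative syntax check.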

Sudo Configuration Solutions on Oracle Solaris 10 (x86/SPARC)

The sudo command is considered part of the Oracle Solaris 10 1/13 release, but for technical reasons the sudo packages were released independently and are not included on the Oracle Solaris 10 1/13 media.

The requirements to install the package are:

- Oracle Solaris 10 1/13
- Disk space needed: approximately 1.7 MB for sudo and an additional 6.3 MB for the optional installation of the sudo sources

Download the file with the sudo packages for Oracle Solaris 10 x86 and SPARC from My Oracle Support (MOS, http://support.oracle.com), and place it in a temporary location where the packages can be extracted.

Go to http://support.oracle.com/ and sign in with your MOS account (see Figure 1). Then select Patches & Updates and enter your Patch Name or Number (see Figure 2):

- Patch 16920591: SUDO - 1.8.6P7 (SPARC 32/64-bit)
- Patch 16920595: SUDO - 1.8.6P7 (x86 32/64-bit)



Figure 1. Welcome to My Oracle Support!

Figure 2. Search Patch Name or Number in MY ORACLE SUPPORT (MOS).

Sudo is composed of the following packages:

- SUNWsudor - configuration files, which are installed in the /etc directory
- SUNWsudou - sudo binaries and documentation

1. Extract the packages:

# cd ${download_location}
# gunzip sudo-1.0-sudo.sparc.tar.gz
# tar xf sudo-1.0-sudo.sparc.tar


2. Install the packages:

# pkgadd -d SUNWsudor
# pkgadd -d SUNWsudou

The SUNWsudor package ("sudo (root)") is a prerequisite for the SUNWsudou package.

3. Perform the same edits in the /etc/sudoers file as described previously for Oracle Solaris 11.

Appendix

Table 2 contains the commands related to sudo configuration and usage.

TABLE 2. SUDO COMMANDS

COMMAND   TASK
sudo      Executes a command as another user as permitted by the /etc/sudoers configuration file.
visudo    Allows for safer editing of the /etc/sudoers file.

The following examples illustrate usage of the sudo configuration described in this paper.

- Sudo users (such as ora) who can use sudo to switch to user oracle:

:ora$ sudo su - oracle
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
Sudo-Configuration on Solaris10X8
:oracle$

- Users (such as ora) that are not configured for sudo will be blocked:

:ora$ sudo su - oracle
[sudo] password for oracle:
ora is not in the sudoers file. This incident will be reported.

- Logging on as oracle via ssh is blocked:

# ssh -l oracle
oracle@'s password:
Permission denied, please try again
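The "This incident will be reported" message above means that sudo has written the denied attempt to syslog (and, with the default settings, mailed it to root). As an added detection example, not taken from the white paper, the script below summarises such records from a sudo syslog extract. The five log lines are constructed in sudo's standard syslog layout (timestamp, host, "sudo:", invoking user, then either a denial reason such as "user NOT in sudoers" or "command not allowed", or directly the TTY/PWD/USER/COMMAND fields); the host name dbhost1 and the user names are placeholders. It counts allowed and denied records per user and lists the users with denied attempts, which is the report a DBA team would review to spot accounts trying to reach oracle outside the sudo policy.

```shell
#!/bin/sh
# Added detection example (not from the Oracle white paper): summarise sudo syslog
# records for the "su - oracle" path. The log lines are constructed in sudo's usual
# syslog format; host, users and timestamps are placeholders.
set -u

SUDO_LOG=$(mktemp)
cat > "$SUDO_LOG" <<'EOF'
Apr 10 09:01:12 dbhost1 sudo: orainst1 : TTY=pts/1 ; PWD=/export/home/orainst1 ; USER=root ; COMMAND=/bin/su - oracle
Apr 10 09:05:40 dbhost1 sudo: oradba1 : user NOT in sudoers ; TTY=pts/2 ; PWD=/export/home/oradba1 ; USER=root ; COMMAND=/bin/su - oracle
Apr 10 09:06:03 dbhost1 sudo: oradba1 : user NOT in sudoers ; TTY=pts/2 ; PWD=/export/home/oradba1 ; USER=root ; COMMAND=/bin/su - oracle
Apr 10 09:20:55 dbhost1 sudo: orainst2 : command not allowed ; TTY=pts/3 ; PWD=/export/home/orainst2 ; USER=root ; COMMAND=/bin/su -
Apr 10 10:14:09 dbhost1 sudo: orainst2 : TTY=pts/3 ; PWD=/export/home/orainst2 ; USER=root ; COMMAND=/bin/su - oracle
EOF

# Count sudo records of one class for one user.
# $1 = log file, $2 = class ("allowed" or "denied"), $3 = invoking user
sudo_count() {
    awk -v cls="$2" -v who="$3" '
        # Field 5 is the "sudo:" tag and field 6 the invoking user in syslog layout.
        $5 == "sudo:" && $6 == who {
            denied = ($0 ~ /NOT in sudoers|command not allowed/)
            if ((cls == "denied" && denied) || (cls == "allowed" && !denied)) n++
        }
        END { print n + 0 }' "$1"
}

# List users with at least one denied attempt as "<count> <user>", highest first.
denied_report() {   # $1 = log file
    awk '$5 == "sudo:" && /NOT in sudoers|command not allowed/ { c[$6]++ }
         END { for (u in c) print c[u], u }' "$1" | sort -rn
}

# Show which denied commands each user attempted, for the reviewer's context.
denied_commands() {   # $1 = log file
    awk -F' ; ' '$1 ~ / sudo: / && $1 ~ /NOT in sudoers|command not allowed/ {
             split($1, h, " "); print h[6], $NF }' "$1"
}

echo "Denied sudo attempts per user:"
denied_report "$SUDO_LOG"
echo "Commands attempted in denied records:"
denied_commands "$SUDO_LOG"
```

On a real host you would feed the script the syslog file that receives the auth facility (or the file named by sudo's logfile option) instead of the constructed extract; the field positions assume the plain syslog layout shown and would shift if the logger prepends extra columns.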


References

For more information about Oracle Solaris and SAP products, see the following documents:

- SAP Note 1930298 - Restricting Access to Software Owner 'oracle'
- Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles: http://www.oracle.com/technetwork/database/focus-areas/availability/maa-exadata-consolidated-roles-459605.pdf
- Oracle Database Installation Guide 11g Release 2 (11.2) for Oracle Solaris: http://docs.oracle.com/cd/E11882_01/install.112/e48357.pdf
- Oracle Application Adapter for SAP R/3 Installation Guide: http://docs.oracle.com/cd/E14981-01/wli/docs1031/pdf/sap_adapter_install.pdf



    Securing Access to Software Owner ‘oracle’

    on Oracle Solaris in SAP Environments

     April 2014

    Oracle Corporation

    World Headquarters

    500 Oracle Parkway

    Redwood Shores, CA 94065

    U.S.A.

    Worldwide Inquiries:

    Phone: +1.650.506.7000

    Fax: +1.650.506.7200

    oracle.com/solutions/SAP 

    Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0113