OpenSolaris

Bug ID 6506218
Synopsis Secondary Groups are not set with Sun Cluster SAP WebAS Agents
State 10-Fix Delivered (Fix available in build)
Category:Subcategory suncluster:ha-sapwebas
Keywords
Responsible Engineer Hemachandran Namachivayam
Reported Against
Duplicate Of
Introduced In
Commit to Fix 3.2_patch_02
Fixed In 3.2_patch_02
Release Fixed 3.2_patch(3.2_patch_02)
Related Bugs 6516710
Submit Date 19-December-2006
Last Update Date 20-March-2007
Description
It is my understanding that the SUNW.sapwebas agent issues a setgid before 
issuing the "startsap" command. This operation does not enable secondary 
groups.

The older SAP-HA agent SUNW.sap_ci_v2 issues a "su -" before executing the 
"startsap" command, thereby enabling secondary groups.

When configuring SAP it is an explicit requirement that the SAP user <sid>adm
is defined as follows:

Primary group = sapsys
Secondary groups = dba,oper,sapinst

However, with our Sun Cluster implementation of WebAS secondary groups can 
never be accessed.

This is a big problem because SAP started outside of Sun Cluster does not 
behave the same as SAP started inside Sun Cluster because of a mismatch of 
file permissions at a group level.

The workaround is to open the permissions for user "other". From a security
perspective this is not acceptable.

Validation of Problem:

The below example is for the SAP user "jscadm" (<sid>adm).

==================================
USER/GROUP definitions for SID JSC
==================================

=======================================================================
passwd file:
=======================================================================
jscadm:x:3200:300:SAP System Administrator:/sapmnt/JSC/home:/bin/csh
orajsc:x:3201:301:SAP Database Administrator:/oracle/JSC:/bin/csh

=======================================================================
group file:
=======================================================================
sapsys::300:
dba::301:jscadm,root
oper::302:orajsc,jscadm
sapinst::303:orajsc,jscadm

=======================================================================
user jscadm groups
=======================================================================
Primary group = sapsys
Secondary groups = dba,oper,sapinst

=======================================================================
user orajsc groups
=======================================================================
Primary group = dba
Secondary groups = oper,sapinst

=========================================================================
From a cluster system:
=========================================================================

jscadm 29595 29582   0   Sep 06 ?           0:06 dw.sapJSC_DVEBMGS00
pf=/usr/sap/JSC/SYS/profile/JSC_DVEBMGS00_jsc-D00-prv

# pcred 29595
29595:  e/r/suid=3200  e/r/sgid=300

=========================================================================
From an external application server not under cluster control.
=========================================================================

jscadm  3250  3237   0   Sep 06 ?           1:48 dw.sapJSC_D20
pf=/sapmnt/JSC/profile/JSC_D20_sapnode5p

# pcred 3250
3250:   e/r/suid=3200  e/r/sgid=300
      groups: 300 302 303

Note: Only the system NOT under cluster control shows secondary groups.
Work Around
N/A
Comments
N/A
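
Added example, not part of the original bug report or of the Sun Cluster agent code: a Python check that compares the groups a full login would give <sid>adm (from the passwd and group entries listed in the description) with what pcred reports for a running process. The function names are hypothetical, the sample data is constructed from the listings in this report, and the pcred parser assumes the combined "e/r/sgid=" form shown here.

```python
import re

# Constructed sample input: the passwd/group entries and pcred output quoted in this report.
PASSWD = "jscadm:x:3200:300:SAP System Administrator:/sapmnt/JSC/home:/bin/csh\n"
GROUP = "sapsys::300:\ndba::301:jscadm,root\noper::302:orajsc,jscadm\nsapinst::303:orajsc,jscadm\n"
PCRED_CLUSTER = "29595:  e/r/suid=3200  e/r/sgid=300\n"
PCRED_EXTERNAL = "3250:   e/r/suid=3200  e/r/sgid=300\n      groups: 300 302 303\n"

def expected_groups(user, passwd_text, group_text):
    """Map gid -> name for every group a full login (su -, initgroups) gives `user`."""
    primary = None
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == user:
            primary = int(f[3])
    if primary is None:
        raise KeyError(f"{user} not in passwd data")
    groups = {}
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) < 4:
            continue
        gid = int(f[2])
        # Primary group from passwd, secondary groups from the member list.
        if gid == primary or user in f[3].split(","):
            groups[gid] = f[0]
    return groups

def process_gids(pcred_text):
    """GIDs a process holds: effective GID plus any 'groups:' line (absent if none)."""
    m = re.search(r"\be[/rs]*gid=(\d+)", pcred_text)
    if not m:
        raise ValueError("no gid field in pcred output")
    gids = {int(m.group(1))}
    g = re.search(r"groups:((?:\s+\d+)+)", pcred_text)
    if g:
        gids.update(int(x) for x in g.group(1).split())
    return gids

def missing_groups(user, pcred_text, passwd_text=PASSWD, group_text=GROUP):
    """Names of expected groups the running process does not hold, sorted by gid."""
    want = expected_groups(user, passwd_text, group_text)
    have = process_gids(pcred_text)
    return [name for gid, name in sorted(want.items()) if gid not in have]

if __name__ == "__main__":
    print("cluster :", missing_groups("jscadm", PCRED_CLUSTER))
    print("external:", missing_groups("jscadm", PCRED_EXTERNAL))
```

Measured against the group file listed in the description, the cluster-started process lacks dba, oper and sapinst, while the external server's pcred output lacks only GID 301 (dba).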