topic Re: Change SAS Logs Access Level in Administration and Deployment

Change SAS Logs Access Level

japsas100 — Mon, 14 Dec 2020 17:19:36 GMT

Hi Team,

How can we implement chmod o+r ( read access to other) in SAS?

We need to provide the read access to followings logs. We can change permission of historical logs in Unix by chmod 0+r How we setup permission for new sas logs?

1)MetadataServer

2) ObjectSpawner

3) OLAPServer

4) TableServer

Re: Change SAS Logs Access Level

gwootton — Mon, 14 Dec 2020 17:53:39 GMT

Log permissions are based on the umask setting. If you default umask is too limited you can updated the servers' associated _usermods.sh file to change the umask. This is described in the SAS Note below.

Usage Note 38040: Setting umask and ulimit values for SAS® sessions on UNIX and Linux

You could also modify the logconfig.xml file being used by the server and specify the permissions in the appender definition (see FilePermissions parameter).

SAS Logging Facility: FileAppender

Re: Change SAS Logs Access Level

japsas100 — Tue, 15 Dec 2020 14:53:13 GMT

Thanks for the reply. Is there any way to provide the read permission to only one user which is belong to "OTHERS". He is not a member of any group.

I tried ACL but its now getfacl command is not working in AIX server. Please advise?

Re: Change SAS Logs Access Level

Kurt_Bremser — Tue, 15 Dec 2020 15:08:15 GMT

The commands in AIX are aclget, aclput and acledit.

I would create a template file, use acledit to set the access control list for this file once, and then use

aclget template|aclput <logfile>

in your code to transfer the ACL to your logfile.

Re: Change SAS Logs Access Level

japsas100 — Tue, 15 Dec 2020 15:21:18 GMT

@Kurt_Bremser Thanks, these commands are working in AIX.

Could you please share the small example how can we use to provide read access to one user(OTHERS) on the following logs?

/usr/opt/SAS/SAS94/Lev1/ObjectSpawner/
/usr/opt/SAS/SAS94//Lev1/SASApp/OLAPServer/

Re: Change SAS Logs Access Level

Kurt_Bremser — Tue, 15 Dec 2020 15:29:18 GMT

As described in the acledit documentation, you set the extended permissions to enabled and then add a stanza

permit r-x u:username

(x must be set on directories, so the user in question can cd there; don't set it on files)

Re: Change SAS Logs Access Level

japsas100 — Tue, 15 Dec 2020 17:33:52 GMT

Thanks @Kurt_Bremser

We have thousand of logs in these dir its very time consuming process to provide the read access to all these logs file.

I have tested one file and its working fine. Can we automate this task by writing any script? please advise.

Re: Change SAS Logs Access Level

Kurt_Bremser — Wed, 16 Dec 2020 15:10:04 GMT

You can make the files themselves world-readable (which is the case when using the default umask of 022), and control access by setting the ACL of the directory.

Edit: changed umask value to 022 (from 002)

Re: Change SAS Logs Access Level

Nigel_Pain — Wed, 16 Dec 2020 09:31:41 GMT

I'd be inclined to set the setuid bit (+s) for that person in the ACL for the parent directory. That way, their permissions will be applied to any files created in the directory.

Re: Change SAS Logs Access Level

japsas100 — Wed, 16 Dec 2020 15:06:45 GMT

@Nigel_Pain Thanks for the reply.

Can you please share the example to implement on AIX? Thanks

Re: Change SAS Logs Access Level

Nigel_Pain — Wed, 16 Dec 2020 15:52:47 GMT

Apologies, @japsas100, I don't know AIX. And I'm trawling the back of my memory here, as I haven't worked with a UNIX system for quite a while. But in the permissions set, as well as the RWX flags there's also the setuid/setgid ones, which can be applied to user or group permissions with "+s". Once it's applied it appears as an "s" instead of the "x".

Doing some real memory dredging, I think with the setfacl command for Solaris, you can also have default entries in ACLs, and I think they set the ACLs for any directory contents which are created. So you might get an equivalent with AIX. But I'll have to defer to other more knowledgeable, and more recently experienced folk to confirm what I'm saying, or not.

@Kurt_Bremser can you help here?

Re: Change SAS Logs Access Level

Kurt_Bremser — Wed, 16 Dec 2020 16:24:00 GMT

First, look at the permission of a log file as it is written now. I think it should be world-readable (-rw-r--r--). If that is the case, any blocking of "unwanted" readers happens on the directory. If you implement the ACL there and enable that special user (permit r-x u:username), you should be good.

acledit works by running aclget, edit the result with vi, and the using aclput to set the ACL from the edited file. So you need a little basic knowledge of the vi editor.

Re: Change SAS Logs Access Level

japsas100 — Wed, 16 Dec 2020 16:37:48 GMT

Thanks @Kurt_Bremser

As per business requirement, we can't provide the world-readable (-rw-r--r--) to all the logs. We use AIX acledit command to create a template at folder lever.

for example

Step 1) export EDITOR=/usr/bin/vi

Step 2) change the extended permissons as needed on Logs Dir (permit r-- u:tmpsas

Step 3) set the ACL recursive

aclget Logs | aclput -R Logs

With these steps we will provide the required read access to tmpsas user but how I can provide the same access to new files?

I can see new files are creating with default permission but I want to provide the same level access to new files as well. Do I need to create the shell script that will run on daily basis and provide the required access or is there any other simplest way?

Re: Change SAS Logs Access Level

Kurt_Bremser — Wed, 16 Dec 2020 16:57:27 GMT

Using NFS4 access control lists allows you to specify inheritance, but I am not familiar with those.

Do a google search for "aix nfs4 acl" to find out more.