topic Changing root password in Administration and Deployment

Changing root password

AndrewHowell — Wed, 06 May 2015 05:19:10 GMT

My specific request is Linux SAS 9.4 (Grid, HPA, in-DB, etc) spread across 30+ servers, but the question is more generic.

While most SAS-related passwords may remain under the control (or at least the influence) of the SAS Platform Administrator, one that may not is the root password, where support policies (beyond the scope of "application administration") may mandate periodic updates of critical passwords.

Is there a "hit list" of what in a SAS platform requires updating if the O/S admin updates the root password? For example:

Run the Deployment Manager to update passwords on each server (although I thought this mainly applies to "SAS" internal passwords - sasadm, sassrv, sastrust, etc.)
Update config files X, Y, & Z
Regenerate keys
etc.

My main concern are the LSF daemons, but may extend to other SAS services.

I'm reviewing System Admin Guide (bisag), Install & Config Guide (biig) & Security Admin Guide (bisecag) support docs, but looking specifically for impact of root password changes.

Thanks.

Re: Changing root password

Kurt_Bremser — Wed, 06 May 2015 08:49:12 GMT

I'd think that, after using the root password during installation to set the uid bit on the necessary modules, the root user is not used any further.

All the SAS internal config files are owned by the installation user.

I'd be VERY surprised if SAS had done the utter stupidity of storing the root password (encrypted or not) anywhere within their own realm.

Re: Changing root password

Mark_sas — Wed, 06 May 2015 12:40:43 GMT

Yes. In fact, SAS encourages you not to use the root account when installing. As Kurt mentions, root permission is only needed to run the setuid scripts as part of the install, and even that can be done as sudo. Changing the root password should have no negative repercussions on a SAS deployment.

Re: Changing root password

AndrewHowell — Wed, 06 May 2015 23:54:00 GMT

Kurt, Mark - concur not to use root account when installing.

Mark - if services are started as sudo, then should be fine. However (in my case, anyway) in the HA config tab of the RTM client, there are services (such as the GridManagementService, ProcessManager) which are configured to start as root and contain the root user id and the (masked) password. Clearly this must be changed, as any other HA services which must be run as root.

That covers those services requiring root usage with the HA config tab of the RTM client, but what about other (if any) other "non-HA" services requiring root usage?

Re: Changing root password

Kurt_Bremser — Thu, 07 May 2015 05:46:39 GMT

Putting any reference (masked or not) of the root passwort in a place where a non-root user can read it is a SERIOUS security breach and should be fixed since Dec 12, 1969 in case of UNIX.

So I hope that the file containing the root PW is readable only by root. If not, open a bug report of priority "critical" with the respective developers.

Re: Changing root password

Mark_sas — Thu, 07 May 2015 21:37:01 GMT

The two services you mention (GGridManagementService and ProcessManager) are from IBM Platform Computing, and do indeed need to be run as root. Ordinarily they are started under root at boot time, which avoids the issue. However, if you are managing these services with the RTM client, it requires you to supply the execution user and password. As you alluded earlier, you should be able to use a non-root user in RTM who has sudo permissions to start the services as root if you've configured sudo for the services.

I've checked around and have found no SAS processes which require you to persist root credentials anywhere.