AndrewHowell
Moderator

My specific request is Linux SAS 9.4 (Grid, HPA, in-DB, etc) spread across 30+ servers, but the question is more generic.

While most SAS-related passwords may remain under the control (or at least the influence) of the SAS Platform Administrator, one that may not is the root password, where support policies (beyond the scope of "application administration") may mandate periodic updates of critical passwords.

Is there a "hit list" of what in a SAS platform requires updating if the O/S admin updates the root password?  For example:

  • Run the Deployment Manager to update passwords on each server (although I thought this mainly applies to "SAS" internal passwords - sasadm, sassrv, sastrust, etc.)
  • Update config files X, Y, & Z
  • Regenerate keys
  • etc.

My main concern is the LSF daemons, but it may extend to other SAS services.

I'm reviewing System Admin Guide (bisag), Install & Config Guide (biig) & Security Admin Guide (bisecag) support docs, but looking specifically for impact of root password changes.

Thanks.

5 REPLIES 5
Kurt_Bremser
Super User

I'd think that, after using the root password during installation to set the uid bit on the necessary modules, the root user is not used any further.

All the SAS internal config files are owned by the installation user.

I'd be VERY surprised if SAS had done the utter stupidity of storing the root password (encrypted or not) anywhere within their own realm.

Mark_sas
SAS Employee

Yes.  In fact, SAS encourages you not to use the root account when installing.  As Kurt mentions, root permission is only needed to run the setuid scripts as part of the install, and even that can be done as sudo.  Changing the root password should have no negative repercussions on a SAS deployment.



AndrewHowell
Moderator

Kurt, Mark - concur not to use root account when installing.

Mark - if services are started as sudo, then it should be fine. However (in my case, anyway) in the HA config tab of the RTM client, there are services (such as the GridManagementService, ProcessManager) which are configured to start as root and contain the root user id and the (masked) password. Clearly this must be changed, as must any other HA services which must be run as root.

That covers those services requiring root usage with the HA config tab of the RTM client, but what about (if any) other "non-HA" services requiring root usage?

Kurt_Bremser
Super User

Putting any reference (masked or not) of the root password in a place where a non-root user can read it is a SERIOUS security breach and should be fixed since Dec 12, 1969 in case of UNIX.

So I hope that the file containing the root PW is readable only by root. If not, open a bug report of priority "critical" with the respective developers.
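
An added example, not part of any reply in this thread: one way to run the readability check described above against whichever file holds the stored credential. The function name and the optional expected-uid argument are assumptions made for illustration, and GNU `stat` (as found on Linux) is assumed.

```shell
#!/bin/sh
# Constructed helper (not from the thread): verify that a file holding a
# privileged credential can be read only by its expected owner.
# Usage: audit_secret_file PATH [EXPECTED_UID]   (EXPECTED_UID defaults to 0, root)
# Returns 0 if compliant, 1 if not, 2 if the file cannot be inspected.
audit_secret_file() {
    path=$1
    expected_uid=${2:-0}

    # A symlink could point the check at a different file than the service reads.
    if [ -L "$path" ]; then
        echo "FAIL $path: is a symlink, audit the target directly" >&2
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "ERROR $path: not a regular file" >&2
        return 2
    fi

    # GNU stat: %u = owner uid, %a = permission bits in octal.
    info=$(stat -c '%u %a' -- "$path") || return 2
    owner=${info% *}
    mode=${info#* }

    rc=0
    if [ "$owner" -ne "$expected_uid" ]; then
        echo "FAIL $path: owned by uid $owner, expected $expected_uid" >&2
        rc=1
    fi
    # Any bit set in the group/other triplets (mask 077) exposes the file.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $path: mode $mode grants group/other access" >&2
        rc=1
    fi
    return $rc
}
```

The check covers ownership and mode bits only; POSIX ACLs on the file are not examined and can be reviewed separately with `getfacl`.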

Mark_sas
SAS Employee

The two services you mention (GridManagementService and ProcessManager) are from IBM Platform Computing, and do indeed need to be run as root.  Ordinarily they are started under root at boot time, which avoids the issue.  However, if you are managing these services with the RTM client, it requires you to supply the execution user and password.  As you alluded earlier, you should be able to use a non-root user in RTM who has sudo permissions to start the services as root if you've configured sudo for the services.


I've checked around and have found no SAS processes which require you to persist root credentials anywhere.

