Usage Note 15231: Unix SAS modules that need to have the setuid bit set
There are three files located under !SASROOT/utilities/bin that
are required to be setuid root. The following is an explanation
of why the files need to be setuid root.
sasauth:
The sasauth program is used by SAS 9 servers to perform authentication
of connecting clients. The default version of this authentication
is against the host operating system. The method of authentication
is to hash the supplied user password using the UNIX crypt() function
(or crypt64() as appropriate) and compare the resulting hash with what
is stored for that user in the password file. Most sites deploy a
shadow password file setup. In order to read the password entries
containing the hashed password from the shadow password file, the
caller must be root.
elssrv:
The object spawner uses a suid root program called elssrv to launch
processes under the identity of the requesting client (in the case of a
standard workspace server) or a multi-user credential (in the case of a
load-balanced stored process server and a pooled workspace server).
One must be root to switch identity to another user. In the standard
workspace server case, the client provides host credentials for the
user requesting the SAS job (a query, an ETL job, etc.) to the spawner.
The spawner host authenticates the client and receives confirmation
of valid credentials from "sasauth". In addition, sasauth returns the
Unix uid and list of groups. The suid root program launches the
workspace server under this identity so that the process runs with the
host authority of the requesting client.
In the stored process server and pooled workspace server cases, the
spawner uses elssrv to launch processes under a chosen credential stored
in metadata and associated with the server. In the case of the stored
process server, clients are authenticated by the host before being
allowed to run a SAS job on one of these servers. The pooled workspace
servers do not require host authentication since processes run on these
servers are in a much more controlled environment. The stored process
server host authenticates the connecting clients using sasauth and
obtains the client's uid and groups.
sasperm:
The sasperm program performs host authorization checks against files on
disk in the Share server and stored process server. These are optional
for these servers, and this option is *experimental* in the stored
process server in this release. This process uses a combination of the
stat() system call and the access() system call by default.
The program must switch identity to the requesting client to perform
these calls as the user requesting the access, so must be run as root.
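
An added example, not part of the SAS note or of SAS software: a shell function an administrator could use to audit the three programs described above. It assumes the directory passed in is the expanded !SASROOT/utilities/bin path; the function name audit_sas_setuid and the finding labels are hypothetical.

```shell
# audit_sas_setuid DIR [OWNER_UID]
# DIR is the expanded !SASROOT/utilities/bin path; OWNER_UID defaults to 0 (root).
# Prints one finding per line and returns the number of findings (0 = clean).
audit_sas_setuid() {
    dir=$1
    want_uid=${2:-0}
    findings=0

    for name in sasauth elssrv sasperm; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING      $f"; findings=$((findings + 1)); continue
        fi
        # Without the setuid bit the program cannot read shadow entries
        # or switch identity to the requesting client.
        if [ ! -u "$f" ]; then
            echo "NOT-SETUID   $f"; findings=$((findings + 1))
        fi
        # Column 3 of "ls -ln" is the numeric owner uid.
        owner=$(ls -ln "$f" | awk '{print $3}')
        if [ "$owner" != "$want_uid" ]; then
            echo "WRONG-OWNER  $f (uid $owner)"; findings=$((findings + 1))
        fi
        # A setuid program writable by group or other can be replaced
        # by a non-root user.
        if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE     $f"; findings=$((findings + 1))
        fi
    done

    # Any other setuid file in this directory is outside the documented set.
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -u "$f" ] || continue
        case ${f##*/} in
            sasauth|elssrv|sasperm) ;;
            *) echo "UNEXPECTED   $f"; findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}
```

Because the return status is the finding count, call it as `audit_sas_setuid DIR || echo "review needed"` in scripts that run with `set -e`.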
Operating System and Release Information
| Product Family | Product | System | Reported Release | Fixed Release* |
| SAS System | Base SAS | 64-bit Enabled Solaris | 9.1 TS1M3 | |
| SAS System | Base SAS | HP-UX IPF | 9.1 TS1M3 | |
| SAS System | Base SAS | Linux | 9.1 TS1M3 | |
| SAS System | Base SAS | Linux on Itanium | 9.1 TS1M3 SP1 | |
| SAS System | Base SAS | 64-bit Enabled AIX | 9.1 TS1M3 | |
* For software releases that are not yet generally available, the Fixed
Release is the software release in which the problem is planned to be
fixed.
| Date Modified: | 2005-07-25 14:07:05 |
| Date Created: | 2005-05-17 17:12:55 |