
ASE 15.7 database dump file permission mask change between SP100 SP136 SP139

rchu168
Explorer
0 Kudos

Dear Expert,

We found that ASE 15.7 Linux edition has a dump file permission mask issue.

Prior to ASE 15.7 SP100, the dump file permission mask is 644,

after applying ASE 15.7 SP100, the dump file permission mask is 640,

after applying SP136, the dump file permission mask is changed back to 644,

after applying SP139, the dump file permission mask is changed to 640 again.

I searched the SAP knowledge base and found the following blog:

Found helpful information ( https://blogs.sap.com/2015/02/25/how-to-make-the-permission-settings-on-ases-errorlog-less-restricti... ),

Prior to ASE 15.7 SP100, ASE's errorlog had default permission settings of rw-r--r-- (644).
Starting with ASE 15.7 SP100, SAP has applied a stricter security standard of rw-r----- (640).

My question is: for this kind of system change, customers should be notified by the release notes or installation guide. However, I cannot find information about the stricter permission change on the SAP website. Could anybody advise where I can find that information?

Thanks in advance.

Any feedback will be very much appreciated.

Best Regards,

Robert Chu

Accepted Solutions (1)


former_member188958
Active Contributor
0 Kudos

Hi Robert,

This change wasn't documented, so there isn't anywhere to find that information (except, now, here on SCN thanks to your question).
SAP has been tightening up security throughout the 15.7 lifecycle, including on permissions on the ASE errorlog (noted in the blog you reference), the config file, output files from isql and bcp utilities. Also related is the introduction of the "hosts.allow" file to limit access to the backupserver.

I have put in a document enhancement request to document the default permissions of the dump archive files in the Commands Reference guide under the DUMP DATABASE and DUMP TRAN commands. Note that on UNIX systems, the "Sybase" (account used to boot ASE) user's UMASK can be used to make the permissions more restrictive than the default 640, but not less restrictive.

You might want to make a suggestion on SAP's Customer Influence site that all changes that would affect existing systems be documented in the What's New document and/or Release Bulletins, and cite this as an example of an undocumented change that caused you trouble.

https://influence.sap.com/sap/ino/#/campaign/882. I see that a request for an override on the dump file permissions was recently added that looks like it was based on your post; I encourage anyone interested in such an option to visit the Customer Influence site and vote for this change (and any of the other changes you find listed there that you think are good ideas).

Cheers,
-bret
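
The umask behaviour described in the answer above, plus a check for dump files left with the looser 644 mode, as an added example that is not part of the original thread or SAP's code. The function names and the `.dmp` file names are constructed for illustration, and GNU `find` (Linux) is assumed.

```shell
#!/bin/sh
# Added illustration; not SAP code. File names below are constructed samples.

# Mode a file ends up with when a process requests mode REQ under umask UM.
# The kernel only clears the umask bits from the request; it never adds any,
# which is why a umask can tighten a 640 default but cannot loosen it to 644.
effective_mode() {   # usage: effective_mode 640 027
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# List regular files under DIR that carry any permission bit outside
# rw-r----- (640). Mask 0137 = owner x, group w/x and every "other" bit.
# -perm /MODE (match if ANY listed bit is set) is a GNU find extension.
audit_dumps() {      # usage: audit_dumps /path/to/dump/directory
    find "$1" -type f -perm /0137 -exec ls -l {} +
}

demo() {
    # 640 requested by the server, under several umasks of the boot account.
    for um in 000 022 027 077; do
        echo "umask $um -> dump file mode $(effective_mode 640 "$um")"
    done

    # Constructed directory standing in for a dump location that was written
    # to both before and after a patch level that changed the default mode.
    d=$(mktemp -d) || return 1
    : > "$d/sample_644.dmp"; chmod 644 "$d/sample_644.dmp"
    : > "$d/sample_640.dmp"; chmod 640 "$d/sample_640.dmp"
    echo "files more permissive than 640:"
    audit_dumps "$d"      # reports only sample_644.dmp
    rm -rf "$d"
}

demo
```

Running `audit_dumps` against the real dump directory after each patch-level change shows whether any archives were written world-readable in the interim.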

Answers (1)


rchu168
Explorer
0 Kudos

Hi Bret,

Thanks a lot for your clarification and advice.

I might consider using the SAP Customer Influence site to input my suggestion.

Thank you again for your support.

Have a nice day.

Best Regards,

Robert