A new authorization concept came into effect as of database version 7.5. See Concepts of the Database System, Special Operating System Users and Groups (UNIX/Linux). The measures described below are relevant only for older database versions.
Up to and including database version 7.4.03, access rights in SAP systems on UNIX/Linux are automatically configured during installation as follows.
Access Rights in SAP Systems up to and Including Database Version 7.4.03: Directories

| Directory | Privilege | Owner | Group | Notes |
|---|---|---|---|---|
| /sapdb/<SID>/sapdata | 750 | sqd<sid> | sapsys | |
| /sapdb/<SID>/saplog | 750 | sqd<sid> | sapsys | |
| /sapdb/<SID>/sapsys | 750 | sqd<sid> | sapsys | |
| /sapdb/<SID>/dbsys | 750 | sqd<sid> | sapsys | No longer applies as of 7.4 |
| /sapdb/<SID>/db | 750 | sqd<sid> | sapsys | If a database version 7.5 or higher is installed on a computer together with an older version, change the access privileges for the directory /sapdb/<SID>/db of the older database version to 755 to ensure that the database processes of the newer versions have unrestricted access to it. |

Access Rights in SAP Systems up to and Including Database Version 7.4.03: Files

| File | Privilege | Owner | Group | Notes |
|---|---|---|---|---|
| /sapdb/<SID>/sapdata/* | 660 | sqd<sid> | sapsys | |
| /sapdb/<SID>/saplog/* | 660 | sqd<sid> | sapsys | |
| /sapdb/<SID>/sapsys/* | 660 | sqd<sid> | sapsys | |
| /sapdb/<SID>/dbsys/sys | 660 | sqd<sid> | sapsys | No longer applies as of 7.4 |

Access Rights in SAP Systems up to and Including Database Version 7.4.03: Raw Devices

| Raw device | Privilege | Owner | Group | Notes |
|---|---|---|---|---|
| Raw devices for the database system | 660 | sqd<sid> | | Link to the raw devices used as data volumes or log volumes |

To restrict access rights, proceed as follows:

1. Save the original settings. To do so, enter the following commands:

    cd /usr/sap
    ls -lR > sap_perm.txt
    cd /sapmnt
    ls -lR > sap_sw.txt
    cd /sapdb/<SID>
    ls -lR > sapdb_perm.txt

2. Grant the desired access privileges for files and directories with the chmod command:

    chmod <access_privileges_in_octal_format> <file_or_directory>

    chmod 750 /sapdb/<SID>/sap*
    chmod 750 /sapdb/<SID>/sapdata/*
    chmod 750 /sapdb/<SID>/saplog/*

Do not use chmod recursively. It is very easy to make unintended changes to authorizations when doing so.
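
Before or after changing anything, the current state can be compared against the directory and file tables above with a read-only check. The script below is an added example, not part of the SAP documentation; it assumes GNU stat (Linux), and the function names and the SAPDB_ROOT and DB_DIR_MODE variables are hypothetical. It skips dbsys (no longer applies as of 7.4) and raw devices.

```bash
#!/usr/bin/env bash
# Added example: read-only audit of a pre-7.5 /sapdb/<SID> tree against the
# mode, owner and group values listed in the tables above. It changes nothing.
# Assumes GNU stat; function and variable names are hypothetical.

FINDINGS=0   # number of deviations found by the last audit_sid call

# check_entry PATH MODE OWNER GROUP: print a finding and return 1 on deviation.
check_entry() {
    local path="$1" want="$2 $3 $4" actual
    actual=$(stat -c '%a %U %G' -- "$path" 2>/dev/null) || {
        echo "MISSING  $path"; return 1; }
    if [ "$actual" != "$want" ]; then
        echo "MISMATCH $path: is '$actual', expected '$want'"
        return 1
    fi
    return 0
}

# audit_sid ROOT OWNER GROUP: sets FINDINGS, returns 0 only if it is zero.
audit_sid() {
    local root="$1" owner="$2" group="$3" dir f
    FINDINGS=0
    for dir in sapdata saplog sapsys; do
        check_entry "$root/$dir" 750 "$owner" "$group" || FINDINGS=$((FINDINGS + 1))
        # Only entries directly inside the directory, mirroring the
        # "no recursion" rule; regular files are expected to be 660.
        for f in "$root/$dir"/*; do
            [ -f "$f" ] || continue
            check_entry "$f" 660 "$owner" "$group" || FINDINGS=$((FINDINGS + 1))
        done
    done
    # db is 750 by default; set DB_DIR_MODE=755 when a 7.5+ version coexists.
    check_entry "$root/db" "${DB_DIR_MODE:-750}" "$owner" "$group" \
        || FINDINGS=$((FINDINGS + 1))
    [ "$FINDINGS" -eq 0 ]
}

# Usage: audit.sh <SID>   (audits /sapdb/<SID> as sqd<sid>:sapsys)
if [ "$#" -eq 1 ]; then
    sid_lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    audit_sid "${SAPDB_ROOT:-/sapdb}/$1" "sqd$sid_lower" sapsys || true
    echo "findings: $FINDINGS"
fi
```

Each MISMATCH line names one path to correct individually with chmod, which avoids the recursive changes warned against above.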