Question:
How can I find out transactions or programs that allow a user to exit SAP and obtain an operating system prompt?
Thanks in advance.
Regards.
Answer:
You cannot get a system prompt but you can issue system level commands. I believe it is SM69, which you can control.
Answer:
In SM69 you can create OS commands. In SM49 you can execute them. There have been many debates as to whether these are features or backdoors.
The limitation at SAP transaction level is that one command line is possible.
As the downward compatibility of the system is achieved in access, this limitation is relaxed.
Ned
Answer:
How can I find out transactions or programs that allow a user to exit SAP and obtain an operating system prompt?
You could do a "Where used"-search for function modules SXPG_CALL_SYSTEM and SXPG_COMMAND_EXECUTE. If you need more information, search service.sap.com for SXPG* and sapxpg.
The standard way to issue OS-level commands is via "logical commands" using transactions SM69, SM49 as mentioned by John and Ned, so you should first check for auth-object S_LOG_COM. Keep in mind that users can also issue logical commands via SM36. In connection with S_BTCH_NAM, BTCUNAME=* (which is never a good idea) they don't need S_LOG_COM if they know the user name of a super user.
RZ20 also offers ways to execute external commands.
More important, however, is to secure the sapxpg-program on your servers.
Note 686765:
Symptom
You want to increase the security level of your SAP system with regard to the execution of external commands.
The following situation applies if you do not use the solution described below:
The assumption is that a user has the following authorizations in an SAP System ABC:
- create external commands
- execute external commands
- create RFC destinations
In this case, this user can also execute external commands on other hosts:
a) that can be accessed from the system via TCP/IP, and
b) where an SAP RFC server program SAPXPG is located, and
c) where an SAP application server is running OR where an <ABC>adm operating system user exists.
This is even the case if the user has no authorizations for this host.
With the solution described below, you can specify a list of operating system commands that cannot be executed by SAPXPG.
Note that it is trivial to set up your own SAP system with SID ABC.
Have fun,
Marc
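As an added audit example (not code from this thread or from SAP), the following report lists the external commands defined via SM69, flags the ones that accept additional parameters, and shows whether the running user would pass the S_LOG_COM check for each. It assumes the command definitions are stored in table SXPGCOSTAB with the fields NAME, OPSYSTEM, OPCOMMAND, PARAMETERS and ADDPAR, and that S_LOG_COM carries the fields COMMAND, OPSYSTEM and HOST; verify both against your release before relying on the output.

```abap
REPORT zaudit_sxpg_commands.
" Added audit example, not part of the original thread.
" Assumption: external commands live in SXPGCOSTAB with the fields below.

TYPES: BEGIN OF ty_cmd,
         name       TYPE sxpgcostab-name,
         opsystem   TYPE sxpgcostab-opsystem,
         opcommand  TYPE sxpgcostab-opcommand,
         parameters TYPE sxpgcostab-parameters,
         addpar     TYPE sxpgcostab-addpar,
       END OF ty_cmd.

DATA: lt_cmd  TYPE STANDARD TABLE OF ty_cmd,
      lv_flag TYPE string.

SELECT name opsystem opcommand parameters addpar
  FROM sxpgcostab
  INTO TABLE lt_cmd.

LOOP AT lt_cmd INTO DATA(ls_cmd).
  CLEAR lv_flag.

  " ADDPAR = 'X' means the caller may append arbitrary parameters, so the
  " fixed OPCOMMAND no longer bounds what actually runs: review these first.
  IF ls_cmd-addpar = 'X'.
    lv_flag = 'ADDITIONAL PARAMETERS ALLOWED'.
  ENDIF.

  " Same check SM49/SXPG_COMMAND_EXECUTE performs for the logical command,
  " evaluated for the user running this report on the current host.
  AUTHORITY-CHECK OBJECT 'S_LOG_COM'
    ID 'COMMAND'  FIELD ls_cmd-name
    ID 'OPSYSTEM' FIELD ls_cmd-opsystem
    ID 'HOST'     FIELD sy-host.
  IF sy-subrc = 0.
    lv_flag = |{ lv_flag } / EXECUTABLE BY { sy-uname }|.
  ENDIF.

  WRITE: / ls_cmd-name, ls_cmd-opsystem, ls_cmd-opcommand,
           ls_cmd-parameters, lv_flag.
ENDLOOP.
```

Run it once per application server, since S_LOG_COM is host-specific; commands flagged on both counts are the ones to compare against the sapxpg command deny list from Note 686765.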