SAS® modules that must have the setuid bit set to root in the UNIX environment


Three files that are located in the !SASROOT/utilities/bin directory must be setuid root.

sasauth:
The sasauth utility is used by SAS®9 servers to authenticate connecting clients. By default, authentication is performed against the host operating system: sasauth hashes the supplied user password with the UNIX crypt() function (or crypt64() as appropriate) and compares the resulting hash with the one stored for that user in the password file. Most sites deploy a shadow password file setup. To read the entries containing the hashed passwords from the shadow password file, the calling userid must be root.

If the sasauth file is not setuid root, the following error occurs:

  Unable to launch authentication utility.

elssrv:
The object spawner uses a setuid root utility called elssrv to launch processes under the identity of the requesting client (in the case of a standard workspace server) or a multi-user credential (in the case of a load-balanced stored process server and a pooled workspace server). The userid must be root in order to switch identity to another user. In the standard workspace server case, the client provides host credentials for the user requesting the SAS process (for example, a query or an ETL process) to the spawner. The spawner host authenticates the client and receives confirmation of valid credentials from sasauth. In addition, sasauth returns the UNIX uid and list of groups. The elssrv utility launches the workspace server under this identity so that the process runs with the host authority of the requesting client.

In the case of a Stored Process Server or a pooled Workspace Server, the spawner uses elssrv to launch processes under a chosen credential stored in metadata and associated with the server. For a Stored Process Server, clients are authenticated by the host before being allowed to run a SAS process on one of these servers. The pooled Workspace Servers do not require host authentication because processes that run on these servers are in a much more controlled environment. The Stored Process Server host authenticates the connecting clients using sasauth and obtains each client's uid and groups.

sasperm:
The sasperm utility performs host authorization checks against files on disk in the Share Server and Stored Process Server. By default, this process uses a combination of the stat() system call and the access() system call. The utility must switch identity to the requesting client to perform these calls as the user requesting the access, so it must be run as root.


In SAS® 9.2 and later, you can run the !SASROOT/utilities/bin/setuid.sh script as root to set the setuid bit for these three files.

After you have run the setuid.sh script, you must restart your SAS servers:

   SAS-configuration-directory/Lev1/sas.servers restart

In SAS® Viya® 3.3, you can run the following commands as root to set the setuid bit for these three files (the commands also cover caslaunch):

   cd /opt/sas/viya/home/SASFoundation/utilities/bin
   sudo chown root:root sasauth sasperm elssrv caslaunch
   sudo chmod 4755 sasauth sasperm elssrv caslaunch

In SAS® Viya® 3.4 and SAS® Viya® 3.5, you can run the following commands as root to set the setuid bit for these three files (the commands also cover caslaunch):

   cd /opt/sas/spre/home/SASFoundation/utilities/bin
   sudo chown root:root sasauth sasperm elssrv caslaunch
   sudo chmod 4755 sasauth sasperm elssrv caslaunch

After you update the files, you need to restart the spawner and runlauncher services for the change to be picked up:

   sudo systemctl restart sas-viya-runlauncher-default
   sudo systemctl restart sas-viya-spawner-default
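
To confirm that the chown and chmod steps above took effect before restarting services, the following added example (not SAS code) checks owner, setuid bit and write permissions for each utility. The helper name audit_setuid and the temporary sample files are assumptions made for illustration, and the script assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added example, not SAS code. audit_setuid is a hypothetical helper name.
# Assumes GNU coreutils stat (Linux).

# audit_setuid DIR OWNER_UID FILE...
# Returns 0 only if every FILE in DIR is a regular file owned by OWNER_UID,
# has the setuid bit set, and is not writable by group or other (as with 4755).
audit_setuid() {
    dir=$1; want_uid=$2; shift 2
    failed=0
    for name in "$@"; do
        path=$dir/$name
        if [ ! -f "$path" ]; then
            echo "FAIL $path: missing"; failed=1; continue
        fi
        owner_uid=$(stat -c '%u' "$path")   # numeric owner, 0 for root
        mode=$(stat -c '%a' "$path")        # octal permissions, e.g. 4755
        if [ "$owner_uid" != "$want_uid" ]; then
            echo "FAIL $path: owner uid $owner_uid, expected $want_uid"; failed=1
        elif [ $(( 0$mode & 04000 )) -eq 0 ]; then
            echo "FAIL $path: setuid bit not set (mode $mode)"; failed=1
        elif [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL $path: group/other writable (mode $mode)"; failed=1
        else
            echo "OK   $path: uid $owner_uid, mode $mode"
        fi
    done
    return "$failed"
}

# Constructed sample: stand-in files in a temp directory owned by the current
# user. On a real host the call would use uid 0 and the bin directory, e.g.
#   audit_setuid /opt/sas/spre/home/SASFoundation/utilities/bin 0 sasauth sasperm elssrv caslaunch
demo=$(mktemp -d)
touch "$demo/sasauth" "$demo/elssrv" "$demo/sasperm"
chmod 4755 "$demo/sasauth" "$demo/elssrv"
chmod 0755 "$demo/sasperm"              # deliberately left without the setuid bit
audit_setuid "$demo" "$(id -u)" sasauth elssrv sasperm || echo "audit failed"
rm -rf "$demo"
```

A filesystem mounted with the nosuid option ignores the setuid bit at exec time, so a passing audit on such a mount still leaves the utilities unable to run as root.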