topic Re: Break Security in Application Development and Automation Discussions

Break Security

Former Member — Tue, 22 Apr 2008 09:15:46 GMT

Guys, last nigth I was thinking, if a user is not allow to execute for example transaction sm50 and he execute /h before of perform sm50 , he can change the values of variables in debugging process ? and worst access to transaction ?

Re: Break Security

Former Member — Tue, 22 Apr 2008 09:27:11 GMT

Hi Dear,

Its a very good question....

But SAP is much more aware of it. It can be controlled by authorization. In our production system we cannot change the values in debug mode.

<REMOVED BY MODERATOR>

Edited by: Alvaro Tejada Galindo on Apr 22, 2008 12:33 PM

Re: Break Security

Former Member — Tue, 22 Apr 2008 09:30:45 GMT

Hi,

It would be possible if he bypass all the authority check statement.

But to do this he must have of course debug right and also be able to change values in debug mode.

Hope I have answered your qestion

Regards

Re: Break Security

Former Member — Tue, 22 Apr 2008 09:38:24 GMT

Hi,

I sounds a nice theory, but have you tried it?

I have developer only access in a dev system, no basis transactions. So if I run SM12 I get message "You are not authorized to use transaction SM12".

If I type /h, then run transaction SM12 I get "You are not authorized to use transaction SM12", no debugger. The check for S_TCODE is not explicity coded, I think the check is at system level, so it can't be bypassed in debug.

Regards,

Nick

Re: Break Security

Former Member — Tue, 22 Apr 2008 11:48:28 GMT

All depends the level of authorizations you have

Also don't forget all transactions are linked to an ABAP program and a ABAP source code can be debugged.

Regards.

Re: Break Security

Former Member — Tue, 22 Apr 2008 11:53:54 GMT

Our security is set in Production that we are not allowed to alter values in DEBUG mode.

Re: Break Security

Former Member — Tue, 22 Apr 2008 13:57:18 GMT

Hi Jürgen,

I still don't see how you can debug around the authorisation check on object S_TCODE. Further to my earlier test where I used a system where I had limited access, I repeated it on a system where I have full access, with the following results.

Enter /h

Run transaction sm12

In debug set a break-point on statement AUTHORITY-CHECK and execute

The dubugger does not stop, the transaction starts.

The auth object S_TCODE is checked for the start of every transaction. But, even with full authorisation the ABAP debugger will not stop on the S_TCODE check.

Regards,

Nick

Re: Break Security

ThomasZloch — Tue, 22 Apr 2008 14:36:43 GMT

System debugging has to be switched on, then one can actually see the S_TCODE authority check done in function AUTH_CHECK_TCODE. (I'm on 6.20, might be different in subsequent releases).

So it's always recommended to not allow anybody the changing of field values in debugging, at least in productive systems.

Cheers

Thomas

Re: Break Security

Former Member — Tue, 22 Apr 2008 15:10:33 GMT

System dubugging! That was it, I knew there was something else that needed to be set.

Nick