Hi,
strongly spoken, as of release 6.20 the installer does not need root himself, but an install-programm that is run as root.
The installation software is client-server, so usually, the installation can be set up in a wrapper script of some 5 to 10 lines to set required environments and then call "sapinst". If you do not set a DISPLAY variable the tool will run in install-server mode and wait for an install-gui connect which can be done without even having os-acces to the unix-box i.e. from a windows PC. (well, the sap-admins need os-access for having a better life, but they do not really need root).
No need to give root-account, -password or -shell to the SAP-Installer.
Tell them to set up the wrapper script, which will usually contain some line like:
DIR_LIBRARY=
JAVA_HOME=
SAPINST_INSTDIR=
...
....../sapinst
Review it, revoke write access from it and add to unset DISPLAY variable. Then run the script yourself. If all requirements have been fullfilled and the installer does not do any mistakes, you will need to call it only twice (for Central Instance and DB-Instance) on the main server and may be one time on additional application servers.
Let them handle the rest through the gui. At least you are now sure that only the things required for the installation are done by the installation-software, not what the installer thinks needs to be done in addition.
An other thing that often requires root permissions ist the script saproot.sh, which sets some s-bits for db-admin programs and the performance collector.
This is a single shellscript.
Do a copy of /sapmnt/???/exe/saproot.sh to a safe and writeprotected location of your choice, review the script install "sudo" and give acces to the copy via sudo.
This script rarely changes, so if the SAP-Admin needs to install a patch for the db-admin tools, he can remove them (he has write access to /sapmnt/???/exe (!!!), install the new executables and do a sudo of the saproot.sh-copy to regain the s-bits.
In addition, if you are unlucky with the suid-bit for root of the saposcol program, you might be interested to review oss-note 726094 which describes to install saposcol without beinig run as root at least for the operating systems HP-UX, SUN, AIX, OS390.
... :-) It is (!) possible to keep root out of sap-admins hands (allthough I have to say, I myself allways like to have it for being more flexible).
Happy SAP-securing
Volker
