Re: Permissions question
Date: Mon, 14 Jan 2008 09:11:54 -0800 (PST)
I presume you want the dba group to be the OSDBA group as part of this change. If that's the case, check ML 1012572.6--it's old, but it should still apply. Changing the OS group membership and ownership doesn't change the OSDBA group which is linked in to the oracle binary. The note will tell you how to change the group.
Also note that doing a "chgrp -R dba" will likely remove some of the SGID bits (possibly the SUID bits too) on many of the binaries. So, I'd probably do this:
- Shut down everything
- do: "cd $ORACLE_HOME ; ls -lR > /tmp/oh-files-and-privs.txt ; cd $ORACLE_HOME/bin ; ls -l > /tmp/oh-bin-files-and-privs.txt"
- Make the unix changes to put oracle in the dba group. Logout, then login again just for good measure.
- to change the group, I'd do this: find $ORACLE_HOME -group <oldgroupname> | xargs chgrp dba
- follow the ML note 1012572.6
- Compare /tmp/oh-bin-files-and-privs.txt with "ls -l $ORACLE_HOME/bin" especially looking at the s and S bits from the original and making sure they're still the same.
- Start it all up again.
- Make sure that any logfiles that are written to outside of OH are still writable. They probably are as the "oracle" UID probably owns them, but just in case.
----- Original Message ----
From: "Sweetser, Joe" <JSweetser_at_icat.com>
To: oracle-l_at_freelists.org
Sent: Monday, January 14, 2008 10:14:05 AM
Subject: Permissions question
New server. RH 5. 10gR2.
Oracle account was set up with a default group of oracle (not dba, though dba group does exist). Foolhardy DBA (moi) did not check the group before installing the s/w and creating the database. I would like to "correct" this as quickly as possible and wonder what anyone thinks about the following idea:
- Shut down everything
- Get the default group changed to dba in /etc/passwd. I know I can change the group when I am logged in, but want to make it "clean" for everyone going forward.
- Do a chgrp -R dba on ALL oracle-related files including ORACLE_HOME and all the datafiles
http://www.freelists.org/webpage/oracle-l Received on Mon Jan 14 2008 - 11:11:54 CST
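
The before/after check of the s and S bits described in the reply can be scripted instead of compared by eye. The following is an added example, not part of the original messages: it assumes GNU find and stat, uses a constructed directory with made-up file names in place of $ORACLE_HOME, and simulates the bit loss with chmod rather than performing a real group change.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU find and stat (Linux);
# paths containing newlines are not handled.

# snapshot_modes DIR: print "octal-mode path" for every regular file under DIR.
snapshot_modes() {
    find "$1" -type f -exec stat -c '%a %n' {} +
}

# special_bits MODE: print only the setuid/setgid part (octal 6000 mask) of MODE.
special_bits() {
    printf '%o\n' $(( 0$1 & 06000 ))
}

# lost_special_bits SNAPSHOT: list files whose setuid/setgid bits no longer
# match the snapshot. Returns 1 if any file drifted or disappeared.
lost_special_bits() {
    rc=0
    while read -r mode path; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        now=$(stat -c '%a' "$path")
        if [ "$(special_bits "$mode")" != "$(special_bits "$now")" ]; then
            echo "CHANGED $path was=$mode now=$now"; rc=1
        fi
    done < "$1"
    return $rc
}

# demo: constructed stand-in for $ORACLE_HOME/bin (file names are made up).
demo() {
    home=$(mktemp -d) && snap=$(mktemp) || return 2
    mkdir "$home/bin"
    touch "$home/bin/server" "$home/bin/listener" "$home/bin/tool"
    chmod 6751 "$home/bin/server"     # setuid + setgid, shown as -rwsr-s--x
    chmod 4750 "$home/bin/listener"   # setuid only
    chmod 0755 "$home/bin/tool"       # no special bits
    snapshot_modes "$home" > "$snap"
    # Simulate what the group change can do: special bits silently cleared.
    chmod u-s,g-s "$home/bin/server"
    chmod 0700 "$home/bin/tool"       # ordinary mode change, not reported
    lost_special_bits "$snap" | sed "s|$home/||" | sort
    rm -rf "$home" "$snap"
}

demo
```

Against a real tree, snapshot_modes would be run before the chgrp step and lost_special_bits after it, with the snapshot kept somewhere outside the tree being changed.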