Re: "oracle" lockdown

From: Andy Wattenhofer <watt0012_at_umn.edu>
Date: Wed, 26 Feb 2014 16:13:02 -0600
Message-ID: <CAFU3ey5FgaKE6BCudOD3QJZyJkqQ=qcgmSGTnfaJqZA2dTtLRQ_at_mail.gmail.com>

It appears to me that the changes you are facing are to enforce role separation, for security purposes. That is the purpose of having the two dba and oinstall groups created as part of the Oracle install process. It permits separation between the software owner (oinstall) and the database administrator (dba).

If your login id is a member of the dba group, you should be able to run everything under your own id. In theory, you could get by without sudo except for patching and install operations, which require oinstall group. The oracle user id is a member of oinstall.

You can source the .bash_profile from the oracle user in your own .bash_profile:

. /home/oracle/.bash_profile

(you'll probably have to adjust some file permissions before that will work).

Andy

On Wed, Feb 26, 2014 at 2:19 PM, Herring, David <HerringD_at_dnb.com> wrote:

> Folks,
>
> Our team is about to be placed in a more challenging situation where the
> OS account "oracle" will be locked down in the following ways:
>
> 1) No direct logons.
> 2) No shell can be created by "oracle".
> 3) Execution as "oracle" can be done by DBA accounts using: "sudo -u
> oracle <cmd>".
>
> I'm tasked with coming up with a test plan for each environment converted
> over to this configuration. While I can come up with the various commands
> we typically use off a consolidation of ~/.bash_history on all servers, I'm
> concerned about the environment when running "sudo -u oracle". I'm told
> that there's no guarantee on what env variables will be set so if I expect
> any particular values I'll have to put it all in a script, since we can't
> run multiple commands on one line (like "sudo -u oracle export
> ORACLE_SID=dave; export ORAENV_ASK=NO; . oraenv; ...").
>
> My first thought is we'll need some sort of wrapper script, with arguments
> for the ORACLE_SID and command line to run. Has anyone run into this type
> of situation and if so how did you handle it? There's still no word on how
> we're going to manage interactive installs. I feel like I'm on the Indians
> in the movie "Major League".
>
> Dave Herring
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

-- 
Andy Wattenhofer
Manager, Database Administration
University of Minnesota

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Feb 26 2014 - 23:13:02 CET
