Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: file permission problem - 10g client on solaris

Re: file permission problem - 10g client on solaris

From: sybrandb <>
Date: Mon, 23 Jul 2007 01:24:43 -0700
Message-ID: <>

On Jul 23, 2:09 am, DA Morgan <> wrote:
> wrote:
> > On Sun, 22 Jul 2007 07:58:35 -0700, DA Morgan <>
> > wrote:
> >> There is no reason anyone anyone other than the unix user oracle should
> >> be directly accessing executables on the server unless the object is to
> >> compromise system security and render any reasonable interpretation of
> >> auditing moot.
> > Actually it is just the opposite. Forcing Unix users to use oracle or
> > to su to oracle poses a security risk. We had an issue once where
> > 'someone' deleted the passwordfile and the init.ora of several
> > databases. Only the unix user oracle could access the database.
> > *Everyone* knew the password.
> My point exactly. There are only two people who should ever be able to
> access an Oracle server ... the operating system SA and the DBA. Thus
> no one else needs access to anything on the machine except via SQL*NET
> or a secure and tested interface.
> If an organization is sloppy with respect to who has the userid/pwd
> for either the root or oracle then they deserve what they get. Changing
> permission of operating system files will not save anyone from flagrant
> stupidity: Firing those that share passwords will.
> --
> Daniel A. Morgan
> University of Washington
> (replace x with u to respond)
> Puget Sound Oracle Users

You are still not getting it. Is it my English? What I'm trying to explain is there are situations where multiple administrators are unavoidable (one reason for that is that no one works 7 x 24). Using the oracle account for normal administration is dangerous and even Oracle warns against this in the documentation. The obvious reason for this is the oracle account is, *without* changing any permission, capable of deleting any oracle file. This is why you shouldn't use oracle to administer the database, and you definitely shouldn't allow telnet or ssh access to oracle. Preferably you shouldn't allow everyone to su to oracle. Yet in my situation this is unavoidable. Because if I don't allow this I will need to maintain the system 365 (or 366) times 7 times 24 hours per year.
As SYSDBA operations are audited, it is actually advantageous to have multiple accounts: it allows you to put blame.

Sybrand Bakker
Senior Oracle DBA
Received on Mon Jul 23 2007 - 03:24:43 CDT

Original text of this message