Re: Oracle File Permission
Date: 1997/09/11
Message-ID: <5v8hp3$fs2_at_dns.camcnty.gov.uk>#1/1
Jim Forest <jlam_at_unocal.com> wrote:
>My UNIX system adm recently increased UNIX security level, and the
>system reports several red alert relating to file setting.
>Particularly, $ORACLE_HOME/bin/oracle and SQL*Net files.
>
>He asks why does file oracle set to 4755. I know Oracle requires this
>sticky bit, but I can't find any documents, official documents, to satisfy
>his security obsession.
>
>Please help.
>
>
Hi,
Sorry, don't know any references to official documents, but you might be able to convince your sysadm with the following argument.
- Lots of people need to be able to update the database files ( a database which only one person can update is not very useful )
- But we don't want to make the database files rw-rw-rw- as anyone could just then scribble over them with cp or any other utility
- Therefore, we protect them rw------- ( or maybe rw-rw---- ) where the owner is the "oracle" userid
- Now, if anyone wants to update the data files, they must effectively "be" oracle, which means having a setuid $ORACLE_HOME/bin/oracle binary. ( It is this binary which creates the shadow processes which perform the database access on behalf of the front end tools, eg. forms, reports, sqlplus etc. )
So, these setuid binaries are a security feature, not a security fault - without them we'd have to have universal update access to our precious data. It's the lesser of the two evils.
HTH, Dave.
-- To reply by email, remove the "no-spam" bit from my email address.
Received on Thu Sep 11 1997 - 00:00:00 CEST
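
The permission layout argued for in the reply above, written as an audit script. This is an added example, not part of the original thread or Oracle's own tooling; the sample tree, the `data` directory and the `.dbf` file names are constructed stand-ins for `$ORACLE_HOME/bin/oracle` and the database files.

```shell
#!/bin/sh
# Added example: audit the layout the reply describes. All paths are constructed.

# True if FILE has every permission bit in MODE (POSIX `find -perm -MODE`).
has_bits() { [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]; }

owner_of() { ls -ld "$1" | awk '{print $3}'; }

# The server binary must be setuid and must not be writable by group or other,
# otherwise anyone could replace code that runs with the owner's identity.
check_binary() {
    has_bits "$1" 4000 || { echo "FAIL $1: setuid bit missing"; return 1; }
    if has_bits "$1" 0020 || has_bits "$1" 0002; then
        echo "FAIL $1: writable by group or other"; return 1
    fi
    echo "OK   $1"
}

# A data file must give "other" nothing and must belong to the account the
# setuid binary runs as (passed as the second argument).
check_datafile() {
    for bit in 0004 0002 0001; do
        if has_bits "$1" "$bit"; then
            echo "FAIL $1: accessible to other (bit $bit)"; return 1
        fi
    done
    [ "$(owner_of "$1")" = "$2" ] || { echo "FAIL $1: owner is not $2"; return 1; }
    echo "OK   $1"
}

# audit_layout BINARY DATADIR: returns 0 only if every check passes.
audit_layout() {
    rc=0
    check_binary "$1" || rc=1
    for f in "$2"/*.dbf; do
        [ -e "$f" ] || continue
        check_datafile "$f" "$(owner_of "$1")" || rc=1
    done
    return $rc
}

# Constructed sample tree: a 4755 binary and data files at rw------- / rw-rw----.
make_sample() {
    mkdir -p "$1/bin" "$1/data"
    : > "$1/bin/oracle";        chmod 4755 "$1/bin/oracle"
    : > "$1/data/system01.dbf"; chmod 600 "$1/data/system01.dbf"
    : > "$1/data/users01.dbf";  chmod 660 "$1/data/users01.dbf"
}

demo=$(mktemp -d) && make_sample "$demo" && audit_layout "$demo/bin/oracle" "$demo/data"
rm -rf "$demo"
```

The write check on the binary is the part a security review should care about most: a setuid file that others can modify hands them the owner's access to every data file.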