Re: Oracle File Permission

From: Dave Wotton <Dave.Wotton_at_it.camcnty.no-spam.gov.uk>
Date: 1997/09/11
Message-ID: <5v8hp3$fs2_at_dns.camcnty.gov.uk>


Jim Forest <jlam_at_unocal.com> wrote:
>My UNIX system adm recently increased the UNIX security level, and the
>system reports several red alerts relating to file settings.
>Particularly, $ORACLE_HOME/bin/oracle and SQL*Net files.
>
>He asks why the file oracle is set to 4755. I know Oracle requires this
>sticky bit, but I can't find any documents, official documents, to satisfy
>his security obsession.
>
>Please help.
>
>

Hi,

Sorry, don't know any references to official documents, but you might be able to convince your sysadm with the following argument.

  1. Lots of people need to be able to update the database files (a database which only one person can update is not very useful).
  2. But we don't want to make the database files rw-rw-rw-, as anyone could then just scribble over them with cp or any other utility.
  3. Therefore, we protect them rw------- (or maybe rw-rw----), where the owner is the "oracle" userid.
  4. Now, if anyone wants to update the data files, they must effectively "be" oracle, which means having a setuid $ORACLE_HOME/bin/oracle binary. (It is this binary which creates the shadow processes which perform the database access on behalf of the front-end tools, e.g. forms, reports, sqlplus etc.)

So, these setuid binaries are a security feature, not a security fault - without them we'd have to have universal update access to our precious data. It's the lesser of the two evils.

HTH, Dave.

-- 

To reply by email, remove the "no-spam" bit from my email address.
Received on Thu Sep 11 1997 - 00:00:00 CEST

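As an added example, not part of the original thread and not Oracle's own tooling: a small POSIX shell audit of the permission model Dave's four points describe. It checks that the server binary carries the setuid bit and that no datafile is world-writable, which is the combination that makes the model work (the setuid bit is only "safe" because the files it protects are not writable by anyone else). The layout ($ORACLE_HOME/bin/oracle, datafiles under dbs/*.dbf) is an assumption for the demo; the tree is constructed in a temporary directory so it runs offline. Ownership by an "oracle" user is not checked here, because the demo cannot create that account; in a real audit you would also verify that the binary and the datafiles share the same owner and that the binary itself is not writable by group or other.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the setuid-binary plus
# private-datafile model. Paths under $ORACLE_HOME are assumed for the demo.

# Symbolic mode of a file from ls -ld, e.g. "-rwsr-xr-x" (portable, no stat).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# setuid bit: 4th character is 's' (with owner-exec) or 'S' (without).
is_setuid() {
    case "$(mode_string "$1")" in
        ???[sS]??????) return 0 ;;
        *) return 1 ;;
    esac
}

# world-writable: 9th character is 'w' (the "other" write bit).
is_world_writable() {
    case "$(mode_string "$1")" in
        ????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the model holds for the given ORACLE_HOME, 1 otherwise.
audit_oracle_home() {
    home=$1
    rc=0
    bin="$home/bin/oracle"
    if [ ! -f "$bin" ]; then
        echo "MISSING  $bin"
        return 1
    fi
    if is_setuid "$bin"; then
        echo "OK       setuid server binary: $bin ($(mode_string "$bin"))"
    else
        echo "FAIL     server binary is not setuid: $bin ($(mode_string "$bin"))"
        rc=1
    fi
    for f in "$home"/dbs/*.dbf; do
        [ -f "$f" ] || continue
        if is_world_writable "$f"; then
            echo "FAIL     world-writable datafile: $f ($(mode_string "$f"))"
            rc=1
        else
            echo "OK       datafile not world-writable: $f ($(mode_string "$f"))"
        fi
    done
    return $rc
}

# Constructed demo tree in a temp dir (not a real Oracle installation).
# Prints the directory it created.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/dbs"
    printf '#!/bin/sh\n' > "$d/bin/oracle"
    chmod 4755 "$d/bin/oracle"              # the mode the sysadmin flagged
    : > "$d/dbs/system01.dbf"; chmod 600 "$d/dbs/system01.dbf"   # rw-------
    : > "$d/dbs/users01.dbf";  chmod 660 "$d/dbs/users01.dbf"    # rw-rw----
    echo "$d"
}

demo() {
    t=$(make_demo_tree)
    echo "--- layout as Dave describes it"
    audit_oracle_home "$t"
    # What happens if the "red alerts" are silenced naively: drop setuid and
    # open the datafiles instead. The audit now fails on the datafile.
    chmod 755 "$t/bin/oracle"
    chmod 666 "$t/dbs/users01.dbf"
    echo "--- after removing setuid and opening a datafile"
    audit_oracle_home "$t"
    rm -rf "$t"
}

demo
```

The second half of the demo is the point of the argument: once the binary is no longer setuid, the only way for ordinary users to keep working is to open the datafiles, and that is the state the audit (and any reasonable sysadmin) should object to. Run the audit against a real $ORACLE_HOME with `audit_oracle_home /path/to/oracle/home`; a non-zero exit status means the model is broken somewhere.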