RE: "oracle" lockdown

From: Powell, Mark <>
Date: Wed, 26 Feb 2014 20:43:50 +0000
Message-ID: <>

I do not think items #1 and #3 are an issue since I have worked on systems like that, but I am not sure about item #2, "no shell." What exactly does that mean?

-----Original Message-----

From: [] On Behalf Of Herring, David
Sent: Wednesday, February 26, 2014 3:20 PM
To:
Subject: "oracle" lockdown


Our team is about to be placed in a more challenging situation where the OS account "oracle" will be locked down in the following ways:

  1. No direct logons.
  2. No shell can be created by "oracle".
  3. Execution as "oracle" can be done by DBA accounts using: "sudo -u oracle <cmd>".

I'm tasked with coming up with a test plan for each environment converted over to this configuration. While I can come up with the various commands we typically use off a consolidation of ~/.bash_history on all servers, I'm concerned about the environment when running "sudo -u oracle". I'm told that there's no guarantee on what env variables will be set, so if I expect any particular values I'll have to put it all in a script, since we can't run multiple commands on one line (like "sudo -u oracle export ORACLE_SID=dave; export ORAENV_ASK=NO; .oraenv; ...").

My first thought is we'll need some sort of wrapper script, with arguments for the ORACLE_SID and command line to run. Has anyone run into this type of situation and if so how did you handle it? There's still no word on how we're going to manage interactive installs. I feel like I'm on the Indians in the movie "Major League".

Dave Herring


-- Received on Wed Feb 26 2014 - 21:43:50 CET
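
One way to build the wrapper script asked about in the original message, as an added example that is not code from the thread or from either poster: it validates the ORACLE_SID against oratab, rebuilds the environment from scratch instead of relying on what sudo passes through, and hands the command over as an argument vector so nothing re-parses it. The name ora_run, its install path, the /etc/oratab location and the set of variables exported are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Hypothetical install path and use:
#   sudo -u oracle /usr/local/bin/ora_run <ORACLE_SID> <command> [args...]

# Print ORACLE_HOME for a SID from an oratab-format file (SID:HOME:Y|N).
# Returns 0 if found, 1 if not listed or file unreadable, 2 if SID is malformed.
oracle_home_for() {
    case "$1" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9_]*) return 2 ;;  # letters, digits, _ only
    esac
    [ -r "$2" ] || return 1
    awk -F: -v sid="$1" '
        /^[ \t]*#/ { next }                          # skip comment lines
        ($1 "") == (sid "") && $2 != "" { print $2; found = 1; exit }
        END { exit !found }' "$2"
}

# Run <command> [args...] with an environment built from scratch, so the
# result does not depend on which variables sudo passed through.
# Usage: run_with_oracle_env <oratab> <ORACLE_SID> <command> [args...]
run_with_oracle_env() {
    if [ "$#" -lt 3 ]; then
        echo "usage: ora_run <ORACLE_SID> <command> [args...]" >&2
        return 64
    fi
    oratab=$1 sid=$2
    shift 2
    home=$(oracle_home_for "$sid" "$oratab") || {
        echo "ora_run: invalid or unknown ORACLE_SID" >&2
        return 65
    }
    # Variable set below is an assumption: the minimum oraenv would provide.
    # "$@" is passed to env as an argument vector; no shell re-parses it.
    env -i \
        ORACLE_SID="$sid" \
        ORACLE_HOME="$home" \
        PATH="$home/bin:/usr/bin:/bin" \
        LD_LIBRARY_PATH="$home/lib" \
        "$@"
}

# Entry point. With no arguments the file only defines the functions.
if [ "$#" -gt 0 ]; then
    run_with_oracle_env /etc/oratab "$@"
    exit $?
fi
```

Because the SID is checked against a strict pattern and oratab before anything runs, a test plan can include malformed and unknown SIDs and expect exit codes 65 rather than a partially configured session.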
