From: "Peter van Rijn"
Newsgroups: comp.databases.oracle.server
Subject: Re: Permission Problems revisited
Date: Thu, 12 Dec 2002 09:43:08 +0100
Organization: Posted via Supernews, http://www.supernews.com

Gerold,

As was stated in an earlier post, the oracle executable needs its setuid and
setgid set. You can accomplish this by:

    $ chmod 6751 oracle

The effect is that someone, anyone, who is permitted to run this executable
will do this *as if* he were the oracle owner himself. So all permissions
etc. apply as if the user is the oracle owner.

If you do not set the setuid, a user will operate with his own permissions
set, and this will normally not be enough to open/read/write oracle
datafiles.

Hope this clears your fog a bit.

regards,
Peter

"Gerold Krommer" wrote in message
news:at7lcj$1rb$1@at-vie-newsmaster01.nextra.at...
> Thanks for all the answers. I'm still somewhat in the fog.
>
> The installation owner is 'oracle'. User A is a different user.
> And still I would like to know how the internals work. Do the oracle
> server processes really do a setuid and setgid and run in the (security)
> context of the Unix user that started the action (e.g. SQLPLUS)? That
> would mean that I can be correctly authenticated to Oracle and still not
> see data that I'm supposed to see (this situation).
> What about remote access with ODBC/Listener/Server Process?
>
> BTW: User A is in the dba group and user B isn't.
>
> Thanks for enlightening me,
>
> /Gerold
>
> "Gerold Krommer" wrote in message
> news:at537n$5u1$1@at-vie-newsmaster01.nextra.at...
> > Sorry for the repeat. I have browsed google and found a few entries,
> > but none were really satisfying. My Oracle knowledge is (let's say)
> > moderate.
> >
> > The problem:
> > Oracle 8.0.6, Solaris 2.6, but I'm pretty sure I have seen this on
> > older versions and other platforms, too (e.g. Oracle 8.1.7 and HPUX
> > 11i).
> >
> > We are able to access the database with e.g. SQLPLUS when logged on as
> > Unix user A, but not as User B.
> >
> > The error is:
> > QL*Plus: Release 8.0.6.0.0 - Production on Tue Dec 10 15:13:55 2002
> > (c) Copyright 1999 Oracle Corporation. All rights reserved.
> > ERROR:
> > ORA-00604: error occurred at recursive SQL level 1
> > ORA-01115: IO error reading block from file 1 (block # 1122)
> > ORA-01110: data file 1: '/fnsw/dev/1/oracle_sys0'
> > ORA-27041: unable to open file
> > SVR4 Error: 13: Permission denied
> > Additional information: 3
> >
> > First I have a problem understanding why the Unix user matters. Isn't
> > it that only the Oracle processes access the data files? So I only
> > need to authenticate to Oracle by logging on.
> >
> > Second, my research on google has shown that certain protections on
> > certain files must be set, but this information was really dispersed
> > over several notes entries. Is there a place where there is a concise
> > description on what must be set to what (e.g. SUID bit, etc.)?
> >
> > Thanks very much,
> >
> > /Gerold (g.krommer@doremove.fns.co.at)
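
A check for the permission state that `chmod 6751 oracle` produces, as an added example that is not part of the original thread. The function name `check_oracle_binary` is hypothetical; the default owner `oracle` is the installation owner named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread.
# check_oracle_binary FILE [OWNER]
# Reports whether FILE has what mode 6751 gives the oracle executable:
# setuid (4000), setgid (2000), and execute permission for "others".
# OWNER defaults to "oracle" (assumption taken from the thread).
# Returns 0 if everything is in place, 1 if something is missing, 2 on bad input.
check_oracle_binary() {
    file=$1
    want_owner=${2:-oracle}
    [ -f "$file" ] || { echo "not a regular file: $file"; return 2; }

    # ls -ld prints e.g. "-rwsr-s--x 1 oracle dba ..." for mode 6751.
    perms=$(ls -ld "$file" | awk '{print $1}')
    owner=$(ls -ld "$file" | awk '{print $3}')
    problems=0

    # setuid switches to the file owner, so the owner has to be the right one.
    if [ "$owner" != "$want_owner" ]; then
        echo "owner is $owner, expected $want_owner"
        problems=1
    fi
    # setuid shows as s/S in the owner execute slot (4th character).
    case $perms in
        ???[sS]*) ;;
        *) echo "setuid bit missing: process runs with the caller's uid"
           problems=1 ;;
    esac
    # setgid shows as s/S in the group execute slot (7th character).
    case $perms in
        ??????[sS]*) ;;
        *) echo "setgid bit missing: process runs with the caller's gid"
           problems=1 ;;
    esac
    # The trailing 1 in 6751: execute for others (10th character x or t).
    case $perms in
        ?????????[xt]*) ;;
        *) echo "others cannot execute: only owner and group can start it"
           problems=1 ;;
    esac

    if [ "$problems" -eq 0 ]; then
        echo "ok: $perms owner=$owner"
    fi
    return "$problems"
}

# Usage (run in the directory holding the executable): check_oracle_binary ./oracle
```
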