From: "Peter van Rijn"
Newsgroups: comp.databases.oracle.server
Subject: Re: Permission Problems revisited
Date: Thu, 12 Dec 2002 09:43:08 +0100
Organization: Posted via Supernews, http://www.supernews.com
Gerold,
As was stated in an earlier post, the oracle executable needs its setuid and
setgid bits set.
You can accomplish this by:
$ chmod 6751 oracle
The effect is that anyone who is permitted to run this executable will do so
*as if* he were the oracle owner himself. So all permissions etc. apply as if
the user is the oracle owner.
If you do not set the setuid bit, a user will operate with his own permission
set, and this will normally not be enough to open/read/write oracle
datafiles.
Hope this clears your fog a bit.
regards,
Peter
"Gerold Krommer" wrote in message
news:at7lcj$1rb$1@at-vie-newsmaster01.nextra.at...
> Thanks for all the answers. I'm still somewhat in the fog.
>
> The installation owner is 'oracle'. User A is a different user.
> And still I would like to know how the internals work. Do the oracle server
> processes really do a setuid and setgid and run in the (security) context of
> the Unix user that started the action (e.g. SQLPLUS)? That would mean that
> I can be correctly authenticated to
> Oracle and still not see data that I'm supposed to see (this situation).
> What about remote access with ODBC/Listener/Server Process ?
>
> BTW: User A is in the dba group and user B isn't.
>
> Thanks for enlightening me,
>
> /Gerold
>
> "Gerold Krommer" wrote in newsgroup post
> news:at537n$5u1$1@at-vie-newsmaster01.nextra.at...
> > Sorry for the repeat. I have browsed google and found a few entries, but none
> > were really satisfying. My Oracle knowledge is (let's say) moderate.
> >
> > The problem:
> > Oracle 8.0.6, Solaris 2.6, but I'm pretty sure I have seen this on older
> > versions and other platforms, too (e.g. Oracle 8.1.7 and HPUX 11i).
> >
> > We are able to access the database with e.g. SQLPLUS when logged on as Unix
> > user A, but not as User B.
> >
> > The error is:
> > QL*Plus: Release 8.0.6.0.0 - Production on Tue Dec 10 15:13:55 2002
> > (c) Copyright 1999 Oracle Corporation. All rights reserved.
> > ERROR:
> > ORA-00604: error occurred at recursive SQL level 1
> > ORA-01115: IO error reading block from file 1 (block # 1122)
> > ORA-01110: data file 1: '/fnsw/dev/1/oracle_sys0'
> > ORA-27041: unable to open file
> > SVR4 Error: 13: Permission denied
> > Additional information: 3
> >
> > First I have a problem understanding why the Unix user matters. Isn't it
> > that only the Oracle processes access the data files? So I only need to
> > authenticate to Oracle by logging on.
> >
> > Second, my research on google has shown that certain protections on certain
> > files must be set, but this information was really dispersed over several
> > notes entries. Is there a place where there is a concise description on what
> > must be set to what (e.g. SUID bit, etc.)?
> >
> > Thanks very much,
> >
> > /Gerold (g.krommer@doremove.fns.co.at)
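An added check in POSIX shell, not code from this thread, that verifies whether a binary carries the mode Peter's `chmod 6751 oracle` produces (`-rwsr-s--x`) and reports which special bits are present; the temporary file it demonstrates on is constructed for the example and is not a real oracle executable.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a file carries the
# mode that "chmod 6751 oracle" produces (-rwsr-s--x).

# Symbolic mode of FILE (e.g. -rwsr-s--x) via ls, which is portable across
# Solaris, HP-UX, Linux and BSD, unlike the differing stat(1) flags.
mode_of() {
    ls -ld "$1" | awk '{ print $1 }' | cut -c1-10
}

# Space-separated list of the special bits set on FILE: setuid setgid sticky.
# An uppercase S/T in ls output means the bit is set without the matching
# execute bit; it is still reported, since that is almost always a mistake.
special_bits() {
    m=$(mode_of "$1")
    out=""
    case "$m" in ???[sS]*)       out="$out setuid" ;; esac
    case "$m" in ??????[sS]*)    out="$out setgid" ;; esac
    case "$m" in ?????????[tT]*) out="$out sticky" ;; esac
    echo "${out# }"
}

# Compare FILE against the 6751 layout from the thread: setuid+setgid, owner
# rwx, group r-x, other --x.  Returns 0 on a match, 1 otherwise, and prints a
# short diagnosis either way so it can run from an audit or cron job.
check_oracle_binary() {
    m=$(mode_of "$1")
    case "$m" in
        -rwsr-s--x)
            echo "$1: $m ok: runs with the owner's permissions for anyone allowed to execute it"
            return 0 ;;
    esac
    echo "$1: $m expected -rwsr-s--x (chmod 6751); special bits: [$(special_bits "$1")]"
    echo "without setuid a non-owner runs under his own uid and cannot open the datafiles"
    return 1
}

# Demo on a constructed temporary file (not a real oracle binary).
demo() {
    f=$(mktemp) || return 1
    chmod 751 "$f";  check_oracle_binary "$f" || :   # reported as wrong
    chmod 6751 "$f"; check_oracle_binary "$f"        # reported as ok
    rm -f "$f"
}
demo
```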