7 Replies Latest reply: Jan 5, 2013 1:43 PM by Dude!

Problem with dba group vs oinstall group

955912 Explorer
Hi to all;

This is related to Oracle as well as some OS-related security problems. Please clarify it.
I tried but couldn't solve it. All the information is given here.

Testing from user 'A'

# useradd -m -g oinstall a
# passwd a
Changing password for user a.
New UNIX password:
BAD PASSWORD: its WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

su - a
[a@testorcl ~]$ export ORACLE_HOME=/u01/app/oracle/product/10.2.0/db_1
$ export PATH=$PATH:$ORACLE_HOME/bin
$ export ORACLE_SID=testdb
$ sqlplus /nolog

SQL*Plus: Release 10.2.0.1.0 - Production on Thu Jan 3 01:33:49 2013
Copyright (c) 1982, 2005, Oracle.  All rights reserved.

Testing From user 'b' :


# useradd -m -g dba b
# passwd b
Changing password for user b.
New UNIX password:
BAD PASSWORD: its WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

su - b
Password:
$ export ORACLE_HOME=/u01/app/oracle/product/10.2.0/db_1
$ export PATH=$PATH:$ORACLE_HOME/bin
$ export ORACLE_SID=testdb
$ sqlplus /nolog

sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory

>> From oracle user finding libsqlplus.so >>

[oracle@testorcl ~]$
$ find / -name libsqlplus\* -ls 2>/dev/null

1378188 1296 -rw-r----- 1 oracle oinstall 1319436 Jun 22 2005 /u01/app/oracle/product/10.2.0/db_1/lib/libsqlplus.a
1378193 1028 -rw-r----- 1 oracle oinstall 1047293 Jun 22 2005 /u01/app/oracle/product/10.2.0/db_1/lib/libsqlplus.so

SQLPLUS LOCATION with associated group

$ ls -l $ORACLE_HOME
drwxr-x--- 9 oracle oinstall 4096 Dec 24 03:28 sqlplus

Please note:

User 'a' belongs to the oinstall group.
User 'b' belongs to the dba group.

My questions are:

1. Why can an OS user access the database with the oinstall group?
2. Why can't an OS user access the database with the dba group?

Note: This is a concept of Oracle

To connect as sysdba using OS Authentication, the UNIX OS user must be a part of the OSDBA (dba) group.
Once the user is part of OSDBA group.


But with OS user 'b' in the dba group, I can't connect with sqlplus. What's the real problem here?

version : 10gr2
$ uname -a
Linux testorcl 2.6.9-42.0.0.0.1.ELsmp #1 SMP Sun Oct 15 14:02:40 PDT 2006 i686 athlon i386 GNU/Linux

Edited by: 952909 on Jan 4, 2013 1:03 PM
  • 1. Re: Problem with dba group vs oinstall group
    Dude! Guru
    It seems to be working as it should, but the software is not set up correctly.

    <pre>
    sqlplus /nolog
    </pre>

    This starts the sqlplus executable, but does not prompt for username or password, and does not connect to the database. For administrative access, you will still need to issue "connect / as sysdba".

    <pre>
    sqlplus / as sysdba
    </pre>

    The OSDBA group name is linked in the oracle executable during the installation process. It is actually set in $ORACLE_HOME/rdbms/lib/config.c, and is usually DBA. To use OS authentication for administrative access, any user needs to be part of the OSDBA group.

    For any user to be able to run sqlplus, the user needs to have read and write access to the installed Oracle software.
    For any user to be able to have administrative access to the Oracle database and use OS authentication, the user needs to belong to the OSDBA group.
    > 1378188 1296 -rw-r----- 1 oracle oinstall 1319436 Jun 22 2005 /u01/app/oracle/product/10.2.0/db_1/lib/libsqlplus.a
    Your permissions are set incorrectly.

    Only user "oracle" or any user belonging to the "oinstall" group is able to read the files. User "a" in your example can run the sqlplus executable, but will not have administrative access to the Oracle database. User "b" in your example is part of the DBA group to satisfy Oracle's internal OSDBA requirement, but has no execute or read permission at the OS level.

    You can solve the problem by changing the permissions from 750 to 775. It is mentioned in the Oracle installation guide when setting up the Oracle software directory. You may have to reinstall the software, or under 10g try:

    $ cd $ORACLE_HOME/install
    $ ./changePerm.sh
  • 2. Re: Problem with dba group vs oinstall group
    955912 Explorer
    Hi Dude;

    Thanks for your reply.

    So, you suggest that I change the install directory permission from 750 to 775.


    $ cd install
    [oracle@testorcl install]$ ls -l
    total 240
    -rw-r-----  1 oracle oinstall      0 Jun  7  2005 createseed1.sh
    -rw-r-----  1 oracle oinstall      0 Jun  7  2005 createseed.sh
    -rw-r-----  1 oracle oinstall    977 Dec 24 03:29 envVars.properties
    drwxr-x---  2 oracle oinstall   4096 Dec 24 03:26 jlib
    -rw-r-----  1 oracle oinstall 194849 Dec 24 03:29 make.log
    -rwxr-xr-x  1 oracle oinstall      0 Dec 24 03:29 oratab
    -rw-r-----  1 oracle oinstall    132 Dec 24 04:01 portlist.ini
    -rw-r-----  1 oracle oinstall    221 Dec 24 04:02 readme.txt
    -rwxr-xr-x  1 oracle oinstall    824 Dec 24 03:28 rootdeletenode.sh
    -rw-r-----  1 oracle oinstall   9646 Dec 24 03:28 rootlocaladd
    -rw-r-----  1 oracle oinstall      0 Jun  7  2005 seed.log
    -rw-r-----  1 oracle oinstall   2800 Jun  7  2005 templocal
    drwxr-x---  2 oracle oinstall   4096 Dec 24 03:29 unix
    drwxr-x---  2 oracle oinstall   4096 Dec 24 03:28 utl

    >> Permission changed as per your suggestion >>

    [oracle@testorcl db_1]$ chmod 775 install
    [oracle@testorcl db_1]$ ls -l
    drwxrwxr-x   5 oracle oinstall   4096 Dec 24 04:02 install

    >> Trying to find changePerm.sh >>

    [oracle@testorcl db_1]$ cd install
    [oracle@testorcl install]$ ./changePerm.sh
    -bash: ./changePerm.sh: No such file or directory
    [oracle@testorcl install]$ cd

    [oracle@testorcl ~]$ whereis changePerm.sh
    changePerm:
    [oracle@testorcl ~]$

    In my testdb the file is not found ... Any suggestion to find it, Dude?

    Please note:

    http://www.oracle-base.com/articles/10g/oracle-db-10gr2-installation-on-rhel-4.php

    The installation doc didn't say anything about changing permissions related to the install group (from 750 to 775).

    Can you please clarify this?

    Thanks Dude ..
  • 3. Re: Problem with dba group vs oinstall group
    955912 Explorer
    Hi Dude;

    These are the steps we followed to install Oracle:

    Step 5:

    >> Create the new groups and users >>

    # groupadd oinstall
    # groupadd dba
    # useradd -g oinstall -G dba oracle
    # passwd xxxxxx

    >> Create the directories , Oracle software will be installed. >>

    # mkdir -p /u01/app/oracle/product/10.2.0/db_1
    # chown -R oracle.oinstall /u01

    Here, as per your 1st reply, what is the need to change here?
  • 4. Re: Problem with dba group vs oinstall group
    Dude! Guru
    > So , You suggest me to change install directory permission from 750 to 775.
    You need to change not only the directory permissions, but also change files inside accordingly, e.g. 775 or 771. 775 means owner and group have read+write+execute, anyone else read+execute. If a user is neither the oracle owner nor in the oinstall group, then permissions for others apply. Hence you need world read+execute for executable files.

    Users in the oinstall group need rwx to perform Oracle installation tasks, but not necessarily DBA access.

    Alternatively you could probably get rid of the oinstall group. In this case you will need the oracle account for software installations. Then you can set DBA group instead of oinstall. This way a user who belongs to DBA (OSDBA) has also read+execute access. It will still be a problem though if you want to give a user access without administrative privileges.
    > -bash: ./changePerm.sh: No such file or directory
    I don't have 10g installed. It's obsolete. So I cannot verify where it is, but there are plenty of references in Google. You can search for it.
    > Installation Doc didn't say anything to change permission related to install group ( from 750 to 775 )
    You might want to check the Oracle installation guide:

    http://www.oracle.com/pls/db102/homepage
    http://docs.oracle.com/cd/B19306_01/install.102/b15667/pre_install.htm#CHDHHEFG
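
The permission-class rule discussed in replies 1 and 4 (owner, else group, else other), as an added example that is not part of the original thread: a shell function that takes an `ls -l` mode string with its owner and group and reports which triad applies to a user and whether it grants access. The name `check_access` is hypothetical; the modes come from the listings in the thread, and root and ACLs are ignored.

```shell
#!/bin/sh
# Added example: evaluate classic Unix mode bits the way the kernel picks a
# permission class: owner first, else group, else other (no fall-through).
# check_access is a hypothetical helper; root and ACLs are ignored.
# usage: check_access MODE OWNER GROUP USER "USER_GROUPS" r|w|x
check_access() {
    f_mode=$1; f_owner=$2; f_group=$3; who=$4; who_groups=$5; want=$6
    perms=${f_mode#?}                 # drop the file-type character
    if [ "$who" = "$f_owner" ]; then
        class=owner; triad=$(printf '%s' "$perms" | cut -c1-3)
    else
        case " $who_groups " in
            *" $f_group "*) class=group; triad=$(printf '%s' "$perms" | cut -c4-6) ;;
            *)              class=other; triad=$(printf '%s' "$perms" | cut -c7-9) ;;
        esac
    fi
    case $want in
        r) bit=$(printf '%s' "$triad" | cut -c1) ;;
        w) bit=$(printf '%s' "$triad" | cut -c2) ;;
        x) bit=$(printf '%s' "$triad" | cut -c3) ;;
        *) echo "unknown access '$want'" >&2; return 2 ;;
    esac
    case $bit in
        -|S|T) echo "$class:denied";  return 1 ;;   # S/T: set-id/sticky without x
        *)     echo "$class:granted"; return 0 ;;
    esac
}

# Modes, owner and group copied from the listings in the thread; the group
# membership of a and b follows the useradd commands in the first post.
for entry in "a:oinstall" "b:dba"; do
    u=${entry%%:*}; g=${entry#*:}
    printf '%s  libsqlplus.so read : %s\n' "$u" \
        "$(check_access -rw-r----- oracle oinstall "$u" "$g" r || true)"
    printf '%s  sqlplus dir search : %s\n' "$u" \
        "$(check_access drwxr-x--- oracle oinstall "$u" "$g" x || true)"
    printf '%s  install dir (775)  : %s\n' "$u" \
        "$(check_access drwxrwxr-x oracle oinstall "$u" "$g" x || true)"
done
```

User b lands in the "other" class for every file owned by oracle:oinstall, so mode 640 on libsqlplus.so denies the read that the dynamic loader needs, regardless of dba membership.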
  • 5. Re: Problem with dba group vs oinstall group
    955912 Explorer
    Hi Dude;

    OK, I planned to change a few things like this:

    Step 5:

    >> Create the directories , Oracle software will be installed. >>

    # mkdir -p /u01/app/oracle/product/10.2.0/db_1
    # chown -R oracle.dba /u01

    Is this recommended?

    I mean the oracle user with the dba group instead of the oinstall group.
  • 6. Re: Problem with dba group vs oinstall group
    955912 Explorer
    Hi Dude;

    I tried to find that file but am getting an error. Can you suggest what I should do here?

    $ locate changePerm.sh

    warning: locate: could not open database: /var/lib/slocate/slocate.db: No such file or directory
    warning: You need to run the 'updatedb' command (as root) to create the database.
    Please have a look at /etc/updatedb.conf to enable the daily cron job
  • 7. Re: Problem with dba group vs oinstall group
    Dude! Guru
    > Is this recommended ?
    It's not a current standard, but was in earlier versions. It is possible to do. However, I suggest following the Oracle documentation. See previous link.

    It will probably be easier for you to reinstall the software than trying to fix your failed installation.

    Please note that there is a separate forum for Oracle Database installation issues. It will be more suitable for this kind of question:
    Installation

    I suggest to close here and create a new thread there, with a reference link to this post.
    > warning: locate: could not open database: /var/lib/slocate/slocate.db: No such file or directory
    See "man locate" for info. If you don't know how to search for a file, try:

    find /u01 -name "changePerm.sh"
