10 Replies. Latest reply: Jun 19, 2013 8:26 AM by 988012

    file permissions on data pump exports

    user577202
      The data pump export files have the file permission set to 640 owned by the oracle software owner. In our case, owner 'oracle', group 'dba'. We would like schema owners to have read access to the export files. I have not been able to find any parameter which allows for the file permission to be reset to say 644. Does anyone know of a parameter or method to have the export files created with more relaxed file permissions? Thanks.
        • 1. Re: file permissions on data pump exports
          247514
          Permission 640 is an OS-level file permission, while schema owners are Oracle users. Therefore, changing the file permission to 644 at OS level has no effect for schema holders.

          The data pump export files will be read/write by OS user 'oracle' no matter which Oracle user you use to do export/import.
          • 2. Re: file permissions on data pump exports
            ajallen
            The parameter that controls this is likely umask. It is an OS setting and is used to set the default permissions for files and directories created by a user -- in your case, likely oracle.

            There are security ramifications to changing this setting as it will also affect the permissions of data files as they are created.

            You could, possibly, create a cron script to change permissions for all files in a given directory to give read to the application users. Maybe run this every 10 minutes or so.
            • 3. Re: file permissions on data pump exports
              19426
              Oracle software installation user is a critical userid, don't open a security hole. It's better to create a specific application user with less database privileges than 'oracle' (especially not part of 'dba' group), which performs datapump.

              Werner
              • 4. Re: file permissions on data pump exports
                247514
                > Oracle software installation user is a critical
                > userid, don't open a security hole. It's better to
                > create a specific application user with less database
                > privileges than 'oracle' (especially not part of
                > 'dba' group), which performs datapump.
                >
                > Werner

                Hi Werner,

                Do you have a living example of changing the OS-level user to read/write datapump files?
                According to the Oracle documentation, I don't think it's possible.

                Yingkuan
                • 5. Re: file permissions on data pump exports
                  19426
                  I think Ajallen is right, the actual dumpfile is created by the OS and the file permissions depend on 'umask' setting of the particular user. Of course additionally we need read-write access on the datapump directory level.

                  Werner
                  • 6. Re: file permissions on data pump exports
                    247514
                    > I think Ajallen is right, the actual dumpfile is
                    > created by the OS and the file permissions depend on
                    > 'umask' setting of the particular user. Of course
                    > additionally we need read-write access on the
                    > datapump directory level.
                    >
                    > Werner

                    No, the 'umask' setting of the user doing the data pump will not affect the default permission of the dump file at OS level. Oracle will default to 640 permission.

                    And like I said, the dump file will by default be owned by the 'oracle' user:
                    %umask
                    22
                    %expdp userid=system schemas=testuser directory=imp_dir
                    %ls -ltr
                    -rw-r-----  1 oracle dba 205586432 May 29 13:40 expdat.dmp
                    • 7. Re: file permissions on data pump exports
                      812405
                      I realize this is an old posting but thought this additional information may be of use to anyone that finds it as I did while looking for workarounds for this issue.

                      If your dump directory is owned by an application user you can issue a "chmod g+s <dump directory name>". This will cause newly created files (including .dmp files created by expdp) to inherit the group from the dump directory rather than end up with the "dba" group. So then you are in control. Initially the owner of the file will still be "oracle" but once you compress or copy the file it will be owned by the user who executed that command. At this point the "oracle" user won't be able to read the file so you will have to issue a "chmod o+r <file name>" to allow impdp to work for the file.
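An added example, not part of any poster's reply: a shell check that a dump directory really has the setgid bit described in reply 7 and that each `.dmp` file in it carries the directory's group with group-read set. The function names, the scratch directory and the `expdat.dmp` file it creates are constructed for the demo; on a real system you would pass the OS path behind the Data Pump directory object.

```shell
#!/bin/sh
# Added example: audit a dump directory that relies on "chmod g+s".

# Print "<mode> <group>" for a path, parsed from ls -ld output.
mode_group() {
    ls -ld "$1" | awk '{print $1, $4}'
}

# audit_dump_dir DIR: prints findings, returns 0 only when nothing is flagged.
audit_dump_dir() {
    dir=$1; rc=0
    set -- $(mode_group "$dir"); dmode=$1; dgroup=$2
    # Character 7 of the mode string is group-execute; s or S means setgid.
    case $(printf %s "$dmode" | cut -c7) in
        s|S) echo "OK   $dir is setgid; new files inherit group $dgroup" ;;
        *)   echo "FAIL $dir is not setgid; new files keep the creator's group"
             rc=1 ;;
    esac
    for f in "$dir"/*.dmp; do
        [ -e "$f" ] || continue
        set -- $(mode_group "$f"); fmode=$1; fgroup=$2
        [ "$fgroup" = "$dgroup" ] ||
            { echo "FAIL $f has group $fgroup, expected $dgroup"; rc=1; }
        # Character 5 is group-read, character 8 is other-read.
        [ "$(printf %s "$fmode" | cut -c5)" = r ] ||
            { echo "FAIL $f is not group-readable ($fmode)"; rc=1; }
        [ "$(printf %s "$fmode" | cut -c8)" = - ] ||
            { echo "WARN $f is readable by every local user ($fmode)"; rc=1; }
    done
    return $rc
}

# Constructed demo: a scratch directory stands in for the Data Pump directory.
demo() {
    d=$(mktemp -d) || return 1
    chmod 2750 "$d"                      # setgid directory, nothing for others
    ( umask 027; : > "$d/expdat.dmp" )   # yields mode 640, as expdp produces
    audit_dump_dir "$d"; status=$?
    rm -rf "$d"
    return $status
}
demo
```

The WARN line fires for files that have had `chmod o+r` applied, since that mode lets every local account read the exported schema data; putting the reading accounts in the directory's group avoids it.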
                      • 8. Re: file permissions on data pump exports
                        user9067434
                        The previous post is the perfect solution we needed. Setting the sticky bit is simple and efficient.
                        • 9. Re: file permissions on data pump exports
                          852824
                          Many thanks to James Sinnott - your solution is excellent!
                          • 10. Re: file permissions on data pump exports
                            988012

                            Could you please elaborate more on how to use "chmod g+s <dump directory name>"?

                            After firing this on the directory, new file permissions still remain with oracle only. Other users do not get permission to do any operations on the dump file.