7 Replies. Latest reply: Jan 5, 2013 3:43 PM by Catch 22

    Problem with dba group vs oinstall group

    955912
      Hi to all ;


      This is related to Oracle as well as some OS-related security problems. Please clarify it.
      I tried but couldn't solve it. All information is given here.

      Testing from user 'A'

      # useradd -m -g oinstall a

      # passwd a

      Changing password for user a.

      New UNIX password:

      BAD PASSWORD: its WAY too short

      Retype new UNIX password:

      passwd: all authentication tokens updated successfully.

      su - a

      [a@testorcl ~]$ export ORACLE_HOME=/u01/app/oracle/product/10.2.0/db_1

      $ export PATH=$PATH:$ORACLE_HOME/bin

      $ export ORACLE_SID=testdb

      $ sqlplus /nolog

      SQL*Plus: Release 10.2.0.1.0 - Production on Thu Jan 3 01:33:49 2013
      Copyright (c) 1982, 2005, Oracle.  All rights reserved.

      Testing From user 'b' :


      # useradd -m -g dba b

      # passwd b

      Changing password for user b.

      New UNIX password:

      BAD PASSWORD: its WAY too short

      Retype new UNIX password:

      passwd: all authentication tokens updated successfully.

      su - b

      Password:

      $ export ORACLE_HOME=/u01/app/oracle/product/10.2.0/db_1

      $ export PATH=$PATH:$ORACLE_HOME/bin

      $ export ORACLE_SID=testdb

      $ sqlplus /nolog

      sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory

      From oracle user, finding libsqlplus.so:

      [oracle@testorcl ~]$
      $ find / -name libsqlplus\* -ls 2>/dev/null

      1378188 1296 -rw-r----- 1 oracle oinstall 1319436 Jun 22 2005 /u01/app/oracle/product/10.2.0/db_1/lib/libsqlplus.a
      1378193 1028 -rw-r----- 1 oracle oinstall 1047293 Jun 22 2005 /u01/app/oracle/product/10.2.0/db_1/lib/libsqlplus.so

      SQLPLUS LOCATION with associated group

      $ ls -l $ORACLE_HOME
      drwxr-x--- 9 oracle oinstall 4096 Dec 24 03:28 sqlplus

      Please Note :

      User 'a' belongs to the oinstall group.
      User 'b' belongs to the dba group.

      My questions are:

      1. Why can the OS user access the database with the oinstall group?
      2. Why can't the OS user access the database with the dba group?

      Note: This is a concept of Oracle.

      To connect as sysdba using OS authentication, the UNIX OS user must be a part of the OSDBA (dba) group.
      Once the user is part of OSDBA group.


      But in the dba group, with OS user 'b', I can't connect with sqlplus. What's the real problem here?

      version : 10gr2
      $ uname -a
      Linux testorcl 2.6.9-42.0.0.0.1.ELsmp #1 SMP Sun Oct 15 14:02:40 PDT 2006 i686 athlon i386 GNU/Linux

      Edited by: 952909 on Jan 4, 2013 1:03 PM
        • 1. Re: Problem with dba group vs oinstall group
          Catch 22
          It seems to be working as it should, but the software is not set up correctly.

          <pre>
          sqlplus /nolog
          </pre>

          This starts the sqlplus executable, but does not prompt for username or password, and does not connect to the database. For administrative access, you will still need to issue "connect / as sysdba".

          <pre>
          sqlplus / as sysdba
          </pre>

          The OSDBA group name is linked in the oracle executable during the installation process. It is actually set in $ORACLE_HOME/rdbms/lib/config.c, and is usually DBA. To use OS authentication for administrative access, any user needs to be part of the OSDBA group.

          For any user to be able to run sqlplus, the user needs to have read and write access to the installed Oracle software.
          For any user to be able to have administrative access to the Oracle database and use OS authentication, the user needs to belong to the OSDBA group.
          > 1378188 1296 -rw-r----- 1 oracle oinstall 1319436 Jun 22 2005 /u01/app/oracle/product/10.2.0/db_1/lib/libsqlplus.a
          Your permissions are set incorrectly.

          Only user "oracle" or any user belonging to the "oinstall" group is able to read the files. User "a" in your example can run the sqlplus executable, but will not have administrative access to the Oracle database. User "b" in your example is part of the DBA group to satisfy Oracle's internal OSDBA requirement, but has no execute or read permission at the OS level.

          You can solve the problem by changing the permissions from 750 to 775. It is mentioned in the Oracle installation guide when setting up the Oracle software directory. You may have to reinstall the software, or under 10g try:

          $ cd $ORACLE_HOME/install
          $ ./changePerm.sh
          • 2. Re: Problem with dba group vs oinstall group
            955912
            Hi dude ;

            Thanks for your reply.

            So, you suggest I change the install directory permission from 750 to 775.


            $ cd install
            [oracle@testorcl install]$ ls -l
            total 240
            -rw-r-----  1 oracle oinstall      0 Jun  7  2005 createseed1.sh
            -rw-r-----  1 oracle oinstall      0 Jun  7  2005 createseed.sh
            -rw-r-----  1 oracle oinstall    977 Dec 24 03:29 envVars.properties
            drwxr-x---  2 oracle oinstall   4096 Dec 24 03:26 jlib
            -rw-r-----  1 oracle oinstall 194849 Dec 24 03:29 make.log
            -rwxr-xr-x  1 oracle oinstall      0 Dec 24 03:29 oratab
            -rw-r-----  1 oracle oinstall    132 Dec 24 04:01 portlist.ini
            -rw-r-----  1 oracle oinstall    221 Dec 24 04:02 readme.txt
            -rwxr-xr-x  1 oracle oinstall    824 Dec 24 03:28 rootdeletenode.sh
            -rw-r-----  1 oracle oinstall   9646 Dec 24 03:28 rootlocaladd
            -rw-r-----  1 oracle oinstall      0 Jun  7  2005 seed.log
            -rw-r-----  1 oracle oinstall   2800 Jun  7  2005 templocal
            drwxr-x---  2 oracle oinstall   4096 Dec 24 03:29 unix
            drwxr-x---  2 oracle oinstall   4096 Dec 24 03:28 utl

            Permission changed as per your suggestion:

            [oracle@testorcl db_1]$ chmod 775 install
            [oracle@testorcl db_1]$ ls -l
            drwxrwxr-x   5 oracle oinstall   4096 Dec 24 04:02 install

            Trying to find changePerm.sh:

            [oracle@testorcl db_1]$ cd install
            [oracle@testorcl install]$ ./changePerm.sh
            -bash: ./changePerm.sh: No such file or directory
            [oracle@testorcl install]$ cd

            [oracle@testorcl ~]$ whereis changePerm.sh
            changePerm:
            [oracle@testorcl ~]$

            In my testdb the file is not found ... Any suggestion to find it, dude?

            Please note:

            http://www.oracle-base.com/articles/10g/oracle-db-10gr2-installation-on-rhel-4.php

            The installation doc didn't say anything about changing permissions related to the install group (from 750 to 775).

            Can you please clarify this ?

            Thanks Dude ..
            • 3. Re: Problem with dba group vs oinstall group
              955912
              Hi Dude ;

              We followed these steps to install Oracle:

              Step 5:

              Create the new groups and users:

              # groupadd oinstall
              # groupadd dba
              # useradd -g oinstall -G dba oracle
              # passwd xxxxxx

              Create the directories where the Oracle software will be installed:

              # mkdir -p /u01/app/oracle/product/10.2.0/db_1
              # chown -R oracle.oinstall /u01

              Here, as per your 1st reply, what needs to be changed?
              • 4. Re: Problem with dba group vs oinstall group
                Catch 22
                > So, you suggest I change the install directory permission from 750 to 775.
                You need to change not only the directory permissions, but also change files inside accordingly, e.g. 775 or 771. 775 means owner and group have read+write+execute, anyone else read+execute. If a user is neither the oracle owner nor in the oinstall group, then permissions for others apply. Hence you need world read+execute for executable files.

                Users in the oinstall group need rwx to perform Oracle installation tasks, but not necessarily DBA access.

                Alternatively you could probably get rid of the oinstall group. In this case you will need the oracle account for software installations. Then you can set DBA group instead of oinstall. This way a user who belongs to DBA (OSDBA) has also read+execute access. It will still be a problem though if you want to give a user access without administrative privileges.
                > -bash: ./changePerm.sh: No such file or directory
                I don't have 10g installed. It's obsolete. So I cannot verify where it is, but there are plenty of references in Google. You can search for it.
                > Installation Doc didn't say anything to change permission related to install group ( from 750 to 775 )
                You might want to check the Oracle installation guide:

                http://www.oracle.com/pls/db102/homepage
                http://docs.oracle.com/cd/B19306_01/install.102/b15667/pre_install.htm#CHDHHEFG
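
Added example (not part of the original thread, and not Oracle's code): a small POSIX shell check that applies the owner/group/other rule described in replies 1 and 4 to the `libsqlplus.so` entry from the first post. The function names are hypothetical, and the mode of the `lib` directory is an assumption because the thread does not show it.

```shell
#!/bin/sh
# effective_perms MODE OWNER GROUP USER "USER_GROUPS"
# Prints the permission class that applies to USER and its rwx triplet.
# Classes are exclusive: owner is checked first, then group, else other.
effective_perms() {
    ep_mode=$1; ep_owner=$2; ep_group=$3; ep_user=$4; ep_groups=$5
    if [ "$ep_user" = "$ep_owner" ]; then
        echo "owner:$(printf '%s' "$ep_mode" | cut -c2-4)"
        return 0
    fi
    case " $ep_groups " in
        *" $ep_group "*) echo "group:$(printf '%s' "$ep_mode" | cut -c5-7)" ;;
        *)               echo "other:$(printf '%s' "$ep_mode" | cut -c8-10)" ;;
    esac
}

# first_blocker USER "USER_GROUPS"
# Reads "MODE OWNER GROUP PATH" lines on stdin, ordered from parent to file.
# Directories need x (traverse); the final file needs r (the loader reads it).
first_blocker() {
    fb_user=$1; fb_groups=$2
    while read -r fb_mode fb_owner fb_group fb_path; do
        fb_eff=$(effective_perms "$fb_mode" "$fb_owner" "$fb_group" "$fb_user" "$fb_groups")
        case "$fb_mode" in
            d*) fb_need=x ;;
            *)  fb_need=r ;;
        esac
        case "${fb_eff#*:}" in
            *"$fb_need"*) ;;
            *) echo "BLOCKED $fb_path ($fb_eff, needs $fb_need)"; return 0 ;;
        esac
    done
    echo "OK"
}

# Constructed input. The libsqlplus.so line (mode, owner, group) is taken from
# the thread's find output; the lib directory mode (755) is an assumption.
SAMPLE='drwxr-xr-x oracle oinstall /u01/app/oracle/product/10.2.0/db_1/lib
-rw-r----- oracle oinstall /u01/app/oracle/product/10.2.0/db_1/lib/libsqlplus.so'

check_user() { printf '%s\n' "$SAMPLE" | first_blocker "$1" "$2"; }

check_user a oinstall   # group class applies: r-- on the library
check_user b dba        # not owner, not in oinstall: "other" is ---
```

Membership in dba never enters the decision for user b, because the file's group is oinstall; OSDBA membership only matters once the binaries and libraries can be read.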
                • 5. Re: Problem with dba group vs oinstall group
                  955912
                  Hi Dude ;

                  OK, I planned to change a few things like this:

                  Step 5:

                  Create the directories where the Oracle software will be installed:

                  # mkdir -p /u01/app/oracle/product/10.2.0/db_1
                  # chown -R oracle.dba /u01

                  Is this recommended?

                  I mean the oracle user with the dba group instead of the oinstall group.
                  • 6. Re: Problem with dba group vs oinstall group
                    955912
                    Hi dude ;

                    I tried to find that file but am getting an error. Can you suggest what I should do here?

                    $ locate changePerm.sh

                    warning: locate: could not open database: /var/lib/slocate/slocate.db: No such file or directory
                    warning: You need to run the 'updatedb' command (as root) to create the database.
                    Please have a look at /etc/updatedb.conf to enable the daily cron job
                    • 7. Re: Problem with dba group vs oinstall group
                      Catch 22
                      > Is this recommended ?
                      It's not a current standard, but was in earlier versions. It is possible to do. However, I suggest to follow the Oracle documentation. See previous link.

                      It will probably be easier for you to reinstall the software than trying to fix your failed installation.

                      Please note that there is a separate forum for Oracle Database installation issues. It will be more suitable for this kind of question:
                      Database Installation

                      I suggest to close here and create a new thread there, with a reference link to this post.
                      > warning: locate: could not open database: /var/lib/slocate/slocate.db: No such file or directory
                      See "man locate" for info. If you don't know how to search for a file, try:

                      find /u01 -name "changePerm.sh"