Solved

Read only access to a user

Posted on 2016-07-27
Last Modified: 2016-08-30
Hi,

I have an Oracle database running on a Linux server.

The Oracle Base folder includes the Oracle Homes and other ORA files/configurations.

I have an issue with a user that needs access to the ORACLE Base folder, but I can only give her/him read-only access, so that she/he will be able to connect to the server using PuTTY or WinSCP and view only the Oracle files and anything in the ORA home in read mode.

A local user on the server is what they are asking for.

It is like creating a user with read-only access to the entire directory /opt/app/oracle.

How do I create a user that has such privileges without affecting my current Oracle installations and configurations?

  Regards,

     Joe Echavarría -
Question by: joe_echavarria
5 Comments
Expert Comment

by: slightwv (Netminder)
ID: 41732064
UNIX permissions are UNIX permissions.  If World has read/execute, then ANY user on the system can read/execute.

I believe you will find several programs with Oracle that have World read/execute.

There are also some files that you might not want ANY user to be able to read.

So, I'm not sure you can achieve what you are wanting.
Accepted Solution

by: Mark Geerlings (earned 2000 total points)
ID: 41733360
In my understanding, Linux doesn't directly support exactly what you are asking for, a "read-only user" account in the O/S. You may be able to get that effect *IF ALL* of the files in the /opt/app/oracle directory (and its sub-directories) have "world read" permission. You would also have to make sure that the /opt/app/oracle directory (and *ALL* sub-directories) have "world execute" permission, to allow a user to navigate into the directory to be able to read the files it contains. But this is likely not what a typical Oracle install gives you by default on Linux.

You could create a new Linux user and make sure that user account does *NOT* include the dba or oinstall groups (or any other group that files in the /opt/app/oracle directory belong to now). Then, as root, you could recursively add "world read" permission to all files in the /opt/app/oracle directory structure, and add "world execute" to all sub-directories in and under the /opt/app/oracle directory. Test this in a non-production system before you try it in production though.

Another option would be for you to re-locate files (like trace, log and output files) outside of the /opt/app/oracle directory to other locations, then make these other locations available to your new Linux user.  That way, the Oracle_home directory structure contains just the Oracle executable files, and most likely your other user doesn't need access to them at all.
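The procedure in the accepted answer, as an added shell example that is not part of the thread: audit which directories lack "world execute" and which files lack "world read" under the Oracle base, then add only those bits. It also covers the caveat raised in the first comment, that some files must not become readable by every user: the name patterns for the Oracle password file (orapw<SID>) and wallet/keystore files are an assumption for this example and should be extended for your installation. The script name and the /opt/app/oracle path are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): audit, then grant, the bits the accepted
# answer describes ("world read" on files, "world execute" on directories) under
# the Oracle base, while refusing to expose files that must stay unreadable.
#   sh oracle_ro_access.sh audit /opt/app/oracle   # what the new user can't see yet
#   sh oracle_ro_access.sh grant /opt/app/oracle   # as root, add the bits
# Try it on a non-production copy first and record the current modes before
# changing them; chmod keeps no history.

# ASSUMPTION: these name patterns cover the Oracle password file (orapw<SID>)
# and wallet/keystore files; extend the list for your installation.
is_sensitive() {
    case "$(basename -- "$1")" in
        orapw*|*.p12|*.sso|*.jks) return 0 ;;
    esac
    return 1
}

# Print directories that "others" cannot traverse (no o+x) and non-sensitive
# regular files that "others" cannot read (no o+r).  Empty output means a user
# outside the dba/oinstall groups can already browse and read the tree.
audit_tree() {
    find "$1" -type d ! -perm -001 -print
    find "$1" -type f ! -perm -004 -print | while IFS= read -r _f; do
        is_sensitive "$_f" || printf '%s\n' "$_f"
    done
}

# Add the minimum bits: o+rx on directories (x to traverse, r so WinSCP or "ls"
# can list them), o+r on non-sensitive files.  Nothing is removed, and the
# owner/group bits Oracle relies on are untouched.
grant_tree() {
    find "$1" -type d -exec chmod o+rx {} +
    find "$1" -type f ! -perm -004 -print | while IFS= read -r _f; do
        if is_sensitive "$_f"; then
            printf 'skipped sensitive file: %s\n' "$_f" >&2
        else
            chmod o+r "$_f"
        fi
    done
}

# Post-check that must print 0: sensitive files that are world-readable, either
# because they already were or because a pattern is missing above.
count_exposed_sensitive() {
    find "$1" -type f -perm -004 -print | while IFS= read -r _f; do
        is_sensitive "$_f" && printf '%s\n' "$_f"
    done | wc -l | tr -d ' '
}

case "${1:-}" in
    audit) audit_tree "$2" ;;
    grant) grant_tree "$2"
           printf 'world-readable sensitive files: %s\n' "$(count_exposed_sensitive "$2")" ;;
esac
```

Run "audit" first and look at what it lists: anything there that you would not hand to an arbitrary local account (password files, wallets, listener or network configuration with credentials) belongs in the sensitive list, not in the chmod.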
Expert Comment

by: sdstuber
ID: 41733489
If your Linux supports SELinux, you could try that as a means of defining a policy for all of those objects. (RedHat and Oracle do.)

I will admit I have not attempted such, but my understanding (albeit limited) of that functionality is it will allow granular control of privileges as you have described.
Expert Comment

by: tfewster
ID: 41733839
I believe it can be done safely with sudo: allow the user to execute
ls /opt/app/oracle/*
cat /opt/app/oracle/*
(and tail -f is handy)
as root.

That allows them to do slightly more sophisticated stuff like
`sudo cat /opt/app/oracle/restrictedfile | sed`; note that sed is executed as the unprivileged id, not root. (It may be possible to escape pipes and redirects to abuse this - I don't know.)

Don't give them sudo rights to view or sed, as those commands can be abused. If they need to do anything like that with the file, they can `cat restrictedfile > /tmp/mycopy` and play with it there.
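An added example (not from the thread) of how the sudo approach above can be made safe. sudoers(5) documents that command-line arguments are matched against a wildcard as one space-separated string, so a rule like `cat /opt/app/oracle/*` also allows `sudo cat /opt/app/oracle/x /etc/shadow` and, because sudo does not canonicalize paths, `sudo cat /opt/app/oracle/../../../etc/shadow`. The usual fix is to grant a single wrapper instead of `cat` with a glob; the wrapper below takes one path, canonicalizes it, refuses symlinks and anything outside the allowed root or matching a sensitive-name pattern, then reads it. The install path /usr/local/sbin/oracat, the user name oracle_ro and the sensitive patterns are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the thread): "oracat", a read-only viewer meant to be
# the ONLY command the account may run through sudo, instead of a wildcard rule:
#     oracle_ro ALL=(root) NOPASSWD: /bin/cat /opt/app/oracle/*
# sudoers(5) matches the whole argument string against that wildcard, so it also
# permits "sudo cat /opt/app/oracle/x /etc/shadow" (the * spans the space) and
# "sudo cat /opt/app/oracle/../../../etc/shadow" (no canonicalization).
# ASSUMPTIONS: installed root-owned 0755 as /usr/local/sbin/oracat and granted with
#     oracle_ro ALL=(root) NOPASSWD: /usr/local/sbin/oracat
# The user name, install path and patterns are placeholders for this example.

ALLOWED_ROOT=${ORACAT_ROOT:-/opt/app/oracle}

# Resolve $1 to an absolute path with symlinked or ".." directory components
# removed (cd -P + pwd -P), accepting only a regular, non-symlink final component.
canonical_path() {
    case "$1" in /*) _arg=$1 ;; *) _arg=./$1 ;; esac   # relative paths are fine
    _dir=$(cd -P "$(dirname -- "$_arg")" 2>/dev/null && pwd -P) || return 1
    _base=$(basename -- "$_arg")
    [ "$_dir" = / ] && _dir=                 # avoid "//name" for files in /
    [ -L "$_dir/$_base" ] && return 1        # final component must not be a link
    [ -f "$_dir/$_base" ] || return 1        # regular files only
    printf '%s\n' "$_dir/$_base"
}

# Print the canonical path if it lies under ALLOWED_ROOT and is not a file that
# must stay unreadable; return 1 otherwise.
allowed_path() {
    _p=$(canonical_path "$1") || return 1
    case "$_p" in
        "$ALLOWED_ROOT"/*) ;;                # quoted prefix is literal, /* is the glob
        *) return 1 ;;
    esac
    case "$(basename -- "$_p")" in           # ASSUMPTION: password file and wallets
        orapw*|*.p12|*.sso|*.jks) return 1 ;;
    esac
    printf '%s\n' "$_p"
}

main() {
    [ $# -eq 1 ] || { echo 'usage: oracat FILE' >&2; return 64; }
    _f=$(allowed_path "$1") || { echo "oracat: refused: $1" >&2; return 1; }
    exec cat -- "$_f"
}

# Behave as a command only when given arguments (how sudo invokes it).
[ $# -ge 1 ] && main "$@"
```

The wrapper deliberately does no pager and no editor: `less`, `vi`/`view` and friends can spawn a shell, which is the abuse the comment above warns about. The pipe-and-redirect question is answered by the same design, since everything after `sudo oracat file` runs as the invoking user.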
Expert Comment

by: Geert Gruwez
ID: 41740485
Does the user really need access to the server? To access trace files I copy those to a shared location.

Recent versions of Toad have the ability to read/analyze trace files. However, Toad thinks it wants access to the database server for this. Placing the files in a shared location also works.