Solved

Read only access to a user

Posted on 2016-07-27
Last Modified: 2016-08-30
Hi,

I have Oracle databases running on a Linux server.

The Oracle Base folder includes Oracle Homes and other ORA files/configurations.

I have an issue with a user that needs access to the ORACLE Base folder, but I can only give it read-only access, so that she/he will be able to connect to the server using Putty or WinSCP and be able to view only the Oracle files and anything in the ORA home with read mode access.

A local user in the server is what they are asking for.

It is like creating a user with read-only access to the entire directory /opt/app/oracle.

How do I create a user that has such privileges and that does not affect my current Oracle installations and configurations?

Regards,

Joe Echavarría -
Question by:joe_echavarria
5 Comments
LVL 76

Expert Comment

by:slightwv (Netminder)
ID: 41732064
UNIX permissions are UNIX permissions.  If World has read/execute, then ANY user on the system can read/execute.

I believe you will find several programs with Oracle that have World read/execute.

There are also some files that you might not want ANY user to be able to read.

So, I'm not sure you can achieve what you are wanting.
LVL 34

Accepted Solution

by:
Mark Geerlings earned 500 total points
ID: 41733360
In my understanding, Linux doesn't directly support exactly what you are asking for, a "read only user" account in the O/S.  You may be able to get that effect, *IF ALL* of the files in the /opt/app/oracle directory (and sub-directories) have "world read" permissions.  You would also have to make sure that the /opt/app/oracle directory (and *ALL* sub-directories) have "world execute" permission, to allow a user to navigate into the directory to be able to read the files it contains.  But, this is likely not what a typical Oracle install gives you by default on Linux.

You could create a new Linux user and make sure that user account does *NOT* include the dba or oinstall groups (or any other group that files in the /opt/app/oracle directory belong to now).  Then, as root, you could recursively add "world read" permission to all files in the /opt/app/oracle directory structure, and add "world execute" to all sub-directories in and under the /opt/app/oracle directory.  Test this in a non-production system before you try it in production though.

Another option would be for you to re-locate files (like trace, log and output files) outside of the /opt/app/oracle directory to other locations, then make these other locations available to your new Linux user.  That way, the Oracle_home directory structure contains just the Oracle executable files, and most likely your other user doesn't need access to them at all.
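As an added illustration of the accepted answer's approach (this is not code from the thread), the following POSIX shell functions first audit which files under a tree lack world-read and which directories lack world-execute, then add exactly those two bits. The patterns that skip password files and wallets are an assumption about what is sensitive in this install, and, as the answer says, it belongs on a test system first.

```shell
#!/bin/sh
# Added example, not from the thread: audit and then apply the two
# permission bits Mark describes (o+r on files, o+x on directories)
# under an Oracle base tree. Run the audit first and review the list.

# Regular files under $1 that a user outside dba/oinstall cannot read.
files_missing_world_read() {
    find "$1" -type f ! -perm -004
}

# Directories under $1 the user cannot traverse (no world-execute).
dirs_missing_world_exec() {
    find "$1" -type d ! -perm -001
}

# Anything world-writable is a defect to fix, never a bit to add.
world_writable() {
    find "$1" -perm -002 ! -type l
}

# Number of objects that still block a read-only user; 0 means the
# tree is browsable end to end by "others".
count_blockers() {
    { files_missing_world_read "$1"; dirs_missing_world_exec "$1"; } \
        | wc -l | tr -d ' '
}

# Apply the fix. Credential files are skipped so that opening the tree
# does not expose them (assumption: orapw* password files and *.sso/*.p12
# wallets are the sensitive names in this install; extend as needed).
open_tree_read_only() {
    find "$1" -type d -exec chmod o+x {} +
    find "$1" -type f ! -name 'orapw*' ! -name '*.sso' ! -name '*.p12' \
        -exec chmod o+r {} +
}
```

Run `count_blockers /opt/app/oracle` as root before and after `open_tree_read_only`; any credential file it still reports is meant to stay unreadable.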
LVL 73

Expert Comment

by:sdstuber
ID: 41733489
If your Linux supports SELinux, you could try that as a means of defining a policy for all of those objects.  (RedHat and Oracle do)

I will admit I have not attempted such, but my understanding (albeit limited) of that functionality is it will allow granular control of privileges as you have described.
LVL 20

Expert Comment

by:tfewster
ID: 41733839
I believe it can be done safely with sudo; allow the user to execute
ls /opt/app/oracle/*
cat /opt/app/oracle/*
(and tail -f is handy)
as root.

That allows them to do slightly more sophisticated stuff like
`sudo cat /opt/app/oracle/restrictedfile | sed`; note that sed is executed as the unprivileged id, not root. (It may be possible to escape pipes and redirects to abuse this - I don't know)

Don't give them sudo rights to view or sed, as those commands can be abused; if they need to do anything like that with the file, they can `cat restrictedfile > /tmp/mycopy` and play with it there.
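A tighter form of the sudo idea above, added here and not from the thread: instead of granting `cat` and `ls` with a wildcard argument, sudoers names one fixed wrapper script that only opens regular files inside the base directory, after resolving symlinks, and refuses credential files. It assumes GNU readlink and the /opt/app/oracle path from the question; the sudoers line and the credential-file name patterns are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a fixed read-only viewer meant to
# be the ONLY command granted in sudoers, replacing wildcard entries such
# as "cat /opt/app/oracle/*". Assumes GNU readlink; ORA_BASE defaults to
# the path in the question. Hypothetical sudoers line:
#   oraviewer ALL=(root) NOPASSWD: /usr/local/bin/oraview
ORA_BASE="${ORA_BASE:-/opt/app/oracle}"

# Print the canonical path of $1 and return 0 if it is a regular file
# strictly inside ORA_BASE (symlinks resolved first, so a link pointing
# outside the tree is refused) and not a credential file; else return 1.
oraview_allowed() {
    base=$(readlink -f -- "$ORA_BASE") || return 1
    real=$(readlink -f -- "$1") || return 1
    case "$real" in
        "$base"/*) ;;        # trailing slash: /opt/app/oracleX must not match
        *) return 1 ;;
    esac
    [ -f "$real" ] || return 1     # no directories, devices or sockets
    case "${real##*/}" in
        orapw*|*.sso|*.p12) return 1 ;;   # assumption: credential names here
    esac
    printf '%s\n' "$real"
}

# oraview FILE [cat|tail]: show FILE read-only or refuse with a reason.
# The resolved path, not the user's argument, is what gets opened.
oraview() {
    real=$(oraview_allowed "$1") || { echo "oraview: refused: $1" >&2; return 1; }
    case "${2:-cat}" in
        cat)  cat -- "$real" ;;
        tail) tail -f -- "$real" ;;
        *)    echo "oraview: mode must be cat or tail" >&2; return 2 ;;
    esac
}
```

Because sudoers grants only this script with no free-form arguments to `cat`, the user's own `sed` or redirection still runs unprivileged, which is the property the answer above relies on.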
LVL 37

Expert Comment

by:Geert Gruwez
ID: 41740485
Does the user really need access to the server?
To access trace files I copy those to a shared location.

Recent versions of Toad have the ability to read/analyze trace files.
However, Toad thinks it wants access to the database server for this.
Placing the files in a shared location also works.