  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 368
Read only access to a user

Hi,

I have an Oracle database running on a Linux server.

The Oracle Base folder includes the Oracle Homes and other ORA files/configurations.

I have an issue with a user that needs access to the ORACLE Base folder, but I can only give it read-only access, so that she/he will be able to connect to the server using PuTTY or WinSCP and view only the Oracle files and anything in the ORA home with read-mode access.

A local user in the server is what they are asking for.

It is like creating a user with read-only access to the entire directory /opt/app/oracle.

How do I create a user that has such privileges and does not affect my current Oracle installations and configurations?

Regards,

Joe Echavarría
Asked: joe_echavarria
1 Solution
 
slightwv (Netminder) Commented:
UNIX permissions are UNIX permissions.  If World has read/execute, then ANY user on the system can read/execute.

I believe you will find several programs with Oracle that have World read/execute.

There are also some files that you might not want ANY user to be able to read.

So, I'm not sure you can achieve what you are wanting.
Mark Geerlings, Database Administrator, Commented:
In my understanding, Linux doesn't directly support exactly what you are asking for, a "read only user" account in the O/S. You may be able to get that effect, *IF ALL* of the files in the /opt/app/oracle directory (and sub-directories) have "world read" permissions. You would also have to make sure that the /opt/app/oracle directory (and *ALL* sub-directories) have "world execute" permission, to allow a user to navigate into the directory to be able to read the files it contains. But this is likely not what a typical Oracle install gives you by default on Linux.

You could create a new Linux user and make sure that user account does *NOT* include the dba or oinstall groups (or any other group that files in the /opt/app/oracle directory belong to now). Then, as root, you could recursively add "world read" permission to all files in the /opt/app/oracle directory structure, and add "world execute" to all sub-directories in and under the /opt/app/oracle directory. Test this in a non-production system before you try it in production though.

Another option would be for you to re-locate files (like trace, log and output files) outside of the /opt/app/oracle directory to other locations, then make these other locations available to your new Linux user.  That way, the Oracle_home directory structure contains just the Oracle executable files, and most likely your other user doesn't need access to them at all.
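As an added example (this is not code from Mark Geerlings or anyone else in this thread), the POSIX shell script below turns the steps he describes into checkable functions: an audit of what currently blocks a non-member user, the recursive world-read/world-execute change, and a check that the new account shares no group with the files under the base. The base path `/opt/app/oracle` comes from the question; the account name `orareader` and the `audit`/`fix`/`check`/`create` sub-commands are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not code from Mark Geerlings or the thread). It turns the
# steps above into functions: audit what currently blocks a non-member user,
# apply world-read on files and world-execute on directories, and check that
# the new account shares no group with the files. Base path and user name
# are assumptions; override them in the environment.
ORACLE_BASE="${ORACLE_BASE:-/opt/app/oracle}"
RO_USER="${RO_USER:-orareader}"

# Print every path under $1 that a user outside the owning group cannot use:
# regular files without world read (o+r), directories without world execute (o+x).
# This is also exactly the list the fix would expose, so review it first for
# anything that must stay private (slightwv's point above).
audit_world_access() {
    find "$1" -type f ! -perm -004
    find "$1" -type d ! -perm -001
}

# Number of blocking paths; 0 means a read-only user can reach everything.
count_blocking() {
    audit_world_access "$1" | wc -l | tr -d ' '
}

# Apply the change. Only o+r / o+x are added; no write bit is ever granted.
grant_world_read() {
    find "$1" -type f -exec chmod o+r {} +
    find "$1" -type d -exec chmod o+x {} +
}

# Print each of user $1's groups that owns at least one path under $2.
# Empty output means the account meets Mark's "not dba/oinstall" condition.
shared_groups() {
    for g in $(id -nG "$1"); do
        if [ -n "$(find "$2" -group "$g" 2>/dev/null | head -n 1)" ]; then
            echo "$g"
        fi
    done
}

# Create the account (root only; not exercised by the checks). useradd's
# default gives it a private primary group and no supplementary groups.
create_readonly_user() {
    useradd -m -s /bin/bash "$RO_USER" && passwd "$RO_USER"
}

case "${1:-}" in
    audit)  audit_world_access "$ORACLE_BASE" ;;
    fix)    grant_world_read "$ORACLE_BASE" ;;
    check)  shared_groups "$RO_USER" "$ORACLE_BASE" ;;
    create) create_readonly_user ;;
    "")     ;;   # sourced or run without arguments: define functions only
esac
```

Run `audit` first and read the list; every file on it becomes readable by every account on the box once `fix` is applied, which is the reservation slightwv raises above. `check` should print nothing for the new account; if it prints `dba` or `oinstall`, the user was added to a group that owns part of the tree and is no longer read-only.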
sdstuber Commented:
If your Linux supports SELinux, you could try that as a means of defining a policy for all of those objects. (RedHat and Oracle do.)

I will admit I have not attempted such, but my understanding (albeit limited) of that functionality is it will allow granular control of privileges as you have described.
tfewster Commented:
I believe it can be done safely with sudo: allow the user to execute `ls /opt/app/oracle/*` and `cat /opt/app/oracle/*` (and `tail -f` is handy) as root.

That allows them to do slightly more sophisticated stuff like `sudo cat /opt/app/oracle/restrictedfile | sed`; note that sed is executed as the unprivileged id, not root. (It may be possible to escape pipes and redirects to abuse this - I don't know.)

Don't give them sudo rights to `view` or `sed`, as those commands can be abused; if they need to do anything like that with the file, they can `cat restrictedfile > /tmp/mycopy` and play with it there.
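As an added example (not code from tfewster or anyone else in this thread), here is one way to put his sudo idea into practice while narrowing what root will actually run. The sudoers(5) manual notes that command-line arguments are matched as a single space-separated string, so a rule ending in `/opt/app/oracle/*` also matches a command line that carries further arguments after the first path. The script below therefore acts as a small wrapper that root executes: it accepts exactly one path, checks that it is a regular file whose directory resolves inside the base, and only then reads it. The base path is from the question; the wrapper location `/usr/local/sbin/orabase-cat`, the account name `orareader` and the drop-in file name are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from tfewster or the thread. sudoers matches a
# command's arguments as one space-separated string, so a rule written as
# "cat /opt/app/oracle/*" also accepts extra arguments after the first path.
# Instead, root runs this wrapper, which takes exactly one path and checks
# that it resolves inside the base before reading it. Wrapper location,
# user name and base path are assumptions.
ORACLE_BASE="${ORACLE_BASE:-/opt/app/oracle}"
RO_USER="${RO_USER:-orareader}"
WRAPPER="${WRAPPER:-/usr/local/sbin/orabase-cat}"

# Return 0 only if $1 is an existing regular file, is not itself a symlink,
# and its directory (symlinks resolved) lies under base $2.
path_inside_base() {
    target=$1
    base=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    [ -f "$target" ] || return 1
    [ -L "$target" ] && return 1
    dir=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) || return 1
    case "$dir/$(basename "$target")" in
        "$base"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the file if it passes the check; refuse anything else.
safe_cat() {
    [ $# -eq 1 ] || { echo "usage: orabase-cat FILE" >&2; return 2; }
    path_inside_base "$1" "$ORACLE_BASE" || { echo "refused: $1" >&2; return 1; }
    cat -- "$1"
}

# The sudoers drop-in: absolute command path, NOPASSWD for convenience, and
# log_output so every read is recorded. NOEXEC is deliberately not used here:
# the wrapper is a shell script that must run cat, and NOEXEC would block that.
# NOEXEC is the tag to add when granting a pager or editor binary directly.
render_sudoers_fragment() {
    cat <<EOF
# read-only access to ${ORACLE_BASE} for ${RO_USER} (generated example)
Defaults:${RO_USER} log_output
${RO_USER} ALL=(root) NOPASSWD: ${WRAPPER} ${ORACLE_BASE}/*
EOF
}

# Write the fragment only after visudo -c accepts it, so a syntax error never
# breaks sudo for everyone (root only; not exercised by the checks).
install_sudoers_fragment() {
    tmp=$(mktemp) || return 1
    render_sudoers_fragment > "$tmp"
    visudo -cf "$tmp" && install -m 0440 "$tmp" /etc/sudoers.d/oracle-readonly
    rm -f "$tmp"
}

case "${1:-}" in
    "")        ;;                          # no args: define functions only
    --render)  render_sudoers_fragment ;;
    --install) install_sudoers_fragment ;;
    *)         safe_cat "$@" ;;
esac
```

The wrapper refuses symlinked files and resolves the directory with `pwd -P`, so a link placed under the base that points elsewhere is not followed; the user reads with `sudo /usr/local/sbin/orabase-cat /opt/app/oracle/diag/.../alert.log` and pipes the output to `sed` or `tail` as their own account, which keeps tfewster's point that only the read runs as root.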
Geert G, Oracle dba, Commented:
Does the user really need access to the server?
To access trace files I copy those to a shared location.

Recent versions of Toad have the ability to read/analyze trace files.
However, Toad thinks it wants access to the database server for this.
Placing the files in a shared location also works.
Question has a verified solution.