Link to home
Create AccountLog in
Avatar of sunhux
sunhux

asked on

installing/patching Oracle 11g, 12c, 19c requires umask of 022 (& umask 027 wont work)?

our DBA shared that he would run into issues with installing or applying Oracle 11g patches
if 'umask 027' is set  & he requires it to be 'umask 022'  (basically rwxr-xr-x  for all Oracle DB
or its related files &  folders).

Q1:
Is it the right practice for him to set  either  global umask (in /etc/profile) or Oracle's  (in
$ORACLE_HOME/.profile)?

Or only set  'umask 022' in $ORACLE_HOME/.profile for the session he's installing/patching
& once it's over, set it back to 'umask 027'?   External audit requires that we set individual
users'  as well as global (in /etc/profile) umask to minimally 027

Q2:
Or what's the recommended practice??

Q3:
My gut feel is to identify which files/folders  Oracle installation/patching requires &
set using Linux's  (we use Oracle linux & RHEL 7)  the relevant ACLs to give a granular
permission ie to fulfill 'need-to basis' : so we don't just grant entire group or 'Others'
Read (& Execute)  unnecessarily.  If we should adopt the ACL method,  can anyone
share which files/folders in Oracle 12c & 19c requires which id (oracle id?) what
types of access (read, execute, write?)
SOLUTION
Avatar of Ora_Techie
Ora_Techie

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of sunhux
sunhux

ASKER

Both links recommend umask 022 but this is precisely what auditors don't want,
not even logfiles should be group/world readable.

Any concern if we set it to 022 during installation & once over, set it back to
umask 027?
ASKER CERTIFIED SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Avatar of sunhux

ASKER

So setting 'umask 022' just before installation/patching should be good enough
& once it's over, it should be fine to set 'umask 027" thereafter?

We'll adopt this practice then as the patches only get applied once every 3-6
months so it's not too much of a hassle to change the umask once every 3-6
months.

in any case, is there an Oracle doc that lists which particular Oracle-related
files/folders need to be in rwxr-xr-x (ie  resulting from umask 022  setting)?