sunhux
asked on
installing/patching Oracle 11g, 12c, 19c requires umask of 022 (& umask 027 wont work)?
our DBA shared that he would run into issues with installing or applying Oracle 11g patches
if 'umask 027' is set & he requires it to be 'umask 022' (basically rwxr-xr-x for all Oracle DB
or its related files & folders).
Q1:
Is it the right practice for him to set either global umask (in /etc/profile) or Oracle's (in
$ORACLE_HOME/.profile)?
Or only set 'umask 022' in $ORACLE_HOME/.profile for the session he's installing/patching
& once it's over, set it back to 'umask 027'? External audit requires that we set individual
users' as well as global (in /etc/profile) umask to minimally 027
Q2:
Or what's the recommended practice??
Q3:
My gut feel is to identify which files/folders Oracle installation/patching requires &
set using Linux's (we use Oracle linux & RHEL 7) the relevant ACLs to give a granular
permission ie to fulfill 'need-to basis' : so we don't just grant entire group or 'Others'
Read (& Execute) unnecessarily. If we should adopt the ACL method, can anyone
share which files/folders in Oracle 12c & 19c requires which id (oracle id?) what
types of access (read, execute, write?)
if 'umask 027' is set & he requires it to be 'umask 022' (basically rwxr-xr-x for all Oracle DB
or its related files & folders).
Q1:
Is it the right practice for him to set either global umask (in /etc/profile) or Oracle's (in
$ORACLE_HOME/.profile)?
Or only set 'umask 022' in $ORACLE_HOME/.profile for the session he's installing/patching
& once it's over, set it back to 'umask 027'? External audit requires that we set individual
users' as well as global (in /etc/profile) umask to minimally 027
Q2:
Or what's the recommended practice??
Q3:
My gut feel is to identify which files/folders Oracle installation/patching requires &
set using Linux's (we use Oracle linux & RHEL 7) the relevant ACLs to give a granular
permission ie to fulfill 'need-to basis' : so we don't just grant entire group or 'Others'
Read (& Execute) unnecessarily. If we should adopt the ACL method, can anyone
share which files/folders in Oracle 12c & 19c requires which id (oracle id?) what
types of access (read, execute, write?)
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So setting 'umask 022' just before installation/patching should be good enough
& once it's over, it should be fine to set 'umask 027" thereafter?
We'll adopt this practice then as the patches only get applied once every 3-6
months so it's not too much of a hassle to change the umask once every 3-6
months.
in any case, is there an Oracle doc that lists which particular Oracle-related
files/folders need to be in rwxr-xr-x (ie resulting from umask 022 setting)?
& once it's over, it should be fine to set 'umask 027" thereafter?
We'll adopt this practice then as the patches only get applied once every 3-6
months so it's not too much of a hassle to change the umask once every 3-6
months.
in any case, is there an Oracle doc that lists which particular Oracle-related
files/folders need to be in rwxr-xr-x (ie resulting from umask 022 setting)?
ASKER
not even logfiles should be group/world readable.
Any concern if we set it to 022 during installation & once over, set it back to
umask 027?