Unix/Linux: Sharing Oracle owned directories/files with other users using ACL

Nobody wants to give 777 permissions to users on a production environment. I also wanted to keep a few application users away from my Oracle server software, so I installed a separate Oracle client for them and granted permissions on it to a specific user/group. Also, Oracle-generated files like Data Pump exports and traces can have ownership oracle:dba, and users outside the dba group cannot access them. But using ACLs, we can give appropriate permissions to users without having to give permissions to the world. (Another way is to add the two users to one group and set group-level permissions, but this may not always be feasible.)

So here are a few notes on ACLs (Access Control Lists).

For "Others" to be able to access the Oracle Executable

myserver:/myetl > sqlplus  
-bash: sqlplus: command not found  
myserver:/myetl > su -  
Password:  
[root@myserver ~]# cd /export/apps/oracli/  
[root@myserver oracli]# ls  
10.2.0  lost+found  
[root@myserver oracli]# setfacl -Rm u:myetl:rwx * 10.2.0/  
[root@myserver oracli]# getfacl --all-effective 10.2.0/  
# file: 10.2.0  
# owner: oracle  
# group: dba  
user::rwx  
user:myetl:rwx               #effective:rwx  
group::r-x                      #effective:r-x  
mask::rwx  
other::---

myserver:/myetl > sqlplus system@prdoms

SQL*Plus: Release 10.2.0.1.0 - Production on Fri Mar 14 11:42:39 2008

Copyright (c) 1982, 2005, Oracle.  All rights reserved.

Enter password:

Connected to:  
Oracle Database 10g Enterprise Edition Release 10.1.0.4.0 - Production  
With the Partitioning, OLAP and Data Mining options

SQL>  

For Oracle to be able to write to a directory owned by "others"

[root@myserver oracli]# cd /myetl  
[root@myserver myetl]# ls -l  
total 28  
drwxrwx--- 13 myetl myetl  4096 Mar 14 11:31 archive  
drwxr-xr-x  5 myetl myetl  4096 Mar 14 11:35 ext  
drwx------  2 root     root     16384 Mar 14 08:01 lost+found  
-rw-r--r--  1 root     root       878 Mar 14 11:28 sqlnet.log  
[root@myserver myetl]# rm sqlnet.log  
rm: remove regular file `sqlnet.log'? y  
[root@myserver myetl]# setfacl -Rm u:oracle::rwx *  
setfacl: Option -m: Invalid argument near character 10  
[root@myserver myetl]# ls -l  
total 24  
drwxrwx--- 13 myetl myetl  4096 Mar 14 11:31 archive  
drwxr-xr-x  6 myetl myetl  4096 Mar 14 11:39 ext  
drwx------  2 root     root     16384 Mar 14 08:01 lost+found  
[root@myserver myetl]# setfacl -Rm u:oracle:rwx *  
setfacl: archive: Operation not supported  
setfacl: archive/oess: Operation not supported  
setfacl: archive/pps: Operation not supported  
setfacl: archive/cbh: Operation not supported  
setfacl: archive/bhsi: Operation not supported   <-- These errors are due to the filesystem not being mounted with ACL support. To resolve, please continue to read...

vi /etc/fstab

Changed : /dev/vol01/myetl       /myetl     ext3    defaults        1 2  
to  
/dev/vol01/myetl       /myetl     ext3    defaults,acl        1 2

umount /myetl  
mount /myetl

setfacl -Rm u:oracle:rwx *  
setfacl -Rm g:dba:rwx *

getfacl --all-effective *

[root@myserver myetl]# getfacl --all-effective *  
# file: archive  
# owner: myetl  
# group: myetl  
user::rwx  
user:oracle:rwx                 #effective:rwx  
group::rwx                      #effective:rwx  
group:dba:rwx                   #effective:rwx  
mask::rwx  
other::---
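One caveat behind the "#effective:" column above: named user and group entries are ANDed with mask::, and a plain chmod on the directory rewrites that mask, so oracle can silently lose write access after the ACL is set. As an added example (not from the original post), this POSIX shell helper recomputes the effective rights from getfacl text and checks an fstab entry for the acl option; the ACL and fstab text are constructed samples, and the "chmod 750 archive" that reset the mask is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Inputs are constructed samples:
# the /myetl/archive ACL from above after an assumed "chmod 750 archive",
# which rewrites mask:: to r-x, plus a two-line fstab.
SAMPLE_ACL='# file: archive
# owner: myetl
# group: myetl
user::rwx
user:oracle:rwx
group::rwx
group:dba:rwx
mask::r-x
other::---'
SAMPLE_FSTAB='/dev/vol01/myetl  /myetl  ext3  defaults,acl  1 2
/dev/vol01/stage  /stage  ext3  defaults      1 2'
# "rwx"-style string <-> octal digit
perm_to_bits() {
  b=0
  case $1 in *r*) b=$((b + 4)) ;; esac
  case $1 in *w*) b=$((b + 2)) ;; esac
  case $1 in *x*) b=$((b + 1)) ;; esac
  echo "$b"
}
bits_to_perm() {
  r=-; w=-; x=-
  [ $(($1 & 4)) -ne 0 ] && r=r
  [ $(($1 & 2)) -ne 0 ] && w=w
  [ $(($1 & 1)) -ne 0 ] && x=x
  echo "$r$w$x"
}
# effective_perm ACL_TEXT TAG  (TAG: user:oracle, group:dba, user:, group:, other:)
# Named users, named groups and the owning group are ANDed with mask::;
# the owner (user:) and other: are never masked.
effective_perm() {
  perm=$(printf '%s\n' "$1" | awk -F: -v t="$2" '($1 ":" $2) == t { print $3; exit }')
  [ -n "$perm" ] || return 1
  mask=$(printf '%s\n' "$1" | awk -F: '$1 == "mask" { print $3; exit }')
  case $2 in user:|other:) echo "$perm"; return 0 ;; esac
  [ -n "$mask" ] || { echo "$perm"; return 0; }
  bits_to_perm $(( $(perm_to_bits "$perm") & $(perm_to_bits "$mask") ))
}
# fstab_has_acl FSTAB_TEXT MOUNTPOINT -> succeeds if that mount lists "acl" in its options
fstab_has_acl() {
  printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp {
    n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "acl") found = 1 }
    END { exit !found }'
}
effective_perm "$SAMPLE_ACL" user:oracle   # prints r-x: the chmod cut oracle's write bit
fstab_has_acl "$SAMPLE_FSTAB" /stage || echo "/stage: add acl to its fstab options and remount"
```

Run getfacl after any chmod, cp, tar or rsync on these trees, since those tools drop or reshape ACLs unless told to keep them (rsync -A, getfacl -R with setfacl --restore).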