
Question on 'setuid' when starting up Oracle instance as a member of OS dba group

Judy Xiao
Occasional Contributor


I'm an Oracle DBA who recently switched from Solaris/Linux to HP-UX. I'd appreciate some help from this forum in explaining how 'setuid' for the oracle binary works differently on HP-UX when different DBA members start up the database using their own unix accounts. I did not see any problem before with Solaris/Linux.

Both OS 'oracle' user and our DBAs are in the OS dba group. The OS 'oracle' user is the oracle binary owner. With the 'setuid/setgid' set on the oracle binary ($ORACLE_HOME/bin/oracle), Oracle allows the specific users (that are in OS dba group) to connect to db as SYSOPER/SYSDBA and to perform STARTUP/SHUTDOWN db without switching to OS user 'oracle'.

>ls -l $ORACLE_HOME/bin/oracle
-rwsr-s--x 1 oracle dba 38524376 Oct 16 2005 /opt/oracle/product/ora8174_64/bin/oracle

>more /etc/group | grep dba
dba::203:oracle,dbauser2,dbauser3,dbauser1,oraapp2

>more /etc/passwd | grep oracle
oracle:x:301:203::/home/oracle:/usr/bin/ksh

>more /etc/passwd | grep dbauser1
dbauser1:x:24037:203::/home/dba/dbauser1:/usr/bin/ksh

My question is that, when a dba user starts up the oracle instance as himself, the oracle processes are supposed to be owned by the oracle binary owner 'oracle' (seen on Solaris/Linux); while on HP-UX 11.23 now, we noticed that the db starter (i.e. dbauser1 in this case) appears to be the owner of those processes.

>id
uid=24037(dbauser1) gid=203(dba)

SQL> !ps -efa | grep dbauser1
dbauser1 25590 1 0 Sep 24 ? 7:50 ora_dbw0_ORCL
dbauser1 12214 1 0 Sep 24 ? 7:09 ora_arc1_ORCL
dbauser1 25604 1 0 Sep 24 ? 0:00 ora_reco_ORCL
dbauser1 25594 1 0 Sep 24 ? 7:49 ora_dbw2_ORCL
dbauser1 25602 1 0 Sep 24 ? 0:53 ora_smon_ORCL
dbauser1 25592 1 0 Sep 24 ? 7:48 ora_dbw1_ORCL
dbauser1 4134 4131 0 10:16:43 pts/te 0:00 -ksh
dbauser1 25606 1 0 Sep 24 ? 77:47 ora_snp0_ORCL
dbauser1 6693 4134 0 10:20:13 pts/te 0:00 sqlplus / as sysdba
dbauser1 25588 1 0 Sep 24 ? 0:50 ora_pmon_ORCL
dbauser1 25598 1 0 Sep 24 ? 59:09 ora_lgwr_ORCL
dbauser1 6736 6735 8 10:20:39 pts/te 0:00 ps -efa
dbauser1 25596 1 0 Sep 24 ? 7:52 ora_dbw3_ORCL
dbauser1 6735 6693 0 10:20:39 pts/te 0:00 grep dbauser1
dbauser1 6697 1 0 10:20:13 ? 0:00 oracleORCL (DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=beq)))
dbauser1 25600 1 0 Sep 24 ? 1:58 ora_ckpt_ORCL
dbauser1 25608 1 0 Sep 24 ? 9:13 ora_arc0_ORCL

This may be good to show the real userid on HP-UX but seems to be confusing because we may wonder if it's safe to have an individual own the oracle processes.

I checked the file /etc/mnttab on server and did not see the 'nosuid' option set for '/dev/vgsw01/lvol17' that is used by the oracle binary.

>more /etc/mnttab | grep /opt/oracle/product/ora8
......
/dev/vgsw01/lvol17 /opt/oracle/product/ora8174_64 vxfs ioerror=mwdisable,delaylog,dev=40120011 0 0 1156705448
/dev/vgsw01/lvol16 /opt/oracle/product/ora816_64 vxfs ioerror=mwdisable,delaylog,dev=40120010 0 0 1156705448
......
-hosts /net autofs ignore,indirect,nosuid,soft,nobrowse,dev=60000000 0 0 1156705509
/etc/auto.direct /opt/pvcs autofs ignore,direct,dev=60000001 0 0 1156705509
......

Moreover, there's no error message or trace file generated, and the newly generated database files all belong to the 'oracle' user. The only question shown is the ownership of the background processes.

So we wonder if this is something unique/different with the OS (HP-UX) or whether there's still something wrong?

Thanks in advance!
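
The two checks made in the post (set-id bits in the `ls -l` mode string, and no `nosuid` option on the filesystem holding the binary) can be combined into one script. This is an added example, not part of the original post; the function names are hypothetical and the root mount entry in the sample is constructed.

```shell
#!/bin/sh
# Added example: will a set-uid/set-gid bit on a binary actually be honored?
# Inputs are an `ls -l` mode string and mnttab-format text (one entry per line).

# Constructed sample: the root entry is invented; the other two mirror the page.
SAMPLE_MNTTAB='/dev/vg00/lvol3 / vxfs log,dev=40000003 0 1 1156705400
/dev/vgsw01/lvol17 /opt/oracle/product/ora8174_64 vxfs ioerror=mwdisable,delaylog,dev=40120011 0 0 1156705448
-hosts /net autofs ignore,indirect,nosuid,soft,nobrowse,dev=60000000 0 0 1156705509'

# Report which set-id bits a mode string such as -rwsr-s--x carries.
setid_bits() {
    u=$(printf '%s' "$1" | cut -c4)   # owner execute slot: s or S = set-uid
    g=$(printf '%s' "$1" | cut -c7)   # group execute slot: s or S = set-gid
    out=""
    case "$u" in s|S) out="setuid" ;; esac
    case "$g" in s|S) out="${out:+$out,}setgid" ;; esac
    printf '%s\n' "${out:-none}"
}

# Print the mount options of the filesystem holding path $1 (mnttab on stdin),
# chosen by longest matching mount point.
mount_opts() {
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) > best) { best = length(mp); opts = $4 } }
        END { print opts }'
}

# $1 = mode string, $2 = path of the binary, stdin = mnttab content.
suid_status() {
    bits=$(setid_bits "$1")
    if [ "$bits" = none ]; then echo "no-setid-bits"; return 0; fi
    case ",$(mount_opts "$2")," in
        *,nosuid,*) echo "ignored:nosuid" ;;
        *)          echo "honored:$bits" ;;
    esac
}

printf '%s\n' "$SAMPLE_MNTTAB" |
    suid_status -rwsr-s--x /opt/oracle/product/ora8174_64/bin/oracle
```

On a live system, feed the function the real mode string from `ls -l` and the contents of `/etc/mnttab` instead of the sample.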