"best practice"

Occasional Advisor


Executing does not need to happen too often, I know. But when you have 200 Oracle servers, chances are big "" has to be executed nevertheless once or more a week (200 servers, 1 patching per year --> more or less 1 server a day).

DBA's don't get root access, period!

We need to find a trick, and I'm convinced that sudo does this trick very well. Maybe also rbac.

I just wanted to ask you as the community for some tips and tricks, especially about the fact that "" is writable by oracle-user, so if oracle-user wants to be nasty, he can....


Raf L
Richard Hepworth
Esteemed Contributor

Re: "best practice"

Hi there,

sudo does do the trick as you say but the risk is there with being editable by the oracle user. I guess it comes down to trust mainly, either trust the dba's to do their job or keep the overhead of running for them yourselves (which is not the world's most exciting part of being a sysadmin ;-) ).

If using sudo make sure you enter the full path to most common's in the sudoers file
Mel Burslan
Honored Contributor

Re: "best practice"

I second the opinion above. Running being the most mundane thing in your day, it still is a necessary evil.

Even though as sysadmins, we generally trust the DBAs and run the script unquestioned, in fact it needs to be scrutinized before each run as some malicious code might get inserted in it.

Running scripts as root via sudo is a generally frowned upon practice due to the gaping security holes it introduces.

Good luck
UNIX because I majored in cryptology...
Bart Paulusse
Respected Contributor

Re: "best practice"

Hi Raf,

The actions performs are not rocket science. A few chmod, mkdir and cp commands, that's all. The only real reason for to be executed as user root are these 2 lines:
"$CHOWN root $ORACLE_HOME/bin/dbsnmp"
"$CHOWN root $ORACLE_HOME/bin/oradism"

You could create your own substitute script, UNWRITABLE but executable for the oracle user, and in the script, you perform the commands with sudo.

That way, you prevent abuse of the script and you don't have to give your dba's root access.
It may mean that you have to create a few versions because the script may vary from release to release.
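
The substitute-script idea from the reply above, sketched as an added example (not code from this thread or from Oracle). The chown path, the Oracle home path, the `--apply` flag and the names `home_allowed`, `plan_chown` and `ALLOWED_HOMES` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Wrapper installed root-owned, mode 0755: oracle can run it but not edit it.
# It runs AS oracle, so its checks are guard rails; the sudoers rule below,
# with fixed full paths and no wildcards, is what actually limits root use.
#
# Assumed sudoers entry (edit with visudo; all paths are placeholders):
#   oracle ALL=(root) NOPASSWD: \
#     /usr/bin/chown root /u01/app/oracle/product/db_1/bin/dbsnmp, \
#     /usr/bin/chown root /u01/app/oracle/product/db_1/bin/oradism

CHOWN=/usr/bin/chown                      # full path, as in sudoers
ALLOWED_HOMES="${ALLOWED_HOMES:-/u01/app/oracle/product/db_1}"  # placeholder

# home_allowed HOME: succeed only on an exact match with the allow-list.
home_allowed() {
    for _h in $ALLOWED_HOMES; do
        [ "$1" = "$_h" ] && return 0
    done
    return 1
}

# plan_chown HOME: print the two chown commands, or fail printing nothing.
plan_chown() {
    home_allowed "$1" || { echo "refused: home not allow-listed" >&2; return 1; }
    _plan=""
    for _f in "$1/bin/dbsnmp" "$1/bin/oradism"; do
        # chown follows symlinks, so accept regular files only.
        if [ -L "$_f" ] || [ ! -f "$_f" ]; then
            echo "refused: $_f is not a regular file" >&2
            return 1
        fi
        _plan="${_plan}${CHOWN} root ${_f}
"
    done
    printf '%s' "$_plan"
}

# Act only when invoked as: wrapper --apply /path/to/oracle_home
if [ "${1:-}" = "--apply" ]; then
    _cmds=$(plan_chown "${2:-}") || exit 1
    printf '%s\n' "$_cmds" | while read -r _bin _owner _file; do
        sudo "$_bin" "$_owner" "$_file" || exit 1
    done
fi
```

Because sudoers matches the listed arguments exactly, the oracle user can run only these two commands as root, whatever happens to the Oracle-owned script.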

Eric Antunes
Honored Contributor

Re: "best practice"


I think the best approach would be to create a new user with root access and password aging for DBA's.

dba's would be required to inform previously sysadmin before kinds of maintenance.

PS: I'm dba and sysadmin and the me sysadmin has never had reasons for complaints about me dba. ;-)

Best Regards,

Eric Antunes
Each and every day is a good day to learn.