Best practices with Oracle and root access

Geoff Wild · ‎02-09-2006

I'm looking for some sort of an official document (link/whitepaper) around Best Practices with Oracle and root access.

IMHO - no one other then a sysadmin needs root access.

I don't want this to be a rant, I'm looking for official doc(s)...so I can give to 1 Oracle admin who thinks he should have root access on the systems he supports.

Main reason - he doesn't want to "bother" us to run the root.sh script when doing installs or changes...

IMHO - why is it called root.sh - because Oracle (and SAP) want you to get a sysadmin to run that script for you.

Like I said, I don't need your opinions (as I'm sure they will be for the most part the same as mine) but I need some sort of document - and if it is from Orcale - so much the better - because this one DBA swears by everything put out by Oracle - IE - if Oracle says do this - he does.

Thanks...Geoff

Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.

TwoProc · ‎02-09-2006

I don't think he's EVER going to find a document that says it's best practice to give a DBA sysadmin access.

I'm pretty the manual(s) tell you to run root.sh, etc as root, or get one to run it for you, and that's about the whole of it.

We are the people our parents warned us about --Jimmy Buffett

TwoProc · ‎02-09-2006

I don't think he's EVER going to find a document that says it's best practice to give a DBA sysadmin access.

I'm pretty sure the manual(s) tell you to run root.sh, etc as root, or get one to run it for you, and that's about the whole of it.

We are the people our parents warned us about --Jimmy Buffett

Jeff Schussele · ‎02-09-2006

Hi Geoff,

We don't give DBAs root access - ever.
We set up sudo rules for them to allow them to *only* do what they need to do.
If the don't tell us everything they need to do they have to wait until the next iterartion of the sudoers rule.
In emergencies we give them a "temp" rule to do what they need and then remove it when done.

My $0.02,
Jeff

PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!

Jeff_Traigle · ‎02-09-2006

Quite honestly, this shouldn't be a matter of a best practice document to show him. It should be a clear security policy decision from management regarding separation of duties. Sys Admins don't touch the databases, especially as SYS or SYSTEM, and DBAs don't touch the systems as root. If management wants to play loosy-goosy with the privileges, that's their call, but, with SOX requirements, in most large organizations and many smaller ones the separation of accesses is a requirement and the information security folks will be rather harsh in their enforcement of compliance. Maybe you should send him to talk to them. :)

(BTW, I did a quick Yahoo! search and didn't find anything useful as far as a best practice document on the subject.)

--
Jeff Traigle

A. Clay Stephenson · ‎02-09-2006

Even allowing root.sh under sudo is a huge security risk because it is a shell script that is writable by oracle and could easily be modified and then sudo'ed. Before I ever run root.sh, I cksum it against my "as delivered" versions. I basically create a wrapper that does this check and then allow them to execute root.sh. The wrapper runs under sudo and is not writable by anyone except root nor is the directory that houses this wrapper writable by anyone except root.

My general method of heading DBA's off at the pass is "Give my your sys and system passwords." Generally they look at me like I'm insane. I can't be allowed access to their database! If they do give me their passwords, I immediately tell them that I have no need of those passwords and their release of the passwords indicates that they are not nearly security conscious enough to be granted super-user passwords.
Either way, they can't win.

If it ain't broke, I can fix that.

Alzhy · ‎02-09-2006

I use a timed and audited VNC session for my DBAs whenever they need root work.

Personally though - SysAdmins and really good UNIX persons make the best and most efficient Oracle DBAs. If you are a "good" DBA and you've no idea about the underlying OS and infrasrtcuture that you are runing your instance on - then how can you ensure your instance(s) is getting the best and proper environment. There are also tools/routines/teechniques that a UNIX/Admin savvy DBA can call/utilize to further improve productivity.

My few cents.

Hakuna Matata.

Alzhy · ‎02-09-2006

For some of their regular priveleged routines -- it sudo. We secure the scripts/files of course so they are not tempted to edit the script outside of change control.

Hakuna Matata.

John Payne_2 · ‎02-09-2006

Oracle has written a check into their root.sh script that checks for the effective user to be root, and exits if it that's not the case.

Generally the installer creates a new /etc/oratab or modifies it. It also creates or modifies the /var/opt/oracle file. For these reasons, they require root. (That's my guess, anyway.) You can get around that, if you wanted, by making permissions of those files appropriate for them to run as oracle. (Whether you should do this is really a question for you, not me.)

The script generally only takes a few seconds to run, it doesn't take a whole lot of time. I let our DBA's run this as root-priviledged themselves. (Sorry Clay) That doesn't mean I let them do anything else, I only trust them about as far as I can throw them...

In the past, they used to always call to have us run the file.

Hope it helps
John

Spoon!!!!

Steven E. Protter · ‎02-09-2006

You are right Geoff.

Oh and Shalom to you.

Oracle can be massively screwed up by having root access.

My Oracle DBA had root in Chicago because he was my backup. He never used it for dba tasks.

Note that Oracle sets up shared memory segments that you can view with the ipcs commands.

If the oracle dba does anything to a shared memory segment, runs the wrong utility as root or whatever, the segment is locked, the oracle user and database can not access it and the database crashes.

Very bad.

Now a doc. Or two.
http://www.google.co.il/group/comp.databases.oracle/browse_thread/thread/4ff31a8dfc6b58b7/16389f4eef802332%2316389f4eef802332?sa=X&oi=groupsr&start=2&num=3
Running root as internal
http://www.google.co.il/group/comp.databases.oracle.server/browse_thread/thread/d4d9a00908613f2c/475969081dafefd4%23475969081dafefd4?sa=X&oi=groupsr&start=1&num=3

A potential horror story:
http://lists.suse.com/archive/suse-oracle/2003-Mar/0189.html
http://www.oracle.com/technology/tech/linux/vmware/cookbook/stage2b_sles.html

The oracle dba's main reason is to not have to be root to run root.sh?

From experience and thats more important than any doc. You are right and he or she is wrong.

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Rick Garland · ‎02-09-2006

I have not seen such a document.
In regards to the root.sh script, as you are aware this is only run once during the install. DBAs do not need root access, EVER!

If this is such a worry, put them in sudoers for a limited time - until the database install is complete. Then yank him out.

Pat Obrien_1 · ‎02-09-2006

My DBA's don't require me to run this script very often. Once a quarter maybe for production systems. I use sudo, and it is so rare we have not made a rule there for them. Wonder why yours feels the need?

Indira Aramandla · ‎02-09-2006

Hi Geoff,

â Should DBA have root accessâ , this should not be a subject of a document of â Best Practicesâ .

Because a DBA will not require root access to perform his daily database administration tasks. Oracle, for example, has several tools with which you can administer Oracle itself, almost negating the need for a UNIX login altogether. One of these on the high-end being Enterprise manager, and on the other low-end being the Oracle client.

DBA's should have non-root access to the servers and would require a some sudo access. To run root.sh will not be a frequent job. It will be on new installations and patches which would be once in 6 months or so. DBAâ s require server access to troubleshoot their own backups and space issues.

It will be a good practice to build up a good rapport between the DBAâ s and Sysadmin teams in the events when some of the tasks of one team require the other team to run the jobs. This should be considered as sharing rather than â I donâ t want to bother you all the timeâ .

Another issue is server accountability within a given IT organization. How secure have you made your server. If the DBA's and Sysadmin's reported to the same supervisor, it will be a bad idea to share root access across food chains.

I once worked in an organisation where I was UNIX Sysadmin and the DBA. I also, worked at one firm where I had dba access with no root access. And I can say as a DBA with non-root access I could perform my instance admin tasks without any issues.

Indira A

Never give up, Keep Trying

Sanjay Kumar Suri · ‎02-09-2006

root access is only needed for runing root.sh during Oracle upgrade process. This is also mentioned in the Oracle upgrade document released by SAP: http://service.sap.com/instguides

Sample output from root.sh is enclosed below (to get an idea of what it does) during Oracle upgrade from 8i to 9i:

Enter the full pathname of the local bin directory: [/usr/local/bin]: press enter
(Backup the following three files)
The file "dbhome" already exists in /usr/local/bin. Overwrite it? (y/n) [n]: y
Copying dbhome to /usr/local/bin ...
The file "oraenv" already exists in /usr/local/bin. Overwrite it? (y/n) [n]: y
Copying oraenv to /usr/local/bin ...
The file "coraenv" already exists in /usr/local/bin. Overwrite it? (y/n) [n]: y
Copying coraenv to /usr/local/bin ...

Adding entry to /etc/oratab file...
Entries will be added to the /etc/oratab file as needed by
Database Configuration Assistant when a database is created
Finished running generic part of root.sh script

Yes you are right: It is called root.sh - because Oracle (and SAP) want you to get a sysadmin to run that script for you.

Oracle admin and OS admin are two different roles and should be performed by two differnt people. However in some organization it is done by one for shortage of manpower.

The reason given by DBA in this case does not hold. If DBA has to bother sysadm then he has to; especially in this case when sysadm would like OS to be protected from all quarter.

sks

A rigid mind is very sure, but often wrong. A flexible mind is generally unsure, but often right.

Eric Antunes · ‎02-09-2006

Hi Geoff,

The question is not just about root.sh...

Yesterday, for example, I recovered a Production database and loose a day of work because of data corruption in the morning.

The solution was to place the 07 February end of the day database backup, change the system date BACKWARD from 09 to 08 February and redo all Wednesday work. Because I'm the system and database administrator, I didn't need to call anybody to change the date form me.

So, you won't find any satisfactory document about this question but in my opinion, in your situation you should avoid giving him direct access to root.

Best Regards,

Eric Antunes

Each and every day is a good day to learn.

Alzhy · ‎02-10-2006

Eric, you nailed it.

You epitomize the ideal System Administrator - who's also a Database Administrator. There are now actually enterprises out there who value (and require) System Admins also act as DBA's or vice versa. This increases the efficiency of overall administration of a system - by cutting the proverbial "how many XYZ Company IT hands is needed to fix a lightbulb" -

And some CIOs are now actually discovering that Small IT Shop techniques (i.e. IT Staff responsible for multipe roles) also apply to big IT shops.

And it cuts cost too! ;^)

Hakuna Matata.

Eric Antunes · ‎02-10-2006

Nelson, that's precisely my point of view. Specialization is good but it can't be too deep.

With Oracle, for example, the DBA must know until where he can increase the SGA without hurting the whole system (Paging out, etc...) and to achieve this he must be a system administrator too.

Best Regards,

Eric Antunes

Each and every day is a good day to learn.

Jeff Schussele · ‎02-10-2006

Eric/Nelson,

Well....you can get away with that in smaller organizations.
But we literally have dozens of DBAs & over a hundred SAs - of all UNIX flavors
We can't afford to do this.
sudo is our huckleberry.

My $0.02,
Jeff

PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!

Alzhy · ‎02-10-2006

And that is actually slowly changing Jeff as more and more CIO/IT leaders are being promoted from the "ranks" - so they "know".

And with today's OSes and RDBMSes starting to get to be easily managed and with an abundance of tools - these new breed of CIOs/IT leaders actually know what is really required in an Organization and what each staff can actually do. In organizations I consult with - I have seen SysAdmin to Servers Ratio drop from 1:5 to 1:50 in the last five years. I've also seen consolidation of roles like - ersthwhile Storage Admin, Network Admin and UNIX System Admin positions now being handled by a lone person. And DBA's are increasingly provided with UNIX Admin and Storage Admin skills and roles as well.

Hakuna Matata.

Ken_109 · ‎02-10-2006

Eric,

I respectfully disagree.. Specialization is everything. To prove my point.. An oracle recover is SCN based not time based, you can choose to recover to a point in time of course.

Without knowing the details of your recovery situation I'd say that your data loss of 1 day was most probably avoidable...

Send me your configuration and details and I'll be happy to review it for availability.

kennethinbox-forums@yahoo.com

Ken

Eric Antunes · ‎02-10-2006

Ken,

That is not the subject of this thread but, the SCN recovery would have only give me 100 minutes of data more (a few material transactions and a dozen of documents) since the corruption happened at 10H40 AM. But I'm considering the SCN (archivelog mode) recovery for other reasons...

Best Regards,

Eric Antunes

Each and every day is a good day to learn.

Rory R Hammond · ‎02-10-2006

The real issue for financial systems is SOX Segregation of Duties.

We would fail SOX if the ORACLE DBA had Root privileges. OR if the Superuser had DBA privileges.

Rory

There are a 100 ways to do things and 97 of them are right

Pete Randall · ‎02-10-2006

Geoff,

It's a good thing that you spelled out that you weren't interested in opinions!!

;^)

Pete

(N/A, please)

Pete

Yogeeraj_1 · ‎02-10-2006

hi,

with Oracle 10g and ASM/OMF, you don't need any special privileges for the DBA.

DBAs no longer need to manage files and drives individually. Instead, disk groups can be created consisting of disks and their assigned files.

Essentialy, the combination of OMF and ASM eliminates the need for a DBA to specify the file name and location for the physical database files when creating a new database, as well as in other database operations - you simply identify the destination disk group, and oracle takes care of the rest. ASM can also be extended to support other administrative procedurees, including backup/recovery and disk management.

I find the diskgroup concept very interesting such that diskgroup is like a logical volume, like a filesystem but only for database files.

It is said that "ASM is for DBA's for managing database data what Filesystems are for SA's for managing disk"

hope this helps!

kind regards
yogeeraj

No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)

Yogeeraj_1 · ‎02-10-2006

hi again,

see also metalink Note:265633.1
Subject: ASM Technical Best Practices

kind regards
yogeeraj

No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Best practices with Oracle and root access

Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access

Re: Best practices with Oracle and root access