Skip to content

Permissions for Oracle binaries and files – reference article for the new Oracle DBA




You are a new oracle dba and you would like to know which  permissions you need to give to oracle binaries and you want to understand how to read correctly the permissions assigned to a file on an unix system. This article will give a detailed explanation.

Changing the permissions

  Directory/Files                              Permissions

All database,redo log,and control files          640

$ORACLE_HOME/bin/oracle                         6751

All other executables in the $ORACEL_HOME/bin    751 or 755
and the files within this directory

Library directory                                644
$ORACLE
_HOME/LIB and the files
within this directory

Product library subdirectories,such as           644
$ORACLE
_HOME/rdbms/lib and
$ORACLE
_HOME/proc/lib and the files
within these directory

Administration,.sql and shell scripts            644    
in the product administration subdirectories
$ORACLE
_HOME/rdbms/admin  and
$ORACLE
_HOME/sqlplus/admin

thus,your oracle system can have these right permissions.

 

Understanding file permissions on Unix: a brief tutorial

(For files on AFS fileservers, see below)


Every user on a Unix system has a unique username, and is a member of at least one group (the primary group for that user). This group information is held in the password file (/etc/passwd). A user can also be a member of one or more other groups. The auxiliary group information is held in the file /etc/group. Only the administrator can create new groups or add/delete group members (one of the shortcomings of the system).

Every directory and file on the system has an owner, and also an associated group. It also has a set of permission flags which specify separate read, write and execute permissions for the ‘user’ (owner), ‘group’, and ‘other’ (everyone else with an account on the computer) The ‘ls’ command shows the permissions and group associated with files when used with the -l option. On some systems (e.g. Coos), the ‘-g’ option is also needed to see the group information.

An example of the output produced by ‘ls -l’ is shown below.

drwx------ 2 richard staff  2048 Jan  2 1997  private
drwxrws--- 2 richard staff  2048 Jan  2 1997  admin
-rw-rw---- 2 richard staff 12040 Aug 20 1996  admin/userinfo
drwxr-xr-x 3 richard user   2048 May 13 09:27 public

Understanding how to read this output is useful to all unix users, but especially people using group access permissions.

Field 1:   a set of ten permission flags.
Field 2:   link count (don’t worry about this)
Field 3:   owner of the file
Field 4:   associated group for the file
Field 5:   size in bytes
Field 6-8: date of last modification (format varies, but always 3 fields)
Field 9:   name of file (possibly with path, depending on how ls was called)

The permission flags are read as follows (left to right)

position Meaning
1 directory flag, ‘d’ if a directory, ‘-‘ if a normal file, something else occasionally may appear here for special devices.
2,3,4 read, write, execute permission for User (Owner) of file
5,6,7 read, write, execute permission for Group
8,9,10 read, write, execute permission for Other
value Meaning
in any position means that flag is not set
r file is readable by owner, group or other
w file is writeable. On a directory, write access means you can add or delete files
x file is executable (only for programs and shell scripts – not useful for data files). Execute permission on a directory means you can list the files in that directory
s in the place where ‘x’ would normally go is called the set-UID or set-groupID flag.

On an executable program with set-UID or set-groupID, that program runs with the effective permissions of its owner or group.

For a directory, the set-groupID flag means that all files created inside that directory will inherit the group of the directory. Without this flag, a file takes on the primary group of the user creating the file. This property is important to people trying to maintain a directory as group accessible. The subdirectories also inherit the set-groupID property.

The default file permissions (umask):

Each user has a default set of permissions which apply to all files created by that user, unless the software explicitly sets something else. This is often called the ‘umask’, after the command used to change it. It is either inherited from the login process, or set in the .cshrc or .login file which configures an individual account, or it can be run manually.

Typically the default configuration is equivalent to typing ‘umask 22’ which produces permissions of:

-rw-r--r-- for regular files, or
drwxr-xr-x for directories.

In other words, user has full access, everyone else (group and other) has read access to files, lookup access to directories.

When working with group-access files and directories, it is common to use ‘umask 2’ which produces permissions of:

-rw-rw-r-- for regular files, or
drwxrwxr-x for directories.

For private work, use ‘umask 77’ which produces permissions:

-rw------- for regular files, or
drwx------ for directories.

The logic behind the number given to umask is not intuitive.

The command to change the permission flags is “chmod”. Only the owner of a file can change its permissions.

The command to change the group of a file is “chgrp”. Only the owner of a file can change its group, and can only change it to a group of which he is a member.

See the online manual pages for details of these commands on any particular system (e.g. “man chmod”).

Examples of typical useage are given below:

chmod g+w myfile

give group write permission to “myfile”, leaving all other permission flags alone

chmod g-rw myfile

remove read and write access to “myfile”, leaving all other permission flags alone

chmod g+rwxs mydir

give full group read/write access to directory “mydir”, also setting the set-groupID flag so that directories created inside it inherit the group

chmod u=rw,go= privatefile

explicitly give user read/write access, and revoke all group and other access, to file ‘privatefile’

chmod -R g+rw .

give group read write access to this directory, and everything inside of it (-R = recursive)

chgrp -R medi .

change the ownership of this directory to group ‘medi’ and everything inside of it (-R = recursive). The person issuing this command must own all the files or it will fail.

WARNINGS:

Putting ‘umask 2’ into a startup file (.login or .cshrc) will make these settings apply to everything you do unless manually changed. This can lead to giving group access to files such as saved email in your home directory, which is generally not desireable.

Making a file group read/write without checking what its group is can lead to accidentally giving access to almost everyone on the system. Normally all users are members of some default group such as “users”, as well as being members of specific project-oriented groups. Don’t give group access to “users” when you intended some other group.

Remember that to read a file, you need execute access to the directory it is in AND read access to the file itself. To write a file, your need execute access to the directory AND write access to the file. To create new files or delete files, you need write access to the directory. You also need execute access to all parent directories back to the root. Group access will break if a parent directory is made completely private.


AFS Access Control Lists (ACLs)

Files on the central AFS fileservers all have the traditional Unix permissions as explained above, but they are also controlled by Access Control Lists (ACL) which take precedence. They provide access levels more flexible than the user/group/other attribute bits, but they work on the level of complete directories, not files. The command to set and list ACLs is fs.
“fs” is a big ugly command that does lots of things related to AFS filesystems depending on the arguments you call it with.

For details see the man pages for: fs_setacl, fs_listacl, fs_cleanacl, fs_copyacl

For brief help, do (e.g.) “fs help setacl”

The default is to give the same permissions to a new directory as are on the parent directory. In practice, this is usually to give complete rights to the owner of the directory, and lookup rights to any other user (equivalent to execute attribute on a directory).

To render a directory private, the simplest command is:

fs setacl -d DIRNAME -clear -a MYNAME all

– replace DIRNAME with the appropriate directory name (or “.” for the current directory, and MYNAME with your login name.

Check it with:

fs listacl DIRNAME

It should reply with:

Access list for DIRNAME is
Normal rights:
  USERNAME rlidwka

(see man fs_setacl for a description of the meaning of the flags “rlidwka”)

To explicitly give public read/lookup access, use:

fs setacl -d DIRNAME -a system:anyuser read

This can be abbreviated to

fs sa DIRNAME system:anyuser read

If “fs” is not found, or the man pages are not found, your paths are not set up correctly. I recommend you run /usr/local/bin/mknewdotfiles to correct that.

 

 

DIFFERENT PERMISSION CODES

 

Numeric UNIX equivalent Owner Group Other
    read/write/execute read/write/execute read/write/execute
777 rwxrwxrwx
755 rwxr-xr-x
744 rwxr--r--
644 rw-r--r--

 

 

n     a number from 0 to 7. An absolute  mode  is  con-

                structed  from  the  OR  of  any of the following

                modes:

 

                4000  Set user ID on execution.

 

                20#0  Set group ID on execution if # is 7, 5,  3,

                      or 1.

 

                      Enable mandatory locking if # is 6,  4,  2,

                      or 0.

 

                      For directories, files are created with BSD

                      semantics  for propagation of the group ID.

                      With this option, files and  subdirectories

                      created  in the directory inherit the group

                      ID of the directory,  rather  than  of  the

                      current  process. For directories, the set-

                      gid bit may only be set or cleared by using

                      symbolic mode.

 

                1000  Turn on sticky bit. See chmod(2).

 

                0400  Allow read by owner.

 

                0200  Allow write by owner.

 

                0100  Allow  execute  (search  in  directory)  by

                      owner.

 

                0700  Allow read, write, and execute (search)  by

 

SunOS 5.9            Last change: 4 Dec 2000                    1

 

User Commands                                            chmod(1)

 

                      owner.

 

                0040  Allow read by group.

 

                0020  Allow write by group.

 

                0010  Allow  execute  (search  in  directory)  by

                      group.

 

                0070  Allow read, write, and execute (search)  by

                      group.

 

04            Allow read by others.

 

0002  Allow write by others.

 

                0001  Allow execute (search in directory) by oth-

                      ers.

 

                0007  Allow read, write, and execute (search)  by

                      others.

 

permission

           any compatible combination of the following letters:

 

           l     mandatory locking

 

           r     read permission

 

           s     user or group set-ID

 

           t     sticky bit

 

           w     write permission

 

           x     execute permission

 

           X     execute permission if the file is a directory or

                 if  there  is  execute permission for one of the

                 other user classes

 

           u,g,o indicate that permission is to be taken from the

                 current user, group or other mode respectively.

 

In a directory which has the set-group-ID bit set (reflected

     as either —–s— or —–l— in the output of ‘ls -ld’),

     files and subdirectories are created with  the  group-ID  of

     the parent directory-not that of current process.

 

 

Sridharà you can easily decode the permissions bits by knowing the permission code

 

For example 755 is rwxrwxrwx

 

Here is how it is calculated

 

The 7 stands for  2 ^0  + 2^1 + 2^2  = 1 + 2 + 4 =  x + w + r

 

So if you want number 7 , then all first 3 bits should be full .. i.e rwx

S 75 means  the first 3 bits should be full and second 3 bits should be filled in such a  way that the sum should add up to 5 ..so we can easily guess that the second 3 bits should be r-x  which means  2^2 + 0 + 2^0  = 4 + 0 + 1 = 5

 

So now

 

755 means , as we can easily guess  rwxr-wr-w

 

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Post a Comment

You must be logged in to post a comment.