>
Linux, Oracle, Technical

RAC File Permissions Quick Reference

I was just thinking today about how useful it might be to have a quick reference to permissions on Oracle RAC databases. Can’t tell you how many time I’ve asked “what should the permissions be for this”… so I’m just going to use this post for all the files I can think of and their default or recommended permissions. I’ll probably update this post as I think of other files and directories that I left out.

Often it is possible to restrict access to files and directories further than Oracle does by default and the database will still function fine. I am aiming to list the defaults or recommended values but would welcome any comments about more secure possibilities.

Object Owner:Group Perms Comments
OCR root:oinstall 640 Applies to both raw devices and cooked files.
Voting Disk oracle:oinstall 644 Raw devices or cooked file. Location of voting disks is specified in the OCR.
ASM spfile oracle:dba 640 Raw devices or cooked file.
Password File oracle:oinstall 640 Raw devices or cooked file.
Datafiles, Control Files, Redo Logs, etc. (OCFS) oracle:dba 640 These files are created automatically by Oracle and you should not need to change the permissions on them.
/dev files used by ASM oracle:dba 640 On linux the oracleasm package can take care of this for you but otherwise you need to make sure perms are set correctly.
 
/etc/oratab oracle:dba 664 In /var/opt/oracle on solaris.
/etc/oraInst.loc root:root 644 Specifies inventory location; also in /var/opt/oracle on solaris.
/etc/oracle/ root:oinstall 755 /var/opt/oracle on solaris.
/etc/oracle/ocr.loc root:oinstall 644
 
/u01/ root:root 755
/u01/app/ root:root 755
/u01/app/oracle/ oracle:oinstall 755 This is the ORACLE_BASE and the oracle user’s home directory in a fully OFA-compliant install. Should follow format /[constant][number]/app/[user].
/u01/app/oracle
 /product/10.2.0/db_1/
oracle:oinstall 755 ORACLE_HOME for database software
/u01/app/oracle
 /product/10.2.0/asm_1/
oracle:oinstall 755 ORACLE_HOME for asm; best practice is to install this second copy of software.
 
/u01/crs/ root:root 755 Clusterware should never be installed into ORACLE_BASE to avoid security vulnerabilities. As is illustrated here, all parent directories of the clusterware should be writable only by root.
/u01/crs/oracle/ root:root 755
/u01/crs/oracle
 /product/
root:root 755
/u01/crs/oracle
 /product/10.2.0/
root:root 755
/u01/crs/oracle
 /product/10.2.0/crs_1/
root:oinstall 755 ORA_CRS_HOME – owner must be oracle:oinstall before installation; root.sh will change ownership.

One final note: permissions need to be relaxed on a number of files if you intend to allow non-dba users who are logged into your system to use the database with tools such as SQLPlus. Oracle provides a script to do this for you: $ORACLE_HOME/install/changePerm.sh.

About these ads

About Jeremy Schneider

Doing stuff with Oracle Database, Performance, Clusters, Linux. about.me/jeremy_schneider

Discussion

3 thoughts on “RAC File Permissions Quick Reference

  1. Thanks – much appreciated!

    Posted by Kirstin Barth | August 15, 2007, 4:35 am
  2. Very useful ! Great idea to collect all permissions for RAC Installation etc.

    Posted by Kai | November 20, 2007, 10:31 am
  3. Great set of Information…..

    Posted by Raj | April 21, 2010, 4:41 pm

Disclaimer

(a) The views expressed on this website are mine alone and do not necessarily reflect the views of my employer.

about.me

Jeremy Schneider
Follow

Get every new post delivered to your Inbox.

Join 897 other followers

%d bloggers like this: