I was just thinking today about how useful it might be to have a quick reference to file permissions on Oracle RAC databases. I can’t tell you how many times I’ve asked “what should the permissions be for this?”, so I’m going to use this post for all the files I can think of and their default or recommended permissions. I’ll probably update it as I think of other files and directories I’ve left out.
Often it is possible to restrict access to files and directories further than Oracle does by default and the database will still function fine. I am aiming to list the defaults or recommended values, but would welcome any comments about more secure possibilities.
| File / Directory | Owner:Group | Mode | Notes |
|---|---|---|---|
| OCR | root:oinstall | 640 | Applies to both raw devices and cooked files. |
| Voting disk | oracle:oinstall | 644 | Raw device or cooked file. The location of the voting disks is recorded in the OCR. |
| ASM spfile | oracle:dba | 640 | Raw device or cooked file. |
| Password file | oracle:oinstall | 640 | Raw device or cooked file. |
| Datafiles, control files, redo logs, etc. (OCFS) | oracle:dba | 640 | Created automatically by Oracle; you should not need to change the permissions on them. |
| /dev files used by ASM | oracle:dba | 640 | On Linux the oracleasm package can take care of this for you; otherwise you need to make sure the permissions are set correctly. |
| /etc/oratab | oracle:dba | 664 | In /var/opt/oracle on Solaris. |
| /etc/oraInst.loc | root:root | 644 | Specifies the inventory location; also in /var/opt/oracle on Solaris. |
| /etc/oracle/ | root:oinstall | 755 | /var/opt/oracle on Solaris. |
| /u01/app/oracle/ | oracle:oinstall | 755 | This is ORACLE_BASE and the oracle user’s home directory in a fully OFA-compliant install. Should follow the format /[constant][number]/app/[user]. |
| | oracle:oinstall | 755 | ORACLE_HOME for the database software. |
| | oracle:oinstall | 755 | ORACLE_HOME for ASM; best practice is to install this second copy of the software. |
| /u01/crs/ | root:root | 755 | Clusterware should never be installed under ORACLE_BASE, to avoid security vulnerabilities. As illustrated here, all parent directories of the clusterware home should be writable only by root. |
| | root:oinstall | 755 | ORA_CRS_HOME. Owner must be oracle:oinstall before installation; root.sh changes the ownership. |
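A table like this is only useful if you actually check the boxes against it, so here is a small audit script, an added example rather than anything Oracle ships. It treats the values above as the maximum permitted: a path passes if the owner and group match and its mode grants no bits beyond the recommended one (a tighter mode is fine, since the database keeps working with stricter settings), and it flags anything looser, missing, or owned by the wrong account. It assumes GNU coreutils `stat` (Linux); the manifest format, the function names, and the sample tree it builds under `mktemp` are this example's own and are not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit ownership and mode of
# Oracle RAC files against the recommended values in the table above.
# Assumes GNU coreutils `stat` (Linux); on Solaris use ls -ld and adjust
# the parsing. Manifest format and function names are this example's own.

# check_perm PATH OWNER GROUP MODE
# Exit status 0 when PATH is owned by OWNER:GROUP and its mode grants no
# permission bits beyond MODE (a tighter mode is accepted); 1 otherwise.
check_perm() {
    cp_path=$1 cp_owner=$2 cp_group=$3 cp_mode=$4
    if [ ! -e "$cp_path" ]; then
        echo "MISSING  $cp_path"
        return 1
    fi
    # %U owner name, %G group name, %a permission bits in octal (e.g. 640)
    cp_actual=$(stat -c '%U %G %a' "$cp_path") || return 1
    set -- $cp_actual
    cp_have_owner=$1 cp_have_group=$2 cp_have_mode=$3
    # bits present in the actual mode but absent from the recommended one
    cp_extra=$(( 0$cp_have_mode & ~0$cp_mode & 07777 ))
    if [ "$cp_have_owner" != "$cp_owner" ] || [ "$cp_have_group" != "$cp_group" ]; then
        echo "OWNER    $cp_path: have $cp_have_owner:$cp_have_group, want $cp_owner:$cp_group"
        return 1
    fi
    if [ "$cp_extra" -ne 0 ]; then
        echo "LOOSE    $cp_path: mode $cp_have_mode grants more than $cp_mode"
        return 1
    fi
    echo "OK       $cp_path ($cp_have_owner:$cp_have_group $cp_have_mode, max $cp_mode)"
    return 0
}

# audit_manifest
# Reads "path owner group mode" lines from stdin (blank lines and '#'
# comments are skipped), checks each, and returns the number of failures.
audit_manifest() {
    am_fail=0
    while read -r am_path am_owner am_group am_mode am_rest; do
        case $am_path in ''|'#'*) continue ;; esac
        check_perm "$am_path" "$am_owner" "$am_group" "$am_mode" || am_fail=$((am_fail + 1))
    done
    return $am_fail
}

# demo_audit
# Builds a constructed sample tree (no Oracle install needed) and audits it.
# The expected owner is the current user so the run is meaningful without
# root; on a real host the manifest would carry oracle/root and dba/oinstall.
# Returns 2: the crs directory is too loose and oraInst.loc is missing.
demo_audit() {
    me=$(id -un) mygrp=$(id -gn)
    d=$(mktemp -d) || return 1
    mkdir -p "$d/crs" "$d/app/oracle"
    chmod 755 "$d/app/oracle"
    chmod 777 "$d/crs"                 # deliberately looser than 755
    touch "$d/oratab" "$d/orapw" "$d/ocr"
    chmod 664 "$d/oratab"
    chmod 600 "$d/orapw"               # tighter than 640: accepted
    chmod 640 "$d/ocr"
    audit_manifest <<EOF
# path          owner   group    mode
$d/app/oracle   $me     $mygrp   755
$d/crs          $me     $mygrp   755
$d/oratab       $me     $mygrp   664
$d/orapw        $me     $mygrp   640
$d/ocr          $me     $mygrp   640
$d/oraInst.loc  $me     $mygrp   644
EOF
    rc=$?
    rm -rf "$d"
    return $rc
}

if demo_audit; then
    echo "audit: all paths within recommended permissions"
else
    echo "audit: $? path(s) need attention"
fi
```

On a real cluster node, replace the demo with a manifest listing the table's rows (the OCR and voting disk devices, the password file, ORACLE_BASE, the clusterware parents and so on) and run it as root after each install, patch or root.sh so that anything root.sh or a later chown has left looser than intended shows up immediately.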
One final note: permissions need to be relaxed on a number of files if you intend to allow OS users who are not in the dba group to log into the server and use the database with tools such as SQL*Plus from the ORACLE_HOME. Oracle provides a script to do this for you: $ORACLE_HOME/install/changePerm.sh.