Oracle, May 2, 2012

Oracle user account in Linux: visudo good practice

The owner account for most Oracle products, and for Oracle Database installations in particular, is the oracle user. The oracle-validated package creates that account automatically, with the required group memberships and a random password that nobody is told.

In the Linux world, following good practice, everyone has a personal, dedicated account that belongs to the appropriate system groups. Employees in a DBA role, for example, get an account in the “dba”, “wheel” and other custom groups. Most organisations run large numbers of OS and database installations, each with its own “oracle” account, and the password of that account should remain unknown to everyone.

So how do we switch to oracle without knowing its password? With sudo and su, governed by the sudoers file.
First, though, the personal account has to be granted the right to switch to oracle (and possibly other users), either by typing its own password or without any password at all; at no point is the root or oracle password required.

Imagine we are a DBA in an organisation and a new account “fred” has just been created for us on a Linux host.

[root@test-host ~]# useradd -m -n fred
[root@test-host ~]# passwd fred
Changing password for user fred.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@test-host ~]# id fred
uid=54322(fred) gid=100(users) groups=100(users)
[root@test-host ~]#

As we can see, fred belongs only to the “users” group by default (-n tells this useradd not to create a user-private group).

Let’s make that user also belong to the “dba” group:

[root@test-host ~]# usermod -g users -G dba fred
[root@test-host ~]# id fred
uid=54322(fred) gid=100(users) groups=100(users),54322(dba)

Now fred belongs to the groups users and dba. Note that -G replaces the whole supplementary group list; on an account that already has other groups, use usermod -aG dba fred so the existing memberships are kept.

Let’s try to switch to oracle account using sudo:

[fred@test-host ~]$ sudo su - oracle

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for fred:
fred is not in the sudoers file. This incident will be reported.
[fred@test-host ~]$

Fred is not in the sudoers file, so sudo refuses him and logs the attempt.

In this case we have to edit /etc/sudoers so that members of the “dba” group are allowed to switch to the oracle account:

NOTE: Always edit sudoers with the visudo command. It locks the file against concurrent edits and checks the syntax before saving, so a typo cannot lock everyone out of sudo.

Run visudo (not vi) and find the following lines

(visudo opens the file in the vi editor):

## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

Press “i” and add the following line to allow members of the dba group to run all commands:

%dba ALL=(ALL) ALL

Now every member of the “dba” group can run any command as any user, root included:

[fred@test-host ~]$ sudo su - oracle
[sudo] password for fred:*******
[oracle@test-host ~]$

[fred@test-host ~]$ sudo su - root
[root@test-host ~]#

That is not safe. To take root off the table, replace the rule with one that names the single command dba members may run:

%dba ALL = /bin/su - oracle, !/bin/su *root*

From now on members of dba can run exactly /bin/su - oracle and nothing else: sudo denies by default, so su - root, a bare su - (which also targets root) and su - someotheruser are all refused. The argument list has to match the rule exactly, so even sudo su oracle or sudo su -l oracle are rejected. The !/bin/su *root* entry therefore adds nothing here, and sudoers(5) warns that subtracting commands with ! is not a reliable restriction on its own; what protects root in this rule is the narrow positive list, not the exclusion.

[fred@test-host ~]$ sudo su - root
Sorry, user fred is not allowed to execute '/bin/su - root' as root on test-host.local.com.

[fred@test-host ~]$

If particular users (the organisation’s admins) should be able to switch to the “root” account, uncomment the line with the “wheel” group definition and add them to the wheel group with usermod -aG wheel username. Keep that group small: membership is equivalent to holding the root password.

So far, users have to type their own password each time they switch to another account. To let dba members switch to oracle without a password, define a command alias and tag it NOPASSWD:

Cmnd_Alias DBALIMIT = /bin/su - oracle, !/bin/su *root*
%dba ALL = NOPASSWD: DBALIMIT

Bear in mind that NOPASSWD removes the only re-authentication step: anyone who gets hold of fred’s logged-in session (an unattended terminal, for instance) gets an oracle shell with it, so keep the password prompt wherever that is acceptable.
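Putting the procedure together, as an added example that is not part of the original post: the script below renders the restricted rule as a drop-in for /etc/sudoers.d, audits a sudoers file for the weak patterns shown above (a blanket ALL=(ALL) ALL grant to a group other than the admin groups, a ! exclusion, and a wildcard su target), and installs the drop-in only after visudo -cf has parsed it. The drop-in name 50-dba-oracle, the alias name DBALIMIT and the audit patterns are assumptions made here, and the script relies on the default #includedir /etc/sudoers.d line being present in /etc/sudoers.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# Renders the restricted dba->oracle rule as a sudoers drop-in, audits a sudoers file
# for the weak patterns discussed in the text, and installs the drop-in via visudo -cf.
# Assumed names: drop-in "50-dba-oracle", alias DBALIMIT; the host's /etc/sudoers is
# assumed to contain the default "#includedir /etc/sudoers.d" line.
set -eu

# Print the rule. Only one command is listed, so no '!' exclusion is needed: anything
# not listed (su - root, a bare su -, su - otheruser) is refused by sudo's default deny.
# Pass "nopasswd" to drop the password prompt (see the caveat in the text).
render_dba_rule() {
    local tag=""
    [ "${1:-passwd}" = "nopasswd" ] && tag="NOPASSWD: "
    printf '%s\n' \
        "# Members of group dba may become oracle and nothing else." \
        "Cmnd_Alias DBALIMIT = /bin/su - oracle" \
        "%dba ALL = (root) ${tag}DBALIMIT"
}

# Scan a sudoers file for the weak patterns and print one finding per line.
# Returns 1 if anything was flagged, 0 if the file is clean. Rules are expected to
# start in column 0 (the visudo default); comments and blank lines are skipped.
audit_sudoers() {
    local file="$1" line n=0 found=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|\#*) continue ;;
        esac
        # blanket "run anything as anyone" grant to a group other than the admin groups
        case "$line" in
            %wheel*|%sudo*|%admin*) ;;
            %*ALL*=*\(ALL*\)*ALL*)
                printf 'line %d: blanket root grant to a group: %s\n' "$n" "$line"
                found=1 ;;
        esac
        # '!' exclusions: sudoers(5) says subtracting commands this way is unreliable
        case "$line" in
            *\!/*)
                printf 'line %d: negated command, unreliable exclusion: %s\n' "$n" "$line"
                found=1 ;;
        esac
        # a wildcard after su lets the caller choose the target account
        case "$line" in
            */bin/su\ \**|*/bin/su\ -\ \**)
                printf 'line %d: wildcard su target: %s\n' "$n" "$line"
                found=1 ;;
        esac
    done < "$file"
    return "$found"
}

# Write the rule as a drop-in. visudo -cf parses it before it can take effect; that
# check also insists on root ownership and mode 0440, so it is only run as root.
# The staging name contains a '.', which makes sudo ignore it until the final mv.
install_dba_rule() {
    local dir="$1" mode="${2:-passwd}" tmp file
    file="$dir/50-dba-oracle"
    tmp="$(mktemp "$dir/.dba-oracle.XXXXXX")"
    render_dba_rule "$mode" > "$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" -eq 0 ] && command -v visudo > /dev/null 2>&1; then
        if ! visudo -cf "$tmp" > /dev/null; then
            rm -f "$tmp"
            return 1
        fi
    fi
    mv "$tmp" "$file"
    printf '%s\n' "$file"
}

# Demo on a constructed copy of the weak rules from the text, in a scratch directory
# rather than the real /etc/sudoers.d: run the script with the argument "demo".
demo() {
    local work
    work="$(mktemp -d)"
    printf '%s\n' \
        '## Allows people in group wheel to run all commands' \
        '%wheel ALL=(ALL) ALL' \
        '%dba ALL=(ALL) ALL' \
        '%dba ALL = /bin/su - oracle, !/bin/su *root*' > "$work/sudoers.weak"
    audit_sudoers "$work/sudoers.weak" || echo "weak rules flagged"
    install_dba_rule "$work" nopasswd
    audit_sudoers "$work/50-dba-oracle" && echo "drop-in is clean"
    rm -rf "$work"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

On a real host, run install_dba_rule /etc/sudoers.d as root and then confirm the result from the user's side with sudo -l -U fred, which lists exactly the commands fred may run; the audit function is handy for checking the main /etc/sudoers of inherited systems before adding anything to it.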

Cheers!!