Re: Oracle instance startup user on Unix

  • From: Paul Drake <bdbafh@xxxxxxxxx>
  • To: rob.langmuir@xxxxxxxxxxxxxxx
  • Date: Wed, 13 Jul 2005 12:10:30 -0400

On 7/13/05, RSL <rob.langmuir@xxxxxxxxxxxxxxx> wrote:
> We have a third-party application, which as part of the installation process,
> uses its own Unix account to create/startup Oracle database/instance. They
> also want to start a listener with this account.
> 
> In the future we plan to add our own instances/databases, and these will all
> be started/created using Oracle account.
> 
> 
> I don't much like the idea of having two separate unix accounts involved in
> creating database(s) and starting instances.
> 
> Although there is no practical reason why this can't be done, can you please
> offer any reasons why you wouldn't/shouldn't do this.
> 
> Thanks..../Bob

Bob,

Since you are supporting multiple databases on a single server, I
highly recommend the use of different accounts owning different
databases and their filesystems so that privilege separation can be
used. In this matter, a cloning exercise of a test database from
production can be carried out under the credentials of an account that
has read permissions on the backup staging directory (user-managed
"hot" backup) and its archived redo logs - without the ability to
write to the filesystems of the production databases.

Have you ever heard of a dba running a CREATE CONTROLFILE script for a
test database that was edited less than perfectly ... overwriting the
production database's datafiles?
With privilege separation using separate accounts, this is not possible.

It's tempting to connect as an account that has dba privs on all
databases ... and one might not ever make a mistake that privilege
separation could have prevented. I can tell you that it saved my
behind on one occasion - and it would have prevented me from trashing
a datafile of a production database when I was in a hurry (and was
sloppy). That happened once and will not happen again.

Paul
--
//www.freelists.org/webpage/oracle-l
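
Added example, not part of the post above: a Python audit of the layout the reply describes, checking that a test-clone account can read the backup staging tree but holds no write bit on the production datafiles. The directory names, file names and the clone account's uid/gids are constructed for illustration.

```python
import os
import stat
import tempfile

def granted_bits(st, uid, gids):
    """rwx bits (0-7) the classic Unix mode grants to uid/gids; ACLs and root are ignored."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit(uid, gids, must_read, must_not_write):
    """Return (problem, path) findings; an empty list means the separation holds."""
    findings = []
    for tree, need_read in [(t, True) for t in must_read] + [(t, False) for t in must_not_write]:
        for dirpath, _dirs, files in os.walk(tree):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue  # a symlink's own mode bits say nothing about its target
                bits = granted_bits(st, uid, gids)
                if need_read and not bits & 4:
                    findings.append(("unreadable", path))
                if not need_read and bits & 2:
                    findings.append(("writable", path))
    return findings

def demo():
    """Constructed layout: prod/ is owner-only, staging/ is group-readable."""
    base = tempfile.mkdtemp()
    prod, staging = os.path.join(base, "prod"), os.path.join(base, "staging")
    datafile, backup = os.path.join(prod, "system01.dbf"), os.path.join(staging, "system01.dbf.bak")
    for d, f, dmode, fmode in [(prod, datafile, 0o700, 0o600), (staging, backup, 0o750, 0o640)]:
        os.mkdir(d)
        open(f, "w").close()
        os.chmod(f, fmode)
        os.chmod(d, dmode)
    st = os.stat(backup)
    clone_uid, clone_gids = st.st_uid + 1, {st.st_gid}  # hypothetical test-clone account
    ok = audit(clone_uid, clone_gids, [staging], [prod])
    os.chmod(datafile, 0o660)  # simulate a group-writable production datafile
    bad = audit(clone_uid, clone_gids, [staging], [prod])
    return ok, bad, datafile

if __name__ == "__main__":
    ok, bad, _ = demo()
    print("separated layout:", ok)
    print("after chmod 660 on a datafile:", bad)
```

The check is conservative: it flags any write bit the account is granted on a path and does not model whether the parent directories let the account reach that path.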
