The oracle binary lives in $ORACLE_HOME/bin with the SUID and SGID bits set; its default mode is 6751.
oracle@sunvs-a@/oracle/oracle/product/10.2.0.1/bin $ ls -l oracle
-rwsr-s--x 1 oracle oinstall 119033912 2月 18日 11:24 oracle
SUID and SGID are set so that a non-oracle user executing the relevant commands runs with the privileges of the oracle user and the oinstall group; the details can be found with man chmod. In short:
SUID 4000
SGID 2000
Sticky bit 1000
After the SUID and SGID bits are set, the corresponding execute permissions (u+x, g+x) must also be set, otherwise the bits do not take effect. In ls -l output a lower-case "s" means the bit is effective and an upper-case "S" means it is not.
SUID    If set, replaces "x" in the owner permissions with "s" if the owner has execute permission, or with "S" otherwise.
SGID    If set, replaces "x" in the group permissions with "s" if the group has execute permission, or with "S" otherwise.
Sticky  If set, replaces "x" in the others permissions with "t" if others have execute permission, or with "T" otherwise.
On the sticky bit:
"When the sticky bit is turned on for a directory users can have read and/or write permissions for that directory, but they can only remove or rename files that they own. The sticky bit on a file tells the operating system that the file will be executed frequently. Files like this are kept in swap space even when they aren't being executed. Although this takes up swap space it greatly reduces the time it takes to execute the program. Some programs such as vi have the sticky bit turned on by default on some Unixes."
On UNIX systems the /tmp directory has the sticky bit set:
oracle@ibmvs_a@/ $ ls -ld tmp
drwxrwxrwt 31 bin bin 24576 Jun 22 13:27 tmp
If the permissions on $ORACLE_HOME/bin/oracle are changed, non-oracle users can no longer log in locally with sqlplus.
[oracle@localhost bin]$cd $ORACLE_HOME/bin
[oracle@localhost bin]$ ls -l oracle
-rwsr-s--x 1 oracle oinstall 93362227 01-20 13:28 oracle
[oracle@localhost bin]$ chmod 777 oracle
[oracle@localhost bin]$ ls -l oracle
-rwxrwxrwx 1 oracle oinstall 93362227 01-20 13:28 oracle
A local login as a non-oracle user now fails with an error:
localhost.localdomain(jzfe)/home/jzfe>uname -a
Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux
localhost.localdomain(jzfe)/home/jzfe>echo $ORACLE_SID
oracle10gwk
localhost.localdomain(jzfe)/home/jzfe>id
uid=500(jzfe) gid=502(oinstall) groups=502(oinstall),503(dba)
localhost.localdomain(jzfe)/home/jzfe>sqlplus jzdb/jzdb
SQL*Plus: Release 10.2.0.1.0 - Production on Mon Jan 24 11:52:13 2011
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-01034: ORACLE not available
ORA-27123: unable to attach to shared memory segment
Linux Error: 13: Permission denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
localhost.localdomain(jzfe)/home/jzfe>
Logging in through a TNS alias still works, because that connection is handled by the listener, which starts the server process as the oracle user; a local login without an alias runs the oracle binary in the caller's own context, and without SUID/SGID that process cannot attach to the SGA shared memory owned by oracle (hence ORA-27123).
localhost.localdomain(jzfe)/home/jzfe>sqlplus jzdb/jzdb@oracle10gwk
SQL*Plus: Release 10.2.0.1.0 - Production on Mon Jan 24 11:52:28 2011
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL>
SQL>
SQL> Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
localhost.localdomain(jzfe)/home/jzfe>
localhost.localdomain(jzfe)/home/jzfe>
In addition, under Solaris 10 the $ORACLE_HOME/bin directory contains other files with SUID and SGID set:
oracle@sunvs-a@/oracle/oracle/product/10.2.0.1/bin $ ls -l|grep ^...s
-rwsr-s--x 1 oracle oinstall 56904 2月 18日 11:08 emtgtctl2
-rwsr-x--- 1 root oinstall 28832 2月 18日 11:25 extjob
-rwsr-s--- 1 root oinstall 15556 2月 18日 11:08 nmb
-rwsr-s--- 1 root oinstall 16468 2月 18日 11:08 nmo
-rwsr-s--x 1 oracle oinstall 119033912 2月 18日 11:24 oracle
-r-sr-s--- 1 root oinstall 185304 2006 2月 20 oradism
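As an added check that is not part of the original post: the script below audits the set-id bits of a bin directory, flags bits that are ineffective (the upper-case "S" case) and shows the chmod 777 experiment from above turning a passing check into a failing one. It assumes GNU coreutils/findutils (stat -c, find -printf) and builds a constructed, throw-away directory instead of touching a real $ORACLE_HOME; file ownership is not checked.

```sh
#!/bin/sh
# Constructed example: audit SUID/SGID bits on an Oracle-style "bin" directory.
# Assumes GNU stat/find (Linux). Expected mode of the oracle binary is 6751.

EXPECTED_ORACLE_MODE=6751   # -rwsr-s--x, the default shown above

# Print the 4-digit octal mode of a file, e.g. 6751 or 0777.
file_mode() {
    stat -c '%04a' "$1"
}

# Succeed only if the file has exactly the expected octal mode.
check_mode() {
    [ "$(file_mode "$1")" = "$2" ]
}

# Regular files with SUID or SGID set: "mode owner:group name", sorted by name.
list_setid() {
    find "$1" -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%04m %u:%g %f\n' | sort -k3
}

# Files whose set-id bit lacks the matching execute bit (ls -l shows "S").
ineffective_setid() {
    find "$1" -maxdepth 1 -type f \
        \( \( -perm -4000 ! -perm -0100 \) -o \( -perm -2000 ! -perm -0010 \) \) \
        -printf '%f\n' | sort
}

# Build a temporary directory that imitates the Solaris listing above (constructed).
make_fixture() {
    d=$(mktemp -d)
    for f in oracle emtgtctl2 extjob nmb nmo oradism broken; do : > "$d/$f"; done
    chmod 6751 "$d/oracle" "$d/emtgtctl2"
    chmod 4750 "$d/extjob"
    chmod 6750 "$d/nmb" "$d/nmo"
    chmod 6550 "$d/oradism"
    chmod 6644 "$d/broken"     # set-id bits without execute: ineffective
    echo "$d"
}

# Demo: the audit passes, then fails after the chmod 777 from the experiment above.
demo() {
    d=$(make_fixture)
    check_mode "$d/oracle" "$EXPECTED_ORACLE_MODE" && echo "oracle: OK ($EXPECTED_ORACLE_MODE)"
    echo "set-id files:"; list_setid "$d"
    echo "ineffective set-id bits:"; ineffective_setid "$d"
    chmod 777 "$d/oracle"      # clears SUID/SGID, exactly as in the experiment above
    check_mode "$d/oracle" "$EXPECTED_ORACLE_MODE" || echo "oracle: mode is now $(file_mode "$d/oracle"), local non-oracle logins will fail"
    rm -rf "$d"
}
demo
```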