Sudo configuration – allow a limited subset of commands to be run as Oracle

We currently create dba group users for our POC customers. While this allows them to run basic DBA commands (and get themselves into trouble), it does prevent them from doing several things, which leads them to ask us for assistance.

Mainly these are tasks like starting/stopping dbconsole and running srvctl.

The ‘mts’ user in this example was created with primary group oinstall and secondary group dba.

Use visudo to edit the /etc/sudoers file

[root@ed2hcomp06 ~]# visudo

Find the line for ‘env_reset’ and comment it out.

Find the line for ‘env_keep’ and add the Oracle environment variables to the list: ORACLE_BASE, ORACLE_HOME, ORACLE_SID, ORACLE_UNQNAME.

#Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY ORACLE_HOME ORACLE_SID ORACLE_BASE ORACLE_UNQNAME"

Add a line creating a user alias for the Oracle command users and put the mts user in it (you can put multiple users in the alias; just make a comma-separated list).

User_Alias      USR_ORCL_ADMIN  =       mts

Add a line allowing members of the USR_ORCL_ADMIN alias to run the commands in the command alias CMD_ORCL_ADMIN as oracle, without a password.

USR_ORCL_ADMIN  ALL=(oracle)    NOPASSWD:       CMD_ORCL_ADMIN

Create the command alias and populate it with the commands you want them to be able to run as oracle.

Cmnd_Alias      CMD_ORCL_ADMIN=/u01/app/11.2.0/grid/bin/srvctl, \
/u01/app/11.2.0/grid/bin/crs_getperm, \
/u01/app/oracle/product/11.2.0/dbhome_1/bin/srvctl, \
/u01/app/oracle/product/11.2.0/dbhome_1/bin/emctl, \
/u01/app/11.2.0/grid/bin/emctl

Save your file in visudo and exit. visudo prints some informational messages to the screen, and errors if any of your entries were not correctly formatted:

"/etc/sudoers.tmp" 104L, 3568C written
visudo: Warning: unused Cmnd_Alias DELEGATING
visudo: Warning: unused Cmnd_Alias DRIVERS
visudo: Warning: unused Cmnd_Alias LOCATE
visudo: Warning: unused Cmnd_Alias NETWORKING
visudo: Warning: unused Cmnd_Alias PROCESSES
visudo: Warning: unused Cmnd_Alias SERVICES
visudo: Warning: unused Cmnd_Alias SOFTWARE
visudo: Warning: unused Cmnd_Alias STORAGE

Now the user should be able to run the delegated commands as oracle:

[mts@ed2hcomp05 ~]$ sudo -u oracle emctl status dbconsole
Oracle Enterprise Manager 11g Database Control Release 11.2.0.2.0
Copyright (c) 1996, 2010 Oracle Corporation.  All rights reserved.
https://ed2hcomp05.ssclabs.net:5501/em/console/aboutApplication
Oracle Enterprise Manager 11g is running.
------------------------------------------------------------------
Logs are generated in directory /u01/app/oracle/product/11.2.0/dbhome_1/ed2hcomp05_JASPER/sysman/log

Risks – if you give someone access to srvctl they could stop a database that does not belong to them, but this is a risk for *any* dba group user.
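The same delegation gathered into a single drop-in file, as an added example that is not from the original post. It assumes the host's /etc/sudoers carries an "#includedir /etc/sudoers.d" line, and it departs from the steps above in two defensive ways: env_reset stays in force and the Oracle variables are added with env_keep += only for these users, and the database-home emctl is narrowed to the dbconsole subcommands the post actually uses (the subcommand list is my choice, not the post's).

```sudoers
# /etc/sudoers.d/oracle_admin  (constructed example; install mode 0440)
# Check syntax before relying on it:  visudo -cf /etc/sudoers.d/oracle_admin
# Show the resulting grant for a user:  sudo -l -U mts

# Who gets the delegation (comma-separate to add more users).
User_Alias      USR_ORCL_ADMIN = mts

# What they may run. Full paths only, so nothing on the caller's PATH can
# stand in for the real binary. The database-home emctl is limited to the
# dbconsole subcommands; srvctl, crs_getperm and the grid emctl are granted
# whole, exactly as in the post.
Cmnd_Alias      CMD_ORCL_ADMIN = /u01/app/11.2.0/grid/bin/srvctl, \
    /u01/app/11.2.0/grid/bin/crs_getperm, \
    /u01/app/oracle/product/11.2.0/dbhome_1/bin/srvctl, \
    /u01/app/oracle/product/11.2.0/dbhome_1/bin/emctl start dbconsole, \
    /u01/app/oracle/product/11.2.0/dbhome_1/bin/emctl stop dbconsole, \
    /u01/app/oracle/product/11.2.0/dbhome_1/bin/emctl status dbconsole, \
    /u01/app/11.2.0/grid/bin/emctl

# Leave "Defaults env_reset" in the main file as it is. Instead of turning
# it off for everyone, pass through only the Oracle variables, and only for
# the users in this alias.
Defaults:USR_ORCL_ADMIN env_keep += "ORACLE_BASE ORACLE_HOME ORACLE_SID ORACLE_UNQNAME"

# The grant: these users, on any host, may run the alias as oracle with no
# password (drop NOPASSWD: if you would rather they re-authenticate).
USR_ORCL_ADMIN  ALL = (oracle) NOPASSWD: CMD_ORCL_ADMIN
```

With the subcommands spelled out, "sudo -u oracle emctl status dbconsole" still works while "sudo -u oracle emctl" with any other arguments is refused; the same technique can be applied to srvctl if you want to pin it to one database.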
