Advanced Oracle Utilities: The Definitive Reference by Rampant TechPress is written by top Oracle database experts (Bert Scalzo, Donald Burleson, and Steve Callan). The following is an excerpt from the book.
In UNIX, a user named oracle is generally created to become the owner of the Oracle software on the UNIX server.

In addition to the oracle user, other UNIX users may be created and granted access to certain oracle files on the server. First on the menu is how UNIX manages user IDs and groups.
UNIX group management
Groups are defined in a file called /etc/group. Each line of the /etc/group file contains group data separated by a colon ":". This file defines each group and contains the following values:

group name : group_nbr : members of the group
root> cat /etc/group
root::0:root
bin::2:root,bin,daemon
mail::6:root
tty::7:root,tty,adm
lp::8:root,lp,adm
nuucp::9:root,nuucp
daemon::12:root,daemon
dba::102:oracle,oradev
mysql::104:
Now see how user information is stored inside UNIX.
UNIX user management
UNIX users are controlled by a special file called /etc/passwd. This file contains a series of strings separated by colons ":". The values are:

username : password : user_nbr : group_nbr : default shell
root> cat /etc/passwd
oracle:x:108:102::/export/home/oracle:/bin/ksh
oradev:x:109:102::/export/home/oradev:/bin/ksh
From the above listing, it can be determined that the oracle user has an encrypted password in /etc/shadow, that they are user 108, and that they are in group 102. The oracle user has /export/home/oracle for a home directory, and they are using the Korn shell as a default shell.
For some people, the John the Ripper tool, explained later, meets the definition of a utility. But for the purposes of this book, it definitely does not.
UNIX passwords on Oracle servers
UNIX passwords are extremely vulnerable to hacking. Users can change their passwords by invoking the passwd command.

Note that the listing of /etc/passwd does not contain the encrypted passwords for the user IDs, and the password column is denoted with an "x". This indicates that the system administrator is storing the passwords in another special file called /etc/shadow.

However, protecting passwords in a /etc/shadow file is not always enough to ensure security. Several tools such as John the Ripper can be used to easily crack the password hashes held in these UNIX files, stealing access to the Oracle server and all database data. To learn how to protect a UNIX password from hacking, see the UNIX password cracker at http://www.openwall.com/john/.
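The two listings above, turned into a small audit as an added example (not code from the book): it parses /etc/passwd and /etc/group in the field layouts described in this section, lists every account that belongs to the dba group (by primary group_nbr or by the /etc/group member list), and flags any account whose password field is not shadowed with "x" or locked. The sample file contents are constructed for the example; the legacy and guest accounts and the hash placeholder are invented and do not come from the book.

```python
# Constructed sample files patterned on the book's listings, not copied from a real host.
SAMPLE_GROUP = """\
dba::102:oracle,oradev
mysql::104:
"""

SAMPLE_PASSWD = """\
oracle:x:108:102::/export/home/oracle:/bin/ksh
oradev:x:109:102::/export/home/oradev:/bin/ksh
legacy:$1$saltsalt$HASH_PLACEHOLDER:110:102::/export/home/legacy:/bin/ksh
guest::111:104::/tmp:/bin/sh
"""

# Values that legitimately sit in the password field: 'x' (hash lives in /etc/shadow)
# and the lock markers used by common UNIX variants. Anything else is an exposed hash.
PLACEHOLDERS = {"x", "*", "!", "!!"}


def parse_group(text):
    """group_name : password : group_nbr : members  ->  {name: (gid, [members])}"""
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_passwd(text):
    """username : password : user_nbr : group_nbr : gecos : home : shell  ->  {name: dict}"""
    users = {}
    for line in filter(None, text.splitlines()):
        name, pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"password": pw, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def group_members(passwd, groups, group_name):
    """Everyone in a group: primary group_nbr in /etc/passwd plus the /etc/group member list."""
    gid, listed = groups[group_name]
    primary = {u for u, info in passwd.items() if info["gid"] == gid}
    return sorted(primary | set(listed))


def password_findings(passwd):
    """Accounts whose password field is neither shadowed nor locked."""
    findings = []
    for name, info in passwd.items():
        if info["password"] == "":
            findings.append((name, "empty password field"))
        elif info["password"] not in PLACEHOLDERS:
            findings.append((name, "password hash exposed in world-readable /etc/passwd"))
    return sorted(findings)
```

Run against the real files by passing the contents of /etc/passwd and /etc/group to the two parsers; any finding means the hash is readable by every local user rather than only by root through /etc/shadow.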
UNIX connectivity for Oracle
When the Oracle DBA creates the tnsnames.ora file to define remote databases, they often specify the host name of the foreign server that contains the remote Oracle database instead of the TCP/IP address. For example, an entry in the tnsnames.ora file for a remote database might look like this:
kc =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS =
        (COMMUNITY = TCP)
        (PROTOCOL = TCP)
        (HOST = gates)
        (PORT = 1521)
      )
    )
    (CONNECT_DATA = (SID = bbq))
  )
This shows a TNS service name of kc, which defines a connection to a remote server named gates that contains an Oracle database named bbq. When a remote connection request is made from the UNIX server, the /etc/hosts file is accessed to get the IP address for the gates server. The listing below shows that the gates server is located at 192.133.13.12.

In sum, the /etc/hosts file is used to isolate the IP address from the tnsnames.ora file. If the IP address should ever change, the UNIX systems administrator only needs to change the IP address in one place.
192.133.13.22   gates   gates.com
192.144.13.22   dopey   dopey.com
Many of the UNIX commands used to manage an Oracle database are similar, or at times even identical, to the Windows commands.