Say I have an Oracle directory and have granted it to user 'scott':
CREATE OR REPLACE DIRECTORY dataFolder AS '/data/';
GRANT READ, WRITE ON DIRECTORY dataFolder TO scott;
Then, I have a shell script say ExtractData.sh which uses UTL_FILE to convert BLOB data from database to physical files stored in the above directory dataFolder.
However, due to a security concern on the server, this /data/ directory is only given 770 permission, hence causing my script to fail to write files into the directory.
But when I change the permission to 777, the script successfully writes the file.
How can I solve this without giving 777 permission?
You failed to mention the owner of the directory.
Use a directory owned by oracle or in the osoper or dba group and you won't need 777 permissions. Apparently the directory is owned by root or some other user, so owner and group bits aren't helping you.
You can use chown to change ownership.
chown oracle:osoper /data
Just make sure you are aware of other programs accessing /data; if you change ownership, make sure to adjust privs accordingly.
ORA-39001: invalid argument value
ORA-39000: bad dump file specification
ORA-31640: unable to open dump file "/nav_db_dir/cmODF_odf_nav_db/ashsahu/gabq418/RDF_ANT_181G0/RDF_WTA_181G0_ANT.dmp" for read
ORA-27037: unable to obtain file status
Linux-x86_64 Error: 2: No such file or directory
Additional information: 3
Below is my command. I have created the directory object directoryObject with path /import/datatest.
impdp username/password@sid table_exists_action=REPLACE tables=SCHMEA.TABLE1,SCHMEA.TABLE2, SCHMEA.TABLE3, SCHMEA.TABLE4, SCHMEA.TABLE5 DIRECTORY=directoryObject remap_schema=SCHMEA:username remap_tablespace=SCHMEA_DA:username_DA dumpfile=file.dmp exclude=grant nologfile=y
And I have given full access to this directory using chmod 777 /import/datatest (rwxrwxrwx).
You should have posted the whole IMPDP command.
I suspect that you misunderstood/misused the DIRECTORY parameter.
It is an Oracle object, created by SYS, and is only (generally speaking) a "pointer" to a physical directory on the database server's hard disk. After it is created, SYS should give you (i.e. the user which is running the IMPDP command) read (and, possibly, write) privileges on that directory.
Then you'd use it as
impdp scott/tiger@orcl directory=IMP_DIR dumpfile=mydump.dmp logfile=imp.log
      -----                      -------
      is granted READ privilege     |
                            directory object
Finally, mydump.dmp (or whatever its name is) must reside in that directory on the server.
To add to what @Littlefoot said:
Example:
Create directory datapump as '/import/datatest';
Grant read,write on directory datapump to scott;
And then the dump file should reside @ /import/datatest
Make sure also that the username that Oracle is running as, let's say "oracle", has access to both the "/import" directory, and the "/import/datatest" directory. Make sure that the user can "cd" into /import/datatest.
I have a folder with drwxrwxr-x permissions, where the owner is uploading his own files.
I want to upload on that directory a readme file. The owner of the folder shouldn't have the right to delete that file. How I can do that? What rights should I set for the directory & for the file.
There are ways of doing this with ACLs, but the easiest way, if your OS supports it, is to make readme an immutable file. A file with the immutable flag can't be modified, deleted, or renamed, even by the owner or the owner of the containing directory. On Linux, this would be done with sudo chattr +i /path/to/directory/readme. On Linux, not even the owner of a file can remove the immutable flag (well, unless the owner can run a process with the CAP_LINUX_IMMUTABLE capability).
The file should have drwxr--r--, this way only you, the owner of the file, have the ability to delete it.
chmod 744 <file>
With the help of Stack Overflow, I've been able to export a dump file of my database from my local machine. The command I used is as follows:
host expdp tkcsowner/tkcsowner@xe version=10.2 schemas=tkcsowner dumpfile=tnrg.dmp logfile=tnrg.log
Now, my local machine has the OS Windows 7, 32-bit. Hardly a server. It's got Oracle 11g. I want to transfer it to another machine, the test server, running Linux. It has Oracle 10g.
I am in no way a Linux / Unix expert, but I do have some instructions left for me by the previous person who handled such.
First, I change privileges to root user via 'su -' - No problems there.
Log in as 'sqlplus /nolog', and then 'connect sys/sys@xe as dba' - No problems there, either.
I created a logical dump directory (not sure if this step is needed, but I did it anyway):
create or replace directory dumpdir as 'usr/lib/oracle/xe/app/oracle/admin/XE/dpdump';
Done, no problems.
So I take it TNRG.dmp and tnrg.log should be inside that directory. Unfortunately, it could not be copied, for some reason. Access denied. I figured I should log out, log in as root, and copy the stuff from there. It worked, but just to be safe, I logged out of the root, logged back in as my normal user, and did everything above again. D'oh.
Finally, with all the stuff in place, now comes the time to import the .dmp and .log. Huzzah!
impdp tkcsowner/tkcsowner@xe schemas=tkcsowner dumpfile=TNRG.dmp logfile=tnrg.log
Lo and behold, it asks for a username and password. Is it because tkcsowners does not exist on the 10g database? Anyway, I put in 'system' for both. It continued, but warning bells already set off in my head.
Suddenly:
Connected to: Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production
ORA-39002: invalid operation
ORA-39070: unable to open the log file.
ORA-29283: invalid file operation
ORA-06512: at "SYS.UTL_FILE", line 475
ORA-29283: invalid file operation
At which point, I'm not sure how to proceed. I went into the directory via the command line, and ls -l'ed the contents, showing that both the .dmp and .log have three rwx's, for root. What I have yet to try was to run the entire operation while logged in as root, but I'm not sure how that would change anything.
The directory that your dumpdir database directory object points to needs to be a valid existing directory - at least by the time you use it, it won't check or complain when you create the object - and it needs to be readable and writable by the user that Oracle is running under, which is usually oracle.
Your initial directory creation had 'usr/lib/oracle/... rather than '/usr/lib/oracle/..., but even with that corrected the directory might not be usable by the oracle account. Since you created the directory as root, it is probably still owned by root:root and with permissions 700 (if you do ls -ld /usr/lib/oracle/xe/app/oracle/admin/XE/dpdump that will show as drwx------).
You need to change that to be owned by Oracle, using the correct owner and group - that's probably oracle:dba or oracle:oinstall, but check the owner of the XE directory. And then change the ownership of the directory and the files you copied into it:
chown -R oracle:dba /usr/lib/oracle/xe/app/oracle/admin/XE/dpdump
and set the directory permissions to a suitable level; if you don't want anyone else to create or modify files, but you don't mind them seeing what's there, then something like:
chmod 755 /usr/lib/oracle/xe/app/oracle/admin/XE/dpdump
If you want to be able to copy your .dmp file in as yourself (not root or oracle) and you aren't in the dba group then make it 777. You said the files you copied are 777, which is a little odd as they aren't executable, and could currently be removed by anyone; again to make them just readable:
chmod 644 /usr/lib/oracle/xe/app/oracle/admin/XE/dpdump/*
You don't need the export log from the other system though, just the dump file itself. The logfile parameter for impdp will create a log of the import process; since you used the same file name it will overwrite the export log you copied across. That probably doesn't matter since you still have the original, but something to watch for in the future. It does mean the existing log file has to be writable by oracle though.
You also need to make sure the Oracle owner has appropriate access to the whole directory tree, but it seems likely that they already own XE so I don't think that's an issue here. You shouldn't really need to do any of this as root. If you don't have the oracle password you can su to the account from root anyway, which removes the need to manually change ownership later.
The impdp command is initiated from outside Oracle (probably with root in your case) but mainly executed by the Oracle server processes. In particular, the dump and log files are directly accessed by the Oracle server processes (and not by the initiating command). As a result, the file protections need to be set such that the oracle user can access them.
So execute the following (as root) and try again:
chown -R oracle:oinstall /usr/lib/oracle/xe/app/oracle/admin/XE/dpdump
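As an added example (not code from any of the answers above), this script checks from the mode bits whether the OS account Oracle runs as can use a directory without 777: it needs rwx on the directory itself and search (x) permission on every ancestor, which is what the answers about /data, /import/datatest and the dpdump directory describe. It assumes Linux `stat -c` and `id`, ignores ACLs and root's bypass, and the function names perm_digit and check_db_dir are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes Linux `stat -c` and
# `id`; POSIX ACLs and root's permission bypass are deliberately ignored.
# Usage after sourcing: check_db_dir oracle /data

# perm_digit USER PATH: print the rwx digit (0-7) the mode bits give USER.
perm_digit() {
    uid=$(id -u "$1") gids=$(id -G "$1")
    set -- $(stat -c '%a %u %g' "$2")        # $1=mode $2=owner uid $3=group gid
    mode=$(printf '%03d' $(( $1 % 1000 )))   # drop setuid/setgid/sticky digit
    rest=${mode#?}
    if [ "$2" = "$uid" ]; then
        echo "${mode%??}"                    # owner class applies
    else
        case " $gids " in
            *" $3 "*) echo "${rest%?}" ;;    # group class applies
            *)        echo "${mode#??}" ;;   # other class applies
        esac
    fi
}

# check_db_dir USER DIR: return 0 only if USER has rwx on DIR, DIR is not
# world-writable, and USER has x (search) on every ancestor up to /.
check_db_dir() {
    case $2 in
        /*) ;;
        *)  echo "FAIL $2: absolute path required"; return 2 ;;
    esac
    who=$1 p=$2 rc=0
    d=$(perm_digit "$who" "$p")
    [ "$d" -eq 7 ] || { echo "FAIL $p: $who gets $d, needs 7 (rwx)"; rc=1; }
    case $(stat -c '%a' "$p") in
        *[2367]) echo "FAIL $p: world-writable"; rc=1 ;;
    esac
    while [ "$p" != / ]; do
        p=$(dirname "$p")
        d=$(perm_digit "$who" "$p")
        [ $(( d & 1 )) -eq 1 ] || { echo "FAIL $p: $who lacks x (search)"; rc=1; }
    done
    return $rc
}
```

A directory that is 770 and owned by the oracle account, or by a group that account belongs to, passes; 777 is reported as world-writable even though the write would succeed.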
I have used chmod 0000 on a directory yet the directory can still be renamed. How can I prevent a user from modifying the name of a directory?
Removing write permission on the parent directory should do the trick.
If you own a file (or directory) you can still perform various operations on it regardless of permissions including mv, rm and chmod. Other users cannot perform these options based on write permissions. If you want to prevent the owner from moving the directory, you can't. The owner can always use chmod on the file. The only solution would be to change the owner of the file or move the file under a write-protected directory that the user does not own.
I have a file created by the oracle user with permission rw-r--r-- and the parent folder has rwxrwsr-x permission. Now, there is a requirement for the batch user to edit this file. But, as you can see, the file can be edited only by the owner, i.e. the oracle user.
I tried using chmod command to change the permission of the file but batch user is not having permission to execute this command.
Is there any fix for this issue?
Can we do some configuration in UNIX so that it allows batch user to edit the file created by oracle user.
Edit: Corrected the parent folder permission. Earlier I mentioned it as rwxrw-r-x.
The directory permissions for 'group' (rw-) are unusual (rwx or r-x would be more usual).
You don't identify which group the file belongs to, nor which group the directory belongs to, nor which group(s) the batch user belongs to, but it probably doesn't matter.
Update after quoted permissions on directory changed: Given that the group can read the file, and create files in the directory, then if your batch user belongs to the group that owns the directory, the batch user can make a copy of the file (in the editor), remove the original file, and write back a new file in the directory.
Does your system support ACLs (access control lists)? If so, then the 'oracle' user as the file owner could grant the batch user read/write access to the file even though the normal Unix permissions don't show that it could happen.
Can you persuade the 'oracle' user to create the file belonging to an appropriate group (one which the batch user also belongs to) and with appropriate group permissions.
If nothing works there, then you are reduced to SUID programs in some shape or form - maybe SUID 'oracle' or SUID 'root'. One option was mentioned in a comment - the sudo command with some vaguely appropriate arguments.
I notice you have the +s bit set on the directory.....
If you change the directory owner to that of the batch user the owner of any newly created files should be owned by that user and you can then do what you want with them.
If your batch user is in the same group as the oracle user, you can do this:
chmod g+w filename
This should make the file writable for the group.
Run the UNIX command groups to determine which groups a user is in, or check /etc/passwd and /etc/group.