After Linux is installed and
rebooted, information screens walk you through the license information
and an option to create a user. Taking this opportunity to create
another user besides root is a recommended practice. This is because the
Oracle user is needed along with groups for the Oracle software
inventory and dba group. Oracle software should be installed under the
Oracle user created here, but additional users can also be created now,
as needed, for supporting different pieces of the software or for
different options that may be installed.
Figure 1 shows the creation of the groups needed for Oracle installs,
using the command line in the terminal window. The groups are created
using the groupadd command and then associated with a user ID using
usermod with the listed parameters and options. The figure also shows
how the password for a user can be easily changed with the passwd
command. Adding another ID, such as osasm to manage the Automatic
Storage Management instance, can be accomplished with the useradd
command.
The users and groups can be
reviewed and managed using the User Manager in System Tools. This
interface is also available for creating new users and for associating
the groups to the user instead of using the command line in the terminal
window. Any users created using this tool and even the users created by
the command line, as in Figure 2-4,
also have a home directory that is created for them at the same time
they are created. The Add User and Add Group in the User Management Tool
do the same task as the useradd and groupadd commands; the tools in
Linux make it easy to perform these tasks in a way that is most
familiar, with either the command lines or user interfaces.
Q: Are there security concerns with adding users? Do you really need any other users besides root and oracle?
A: Security for the operating system is important. Make sure that logins are
created for users to install the Oracle software and that additional
users are created for the purpose of allowing database administrators to
log in and maintain Oracle and the database. Anyone logging into the
system should have their own user ID; use of the Oracle login should be
limited to installation and patching of the software. Different users
should have permissions to access only areas that they should be allowed
to access in order to perform tasks as needed. File system permissions
should only be granted to the groups and users that need the access, and
should be limited where possible. Research best practices for security
and don’t share logins or root passwords. Keep the environment secure by
limiting access to the Oracle software directories; make sure it is not
open to just any user who is able to log into the server.
The Oracle user needs certain other permissions along with resource
permissions for the software to run well. This is done by adding the
Oracle user to the /etc/security/limits.conf file and adding session
information to the /etc/pam.d/login file. The file limits.conf, as
listed next, shows the Oracle user added at the end of the file with
values for the nproc and nofile resource parameters. These files can be
edited with Notepad or a similar editing program when you open the files
by using Explorer windows:
limits.conf file:
#<domain> <type> <item> <value>
#
oracle soft nproc 2047
oracle hard nproc 16384
oracle soft nofile 1024
oracle hard nofile 65536
# End of file
/etc/pam.d/login file:
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
# Session entries that apply the limits.conf resource limits at login
session required /lib/security/pam_limits.so
session required pam_limits.so
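The two files can be checked from the terminal before the Oracle install is started. The following script is an added example, not part of the original text: the function names are hypothetical, the minimums are the values in the limits.conf listing above, and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit the oracle limits and the pam_limits session rule.
# Minimums are the values from the limits.conf listing on this page.

# limit_value FILE USER TYPE ITEM: print the value on the last matching line
limit_value() {
    awk -v u="$2" -v t="$3" -v i="$4" \
        '$1 == u && $2 == t && $3 == i { v = $4 } END { print v }' "$1"
}

# check_limits FILE USER: return 0 only if all four limits meet the minimums
check_limits() {
    rc=0
    for spec in soft:nproc:2047 hard:nproc:16384 soft:nofile:1024 hard:nofile:65536; do
        kind=${spec%%:*}; rest=${spec#*:}; item=${rest%%:*}; min=${rest#*:}
        val=$(limit_value "$1" "$2" "$kind" "$item")
        case $val in
            '') echo "MISSING $2 $kind $item (need >= $min)"; rc=1 ;;
            *[!0-9]*) echo "REVIEW $2 $kind $item = $val (not a number)"; rc=1 ;;
            *) [ "$val" -ge "$min" ] || { echo "LOW $2 $kind $item = $val (need >= $min)"; rc=1; } ;;
        esac
    done
    return $rc
}

# check_pam FILE: return 0 if an uncommented session rule loads pam_limits.so
check_pam() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_limits\.so' "$1"
}

# Constructed sample files (not from a real host): the hard nofile limit is too low
demo=$(mktemp -d)
printf '%s\n' '#<domain> <type> <item> <value>' 'oracle soft nproc 2047' \
    'oracle hard nproc 16384' 'oracle soft nofile 1024' 'oracle hard nofile 4096' > "$demo/limits.conf"
printf '%s\n' '#%PAM-1.0' 'session required pam_limits.so' > "$demo/login"
check_limits "$demo/limits.conf" oracle || echo "limits.conf needs attention"
check_pam "$demo/login" && echo "pam_limits.so session rule present"
rm -rf "$demo"
```

On a real server, point the functions at /etc/security/limits.conf and /etc/pam.d/login; a limit set in limits.conf has no effect on login sessions unless the pam_limits.so session rule is present.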
Now
the operating system is installed and users and groups are created and
configured with the needed permissions. You still need to verify (and
possibly update) some configurations needed by the kernel parameters so
that they match at least the minimum requirements for Oracle. The Oracle Quick Installation Guide
is the reference for these requirements. We hope that you are starting
to see the importance of these documents and why these pieces of
information should be gathered before you start the installs.