UNIX: Do I Need To Use The "oinstall" Group?

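This article discusses the importance of using the oinstall group when installing Oracle software, and in particular how to configure permissions when multiple database instances are managed by different users.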

Applies to:

Oracle Universal Installer - Version: 11.1.0.6 and later [Release: 11.1 and later]

Purpose

To discuss the issues which determine whether the "oinstall" group should be used when installing Oracle software.

Scope and Application

This article is intended for anyone who needs to configure multiple databases on the same system, where those databases will have different DBA users/accounts which should not have cross-database privileges.

UNIX: Do I Need To Use The "oinstall" Group?

 

On most UNIX platforms, the Database Software Installation Guide contains a statement similar to the following (the actual text will vary in different releases):

Create a UNIX Group for the OUI Inventory

... create a group named oinstall. The oinstall group will own the OUI oraInventory. The user account that runs the installation must be a member of this group.


Historically, the "oracle" user belonged to the "dba" group only.  When all database instances on the same system will be managed by the same "oracle" user, the "oinstall" group may not be necessary for versions before 11g.  However, for 11g and higher versions, you should always use the oinstall group.

Before discussing the "oinstall" group further, a quick review of the oraInventory is in order.

The oraInventory is a directory structure containing many sub-directories and files. There is normally only one oraInventory per system, and the location of the oraInventory is determined by the contents of the /var/opt/oracle/oraInst.loc file. A few platforms use the /etc/oraInst.loc file instead.  The oraInst.loc file typically contains just two lines: the location of the oraInventory directory and the group the oraInventory belongs to.  Here is an example:

inventory_loc=/u01/app/oracle/oraInventory
inst_group=oinstall


The oraInventory contains information about all Oracle products installed and their locations and versions. The oraInventory is read from and written to each time the Oracle Universal Installer (OUI) is run. This means that in order to install/deinstall an Oracle product, the user/group running the installer must have permissions to read/write the oraInventory.

If you plan to have multiple database instances which will not be managed by the same user account, then the "oinstall" group must be used, even on versions before 11g. Here is an example scenario:

You have one system which will run two different database instances. One of the instances is named JOE and will be managed by the "oracleJOE" user. The other instance is named TOM and will be managed by the "oracleTOM" user.  You do not want to allow oracleJOE access to the TOM instance, and you do not want to allow oracleTOM access to the JOE instance.

In this scenario there are two different UNIX users, but both users must be able to read/write the shared oraInventory.  Since each user should only have access to their own instance, you cannot make the OSDBA group (typically "dba") the same for both users.  Membership of a user in the OSDBA group is what allows a user to connect without a username or password (connect / as sysdba).  This is where the "oinstall" group comes in.  The "oinstall" group is not the OSDBA group for either instance; it is used only to manage the oraInventory.  Here is how the two UNIX users would be set up:

User       Primary               Secondary      Instance
           Group (oraInventory)  Group (OSDBA)
---------  --------------------  -------------  --------
oracleJOE  oinstall              dbaJOE         JOE
oracleTOM  oinstall              dbaTOM         TOM


Since the oraInventory is owned by the oinstall group, both users can write/update the oraInventory because they both have oinstall as their primary group. However, since each instance has a unique OSDBA group, each user is restricted to their own instance.

For this to work correctly, the /etc/group file entry for the "oinstall" group must contain both "oracleJOE" and "oracleTOM". In addition, the /etc/group file entry for the "dbaJOE" group must contain the "oracleJOE" user, and the "dbaTOM" group must contain the "oracleTOM" user.

Here is an example of how to create the user accounts on Linux:

/usr/sbin/useradd -g oinstall -G dbaJOE oracleJOE
/usr/sbin/useradd -g oinstall -G dbaTOM oracleTOM


The example above assumes the dbaJOE, dbaTOM, and oinstall groups are already created.

Note:  The configuration in this article requires that database instances which have different OSDBA groups also have different ORACLE_HOMEs, even if the ORACLE_HOMEs are for the same version. Multiple database instances can share the same ORACLE_HOME, but only if they also share the same OSDBA group.
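
The following script is an added example, not part of the original Oracle note. It audits the layout described above: each DBA account must be in the inventory group named in oraInst.loc and in exactly one OSDBA group. The account oracleBAD, the GIDs and all file contents are constructed samples; on a live system the functions would be pointed at /etc/group, /etc/passwd and the real oraInst.loc.

```shell
#!/bin/sh
# Added example: audit the oinstall / per-instance OSDBA group layout.
# All file contents below are constructed samples, not from a real host.

# Print the inst_group value from an oraInst.loc-format file.
inventory_group() { sed -n 's/^inst_group=//p' "$1" | head -n 1; }

# groups_of USER GROUPFILE PASSWDFILE: list the user's groups, one per line
# (primary group via the passwd GID, secondary groups via member lists).
groups_of() {
    awk -F: -v u="$1" '
        FNR == NR { if ($1 == u) gid = $4; next }
        gid != "" && $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$3" "$2"
}

# audit_user USER INVENTORY_GROUP "OSDBA_GROUPS" GROUPFILE PASSWDFILE
audit_user() {
    _mine=$(groups_of "$1" "$4" "$5"); _count=0
    for _g in $3; do
        if printf '%s\n' "$_mine" | grep -qxF "$_g"; then _count=$((_count + 1)); fi
    done
    if ! printf '%s\n' "$_mine" | grep -qxF "$2"; then
        echo "$1: FAIL not in inventory group $2"
    elif [ "$_count" -ne 1 ]; then
        echo "$1: FAIL member of $_count OSDBA groups"
    else
        echo "$1: OK"
    fi
}

demo=$(mktemp -d)
printf '%s\n' 'inventory_loc=/u01/app/oracle/oraInventory' 'inst_group=oinstall' \
    > "$demo/oraInst.loc"
cat > "$demo/group" <<'EOF'
oinstall:x:54321:
dbaJOE:x:54322:oracleJOE,oracleBAD
dbaTOM:x:54323:oracleTOM,oracleBAD
EOF
cat > "$demo/passwd" <<'EOF'
oracleJOE:x:1001:54321::/home/oracleJOE:/bin/sh
oracleTOM:x:1002:54321::/home/oracleTOM:/bin/sh
oracleBAD:x:1003:54321::/home/oracleBAD:/bin/sh
EOF

inv_group=$(inventory_group "$demo/oraInst.loc")
for u in oracleJOE oracleTOM oracleBAD; do
    audit_user "$u" "$inv_group" "dbaJOE dbaTOM" "$demo/group" "$demo/passwd"
done
```

Accounts created with useradd -g oinstall carry that group as the GID in the passwd file and may not appear in the oinstall member list, which is why the check reads both files.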

From the ITPUB blog, link: http://blog.itpub.net/9390331/viewspace-715044/. If you repost this article, please credit the source; otherwise legal liability will be pursued.

Reposted from: http://blog.itpub.net/9390331/viewspace-715044/
