Oracle system user$: Oracle operating system user groups

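Installing and maintaining Oracle software regularly involves working with operating system (OS) user groups. What began as just the oracle user and the dba group has grown to include the grid user and the ASM groups, which gives a sense of how quickly Oracle administration has changed.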

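The oinstall group

The oinstall group is one of the OS groups Oracle recommends creating. It should be created before the first Oracle software product is installed on the system. In principle the oinstall group should own the Oracle software product directories (for example $CRS_HOME and $ORACLE_HOME) and the Oracle Inventory directory, which records the Oracle products that have been installed on the system.

If Oracle software is already installed on the system, the group that owns the existing Oracle Inventory directory must be the primary group of any user that will install new Oracle software products.

The group that owns the existing Oracle Inventory can be read from the /etc/oraInst.loc location file: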

inventory_loc=/u01/app/oracle/oraInventory

inst_group=oinstall

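If the /etc/oraInst.loc location file does not exist (on a few platforms it is in a different location), create the oinstall group. In a RAC environment, keep the group's gid identical on every node:

# /usr/sbin/groupadd -g GID oinstall

OSDBA group (dba)

OSDBA is a system DBA group (dba) that must be created; without it we cannot install the database software or perform database administration tasks.

OSOPER group (oper)

OSOPER is an additional group (oper) that we can choose whether or not to create. Creating it allows OS users to exercise certain database administration privileges (including the SYSOPER role privileges).

Note that the SYSOPER privileges include startup and shutdown, so add members to this group with care.

To create the OSOPER group: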

# /usr/sbin/groupadd oper

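In summary, in a single-instance environment the Oracle software owner (commonly oracle or orauser) should be a member of the oinstall, dba and oper groups, and its primary group must be oinstall.

Selecting Privileged Operating System Groups in Oracle Database 11g release 2

In an 11.2 GI/CRS environment the database software owner (oracle or orauser) must also be a member of the asmdba group.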

usermod -g oinstall -G dba,oper,asmdba [oracle|orauser]

id oracle

uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),701(asmdba),54324(oper)

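Note that both the OSDBA and OSOPER groups are affected by the $ORACLE_HOME/rdbms/lib/config.c source file, which defines the defaults SS_DBA_GRP "dba" and SS_OPER_GRP "oper". The contents of that source file are as follows: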

/* Refer to the Installation and User's Guide for further information. */

/* IMPORTANT: this file needs to be in sync with

rdbms/src/server/osds/config.c, specifically regarding the

number of elements in the ss_dba_grp array.

*/

#define SS_DBA_GRP "dba"

#define SS_OPER_GRP "oper"

#define SS_ASM_GRP ""

char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP, SS_ASM_GRP};

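In 11g release 2 Oracle recommends managing Grid Infrastructure and the ASM instance independently, so more OS groups are needed to support the different privilege assignments.

The three ASM groups commonly used with 11.2 GI are:

OSASM (asmadmin) group

If ASM is used, the OSASM (asmadmin) group must be created. Its members are granted the SYSASM privilege, which gives them the rights needed to administer Oracle Clusterware and Oracle ASM.

OSDBA for ASM (asmdba) group

Members of the OSDBA for ASM (asmdba) group are granted read and write access to ASM files. The GI/CRS owner and the owners of all Oracle database software must be members of this group, and all members of the OSDBA (dba) group must also be members of the asmdba group.

OSOPER for ASM (asmoper) group

Like OSOPER, asmoper is an additional, optional group. Creating it as a separate group lets you grant users a restricted set of ASM instance administration privileges (the SYSOPER role for ASM), which include starting and stopping the ASM instance. By default, members of the OSASM (asmadmin) group hold all of the SYSOPER ASM administration privileges.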
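The cross-group rules above can be checked directly against group data. The script below is an added example, not part of the original post; GROUP_DATA and the accounts alice, bob and carol are constructed, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example. GROUP_DATA is constructed sample data in /etc/group format;
# on a real host feed it from `getent group`.
# Limitation: /etc/group lists supplementary members only, so an account whose
# primary group is the audited group does not appear in its member list.
GROUP_DATA='oinstall:x:54321:
dba:x:54322:oracle,alice,bob
oper:x:54324:oracle,carol
asmadmin:x:700:grid
asmdba:x:701:grid,oracle,alice
asmoper:x:55000:grid'

# Print the members of group $1 as a space-separated list.
members_of() {
    printf '%s\n' "$GROUP_DATA" |
        awk -F: -v g="$1" '$1 == g { gsub(/,/, " ", $4); print $4 }'
}

# not_in GROUP USER...: print the listed accounts that are not members of GROUP.
not_in() {
    grp=$1; shift
    have=" $(members_of "$grp") "
    out=""
    for u in "$@"; do
        case "$have" in
            *" $u "*) ;;
            *) out="${out:+$out }$u" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Print members of group $1 that are absent from group $2.
missing_from() { not_in "$2" $(members_of "$1"); }

# Rule: every OSDBA (dba) member must also be a member of asmdba.
echo "dba members missing from asmdba: $(missing_from dba asmdba)"
# Rule: the GI owner and every database software owner must be in asmdba.
echo "software owners missing from asmdba: $(not_in asmdba grid oracle)"
# Accounts that can start and stop instances, listed for membership review.
echo "oper: $(members_of oper) | asmoper: $(members_of asmoper)"
```

With the sample data the first check reports bob, who holds dba without asmdba.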

In an 11.2 GI/CRS environment a grid or griduser account is usually created to manage the GI software and the ASM instance. Create the grid user as follows:

useradd -g oinstall -G asmadmin,asmdba,asmoper grid

id grid

uid=54322(grid) gid=54321(oinstall) groups=54321(oinstall),700(asmadmin),701(asmdba),55000(asmoper)

| Software component | OS user | Primary group | Supplementary groups | Home directory | Oracle base / Oracle home |
|---|---|---|---|---|---|
| Grid Infrastructure | grid | oinstall | asmadmin,asmdba,asmoper | /home/grid | /u01/app/grid, /u01/app/11.2.0/grid |
| Oracle RAC | oracle | oinstall | dba,oper,asmdba | /home/oracle | /u01/app/oracle, /u01/app/oracle/product/11.2.0/dbhome_1 |
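The primary and supplementary group layout for the oracle and grid owners can be verified from `id` output and oraInst.loc. The script below is an added example, not part of the original post; the helper names are hypothetical and BAD_ID is a constructed non-conforming account.

```shell
#!/bin/sh
# Added example. The oraInst.loc content and the two conforming `id` lines are
# the values shown on this page; BAD_ID is constructed.
ORACLE_ID='uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),701(asmdba),54324(oper)'
GRID_ID='uid=54322(grid) gid=54321(oinstall) groups=54321(oinstall),700(asmadmin),701(asmdba),55000(asmoper)'
BAD_ID='uid=54323(orauser) gid=54322(dba) groups=54322(dba),54324(oper)'

# Print the inst_group value from an oraInst.loc-format file ($1).
inst_group_of() { sed -n 's/^inst_group=//p' "$1"; }

# Print the primary group name from a line of `id` output ($1).
primary_group_of() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# Print all group names from a line of `id` output ($1), comma separated.
groups_of() {
    printf '%s\n' "$1" | sed -n 's/.*groups=\([^ ]*\).*/\1/p' |
        sed 's/[0-9]*(\([^)]*\))/\1/g'
}

# check_owner ID_LINE INST_GROUP REQUIRED_CSV
# Returns 0 if the account conforms; otherwise prints the findings and returns 1.
check_owner() {
    findings=""
    pg=$(primary_group_of "$1")
    have=",$(groups_of "$1"),"
    [ "$pg" = "$2" ] || findings="primary group is '$pg', expected '$2'"
    for g in $(printf '%s' "$3" | tr ',' ' '); do
        case "$have" in
            *",$g,"*) ;;
            *) findings="${findings:+$findings; }missing group '$g'" ;;
        esac
    done
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

loc=$(mktemp)
printf 'inventory_loc=/u01/app/oracle/oraInventory\ninst_group=oinstall\n' > "$loc"
grp=$(inst_group_of "$loc"); rm -f "$loc"
check_owner "$ORACLE_ID" "$grp" "dba,oper,asmdba" && echo "oracle: OK"
check_owner "$GRID_ID" "$grp" "asmadmin,asmdba,asmoper" && echo "grid: OK"
check_owner "$BAD_ID" "$grp" "dba,oper,asmdba" || echo "orauser: does not conform"
```

On a real host, pass "$(id oracle)" and /etc/oraInst.loc instead of the embedded samples.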

For more detail, see the text below:

The OSDBA group (typically, dba)

You must create this group the first time you install Oracle Database software on the system. This group identifies operating system user accounts that have database administrative privileges (the SYSDBA privilege). If you do not create separate OSDBA, OSOPER and OSASM groups for the Oracle ASM instance, then operating system user accounts that have the SYSOPER and SYSASM privileges must be members of this group. The name used for this group in Oracle code examples is dba. If you do not designate a separate group as the OSASM group, then the OSDBA group you define is also by default the OSASM group.

To specify a group name other than the default dba group, then you must choose the Advanced installation type to install the software or start Oracle Universal Installer (OUI) as a user that is not a member of this group. In this case, OUI prompts you to specify the name of this group.

Members of the OSDBA group formerly were granted SYSASM privileges on Oracle ASM instances, including mounting and dismounting disk groups. This privileges grant is removed with Oracle Grid Infrastructure 11g release 2, if different operating system groups are designated as the OSDBA and OSASM groups. If the same group is used for both OSDBA and OSASM, then the privilege is retained.

The OSOPER group for Oracle Database (typically, oper)

This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of database administrative privileges (the SYSOPER privilege). By default, members of the OSDBA group also have all privileges granted by the SYSOPER privilege.

To use the OSOPER group to create a database administrator group with fewer privileges than the default dba group, then you must choose the Advanced installation type to install the software or start OUI as a user that is not a member of the dba group. In this case, OUI prompts you to specify the name of this group. The usual name chosen for this group is oper.

The Oracle Automatic Storage Management Group (typically asmadmin)

This is a required group. Create this group as a separate group if you want to have separate administration privilege groups for Oracle ASM and Oracle Database administrators. In Oracle documentation, the operating system group whose members are granted privileges is called the OSASM group, and in code examples, where there is a group specifically created to grant this privilege, it is referred to as asmadmin.

If you have multiple databases on your system, and use multiple OSDBA groups so that you can provide separate SYSDBA privileges for each database, then you should create a separate OSASM group, and use a separate user from the database users to own the Oracle Grid Infrastructure installation (Oracle Clusterware and Oracle ASM). Oracle ASM can support multiple databases.

Members of the OSASM group can use SQL to connect to an Oracle ASM instance as SYSASM using operating system authentication. The SYSASM privileges permit mounting and dismounting disk groups, and other storage administration tasks. SYSASM privileges provide no access privileges on an RDBMS instance.

The Oracle ASM Database Administrator group (OSDBA for ASM, typically asmdba)

Members of the Oracle ASM Database Administrator group (OSDBA for ASM) are granted read and write access to files managed by Oracle ASM. The Oracle Grid Infrastructure installation owner and all Oracle Database software owners must be a member of this group, and all users with OSDBA membership on databases that have access to the files managed by Oracle ASM must be members of the OSDBA group for ASM.

Members of the Oracle ASM Operator Group (OSOPER for ASM, typically asmoper)

This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of Oracle ASM instance administrative privileges (the SYSOPER for ASM privilege), including starting up and stopping the Oracle ASM instance. By default, members of the OSASM group also have all privileges granted by the SYSOPER for ASM privilege.

To use the Oracle ASM Operator group to create an ASM administrator group with fewer privileges than the default asmadmin group, then you must choose the Advanced installation type to install the software. In this case, OUI prompts you to specify the name of this group. In code examples, this group is asmoper.

An Oracle central inventory group, or oraInventory group (oinstall). Members who have the central inventory group as their primary group, are granted the OINSTALL permission to write to the oraInventory directory.

A single system privileges group that is used as the OSASM, OSDBA, OSDBA for ASM, and OSOPER for ASM group (dba), whose members are granted the SYSASM and SYSDBA privilege to administer Oracle Clusterware, Oracle ASM, and Oracle Database, and are granted SYSASM and OSOPER for ASM access to the Oracle ASM storage.

An Oracle grid installation for a cluster owner (grid), with the oraInventory group as its primary group, and with the OSASM group as the secondary group, with its Oracle base directory /u01/app/grid.

An Oracle Database owner (oracle) with the oraInventory group as its primary group, and the OSDBA group as its secondary group, with its Oracle base directory /u01/app/oracle.

/u01/app owned by grid:oinstall with 775 permissions before installation, and by root after the root.sh script is run during installation. This ownership and permissions enables OUI to create the Oracle Inventory directory, in the path /u01/app/oraInventory.

/u01 owned by grid:oinstall before installation, and by root after the root.sh script is run during installation.

/u01/app/11.2.0/grid owned by grid:oinstall with 775 permissions. These permissions are required for installation, and are changed during the installation process.

/u01/app/grid owned by grid:oinstall with 775 permissions before installation, and 755 permissions after installation.

/u01/app/oracle owned by oracle:oinstall with 775 permissions.

An Oracle central inventory group, or oraInventory group (oinstall), whose members that have this group as their primary group are granted permissions to write to the oraInventory directory.

A separate OSASM group (asmadmin), whose members are granted the SYSASM privilege to administer Oracle Clusterware and Oracle ASM.

A separate OSDBA for ASM group (asmdba), whose members include grid, oracle1 and oracle2, and who are granted access to Oracle ASM.

A separate OSOPER for ASM group (asmoper), whose members are granted limited Oracle ASM administrator privileges, including the permissions to start and stop the Oracle ASM instance.

An Oracle grid installation for a cluster owner (grid), with the oraInventory group as its primary group, and with the OSASM (asmadmin), OSDBA for ASM (asmdba) group as a secondary group.

Two separate OSDBA groups for two different databases (dba1 and dba2) to establish separate SYSDBA privileges for each database.

Two Oracle Database software owners (oracle1 and oracle2), to divide ownership of the Oracle database binaries, with the OraInventory group as their primary group, and the OSDBA group for their database (dba1 or dba2) and the OSDBA for ASM group (asmdba) as their secondary groups.

An OFA-compliant mount point /u01 owned by grid:oinstall before installation.

An Oracle base for the grid installation owner /u01/app/grid owned by grid:oinstall with 775 permissions, and changed during the installation process to 755 permissions.

An Oracle base /u01/app/oracle1 owned by oracle1:oinstall with 775 permissions.

An Oracle base /u01/app/oracle2 owned by oracle2:oinstall with 775 permissions.

A Grid home /u01/app/11.2.0/grid owned by grid:oinstall with 775 (drwxrwxr-x) permissions. These permissions are required for installation, and are changed during the installation process to root:oinstall with 755 permissions (drwxr-xr-x).

/u01/app/oraInventory. This path remains owned by grid:oinstall, to enable other Oracle software owners to write to the central inventory.
