Jul 22, 2009

acl

ACL - Fine-grained permissions -

Scenario 1:

Databases such as Oracle create files (exports, dumps, trace files and so on) on the database server. The OS account that starts the database therefore needs write permission on the directory tree it writes into. That ability should be exercised as part of the application, so it depends on where the application directories are located. Best practice is that these files are accessible to, and even owned by, the application owner rather than the database account.

Use ACLs to resolve this. In a nutshell, the files generated by the database are owned by the application owner and group, and the oracle user (or an oracle group) is given read/write/execute permission on the underlying directory through an ACL entry. On Solaris, also ensure the setgid bit is set on the directory. This ensures that files created in it adopt the group of the directory rather than the primary group of the creating process; it does not propagate the ACL entry itself.

unix> chmod g+s dirname
unix> chmod A+group:grpname:read_data/write_data/execute:allow dirname

where grpname is the group the database OS account runs as (use user:oracle instead of group:grpname to grant a single account). The entry as written applies to dirname only; to have new files and subdirectories pick up the same entry, add the file_inherit/dir_inherit inheritance flags before allow. Verify the result with ls -dv dirname.

When dealing with a hierarchical file structure, the database process needs search (execute) permission on every directory in the path, so every directory from the top of the application tree down to the one written to must be included. The ancestors only need execute (search), not write.

Warning 1:

If you change the mode bits afterwards (chmod g+w, chmod 750 and so on), the ACL entries may be rewritten or dropped. On ZFS this behaviour is governed by the dataset's aclmode property (groupmask by default; discard and passthrough are the alternatives). Set ownership and mode bits first, add the ACL entries last, and re-check with ls -dv after any later chmod.
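As an added example (not part of the original post), the following POSIX sh script applies the whole procedure to a directory path on Solaris: it gives each directory to the application group, sets the setgid bit, grants the database group read/write/execute with file_inherit/dir_inherit on the directory it writes into, and grants only execute (search) on the ancestors, adding each ACL entry after the mode-bit changes so the warning above does not bite. The group names appgrp and dba and the paths under /u01/app are assumed. It defaults to printing the commands (DRY_RUN=yes) so they can be reviewed before being run as root on the server.

```shell
#!/bin/sh
# Added example, not from the original post. The chmod A+... syntax is the
# Solaris (ZFS/NFSv4) ACL syntax used above; group names and paths are assumed.

APP_GROUP="appgrp"          # assumed: group that should own the app tree
DB_GROUP="dba"              # assumed: group the database process runs as
DRY_RUN="${DRY_RUN:-yes}"   # print commands instead of running them

# Print (dry run) or execute a command.
run() {
    if [ "$DRY_RUN" = "yes" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ACE for the directory the database writes into: read/write/execute, with
# file_inherit/dir_inherit so files and subdirectories created later get
# the same entry. The setgid bit alone only propagates the group owner.
leaf_ace() {
    echo "A+group:$1:read_data/write_data/execute:file_inherit/dir_inherit:allow"
}

# ACE for ancestor directories: execute (search) only, no inheritance, so the
# database can traverse the path but not create files there.
parent_ace() {
    echo "A+group:$1:execute:allow"
}

# Give one directory to the application group, set setgid, then add the ACE.
# The ACE is added last because a mode-bit chmod can rewrite existing ACEs.
secure_dir() {
    run chgrp "$APP_GROUP" "$1"
    run chmod g+s "$1"
    run chmod "$2" "$1"
}

# Apply to every directory from $2 (leaf) up to and including $1 (top).
# Both must be absolute paths without a trailing slash; a leaf outside top
# is rejected so the loop can never walk up to / and spin.
secure_hierarchy() {
    top="$1"; leaf="$2"
    case "$leaf" in
        "$top"|"$top"/*) ;;
        *) echo "error: $leaf is not under $top" >&2; return 1 ;;
    esac
    secure_dir "$leaf" "$(leaf_ace "$DB_GROUP")"
    d="$leaf"
    while [ "$d" != "$top" ]; do
        d=$(dirname "$d")
        secure_dir "$d" "$(parent_ace "$DB_GROUP")"
    done
}

# Usage: review the dry run, then run again with DRY_RUN=no as root on the
# server and check the result with: ls -dv /u01/app/oracle/exports
secure_hierarchy /u01/app /u01/app/oracle/exports
```

Only the leaf directory gets write permission and inheritance flags; the ancestors get a traverse-only entry, which is the least the database needs to reach the leaf. Keep the top of the tree tight: anything above it is left untouched on purpose.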