sudo configuration for grid

[stigger]

I'm helping out on a 11g install with grid control and I've been told that we need to configure sudo to allow oracle to run root scripts

Does anyone have any doco on exactly whats required as currently we've allowed the oracle user to switch to root and run anything which is not the greatest plan.

I've had a poke around but I can't find what Oracle actually recommend as a config for this.

Any ideas???

 

[karluk]

The only routine job function of an Oracle dba that needs to be done as root is running the script $ORACLE_HOME/root.sh at the end of software installations and patches. You could set up /etc/sudoers to allow execution of only this one command and most likely that is all that your dba would ever need.

Please note, however, that if your dba is determined to subvert security, you probably haven't accomplished anything by restricting him or her to just the one command. As oracle, the dba could replace the standard root.sh script with a customized script containing any commands whatsoever and be able to execute them as root.

 

[stigger]

Yeah that's my worry. There's a lot of entries on the grid control configuration that goes on about sudo configuration, but nowhere can I actually find any information on what oracle requires that to be within Solaris...