ASMCMD privileges in Grid Infrastructure

Now I’m not sure if this is a bug or just my unrealistic expectations (Oracle Support are currently considering it) but I thought I’d throw it out to see if anyone else has an opinion. I’ve seen the same behaviour on Linux and AIX.

We have installed Grid Infrastructure using a software owner of “oracle” with a GID of “oinstall”. This is the group depicted in the documentation:

http://download.oracle.com/docs/cd/E11882_01/install.112/e10814/preaix.htm#BABGBGGI

We’ve also created the ASM OS groups (“asmadmin”, “asmdba” & “asmoper”) as depicted in the link above. My user account is a DBA account but not necessarily one that should make changes in ASM. Therefore it looks like this.

id
uid=10024(neiljohnson) gid=501(staff) groups=201(dba),204(asmdba)

I can successfully log into SQL*Plus as SYSDBA for a database and OSDBA for ASM. All is good. So then I tried to go into ASMCMD.

+ASM1%> asmcmd -p
-bash: /u01/app/11.2.0/grid/bin/asmcmd: Permission denied

Checking the permissions, we can see that only “oracle” or users with “oinstall” can execute ASMCMD.

ls -l /u01/app/11.2.0/grid/bin/asmcmd /u01/app/11.2.0/grid/bin/sqlplus
-rwxr-x--- 1 oracle oinstall 5311 Mar 17 2009 /u01/app/11.2.0/grid/bin/asmcmd
-rwxr-x--x 1 oracle oinstall 45768172 Jan 11 10:22 /u01/app/11.2.0/grid/bin/sqlplus

I got straight to thinking that something must have gone wrong but after a bit of digging around found the following line in a log file.

./cfgtoollogs/oui/installActions2010-03-04_12-13-41PM.log:INFO: chmod 0750 bin/amdu bin/setasmgid bin/rename bin/fmputl bin/fmputlhp bin/asmcmd

So, it looks like it’s intentional. There’s also another mention of an old favourite (setasmgid) too.
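Why the two binaries behave differently for this account can be checked mechanically. The following is an added example, not part of the original post or of any Oracle tooling: it reads `ls -l` lines and reports which single permission class (owner, group or other) applies to a user and whether that class carries the execute bit. The function names `audit_exec` and `report` are hypothetical, and it assumes a non-root user, no ACLs and paths without spaces.

```shell
# audit_exec USER "GROUP LIST" < ls-l-output
# For each `ls -l` line, print "<path> <class> <allowed|denied>", where class
# is the one permission triplet consulted for that user.
# Assumptions: non-root user, no ACLs, paths without spaces.
audit_exec() (
    user=$1
    groups=$2
    while read -r mode _links owner group _rest; do
        [ -n "$group" ] || continue
        path=${_rest##* }              # last field of the ls -l line
        # Default to "other"; a group match overrides it, an owner match
        # overrides both. There is no fall-through between classes.
        class=other
        pos=10
        for g in $groups; do
            if [ "$g" = "$group" ]; then class=group; pos=7; fi
        done
        if [ "$user" = "$owner" ]; then class=owner; pos=4; fi
        # Character at $pos of the mode string is that class's execute flag.
        bit=$(printf '%s' "$mode" | cut -c"$pos")
        case $bit in
            x|s|t) verdict=allowed ;;  # s and t mean x is set as well
            *)     verdict=denied ;;
        esac
        echo "$path $class $verdict"
    done
)

# Constructed input: the two ls -l lines shown in the post.
SAMPLE='-rwxr-x--- 1 oracle oinstall 5311 Mar 17 2009 /u01/app/11.2.0/grid/bin/asmcmd
-rwxr-x--x 1 oracle oinstall 45768172 Jan 11 10:22 /u01/app/11.2.0/grid/bin/sqlplus'

# report USER "GROUP LIST": run the audit over the sample lines.
report() { printf '%s\n' "$SAMPLE" | audit_exec "$1" "$2"; }

# The account from the post: in staff, dba and asmdba, but not oinstall.
report neiljohnson "staff dba asmdba"
```

On a live system, the same function can be fed from `ls -l` over the Grid home `bin` directory, with the user's group names taken from `id -Gn`.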

I’ll update this post once I know the reason for the behaviour.

Update October 5th 2010 - Oracle Support have finally responded to say that this is expected behaviour; however, they have opened an enhancement request to allow users other than the software owner to use ASMCMD.


4 thoughts on “ASMCMD privileges in Grid Infrastructure”

  1. Pingback: Blogroll Report 16/07/2010 – 23/07/2010 « Coskan’s Approach to Oracle

  2. Hi Neil, love the blog; Mark@TSYS put me onto it…. I shall be an avid reader as I know Pawel and yourself (And have heard about Martin too from Mark) :-)

    In a slightly/kinda/related(ish) way to your post, have you looked at the way ownership of groups of nodes can be split up in Server Pools in 11.2 RAC using the Access Control Lists? Kinda neat… I’m having a big play with Server Pools at the moment and they are indeed the Mutts Nutts…

    -Bob

    • Hi Bob,
      I haven’t looked into Server Pools yet. Our approach to 11.2 has been very cautious due to its short life so far, hence we’ve tried to avoid anything too cutting edge where possible. Keep me posted with your research though – any experience of 11.2 you have will be of interest.

  3. Hi man, if you don’t want to use OS user GRID (or can’t), you can use the following workaround:

    cd /perl
    chmod -R 750 bin lib man    # Original permissions are 700
    cd /lib
    chmod 750 libexpat.so.1     # Original permissions are 600

    Greetings from Argentina.
    Daniel.
