
I have an nfs mount created on a Linux server, and a process that is creating directories and files dynamically as it runs. As expected, the directories have an owner:group of nobody:nogroup.

The issue is that the default umask is yielding permissions like this:

drwxr-x--- 2 nobody nogroup 4096 Sep  6 20:17 /shares/dra/rman/ORCL/mtd_inputs_2024-08-27/scott/datafile

That directory is created by a client on another Linux server, by an Oracle RMAN job. It later invokes an Oracle DDL command to create an Oracle Directory object, that allows Oracle to access that Linux directory.

I am getting errors when the RMAN tries to access directories in that hierarchy. When googled, those errors have some hits on Oracle support, including this note. That note leads me to think that perhaps the Oracle Directory object can't access the directories since there is no "world" access.

The directories are created dynamically during the RMAN job so I can't change permissions in advance.

The task is a long-running one, and right toward the end, it creates a new directory and apparently a child process attempts to access it, and I'm pretty sure it is due to the directory permissions.

Is there a way to change the default umask to yield directory permissions to be 777 for the nobody user ID? I can't change it on the client user ID.

The entry for nobody in /etc/passwd shows a non-existent home directory and /usr/sbin/nologin shell:

Prompt> grep nobody /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

Versions:

Prompt> uname -a
Linux project01 4.19.0-26-amd64 #1 SMP Debian 4.19.304-1 (2024-01-09) x86_64 GNU/Linux
Prompt> cat /etc/debian_version
10.13

The client is running Oracle Linux Server release 7.9.

Update: My entry for the server in question in /etc/exports looks like this:

Prompt> grep /shares/dra /etc/exports
/shares/dra exampledev01(rw,sync,no_subtree_check,all_squash,anonuid=65534,anongid=65534) 
Comments:

  • Mark, these two statements have me confused: "That directory is created by a client on another Linux server, by an Oracle RMAN job." and "I am getting errors when the RMAN tries to access directories in that hierarchy." ... are you saying that it can create the files/directories, but not access them later on? Commented Sep 6, 2024 at 21:40
  • And what are your security requirements, would it be ok to add an all_squash to the appropriate line in /etc/exports? What does exports look like atm? Commented Sep 6, 2024 at 21:41
  • Ugh my /etc/exports looks like a spilled plate of spaghetti. I'll have to research it some more. Thanks! Commented Sep 6, 2024 at 22:29
  • Added my /etc/exports; it does have all_squash and hopefully I clarified the process flow. Commented Sep 6, 2024 at 22:46
  • @tink Being able to create files/directories but not access them later is a fairly common side effect of the all_squash NFS export option: it forces the ownership of all files to nobody:nogroup, even if the client user is not nobody nor a member of the nogroup group. If the umask precludes world-access (like the default umask of Oracle Enterprise Manager/GridControl), it results in files that are inaccessible to the client user after initial write. Commented Sep 6, 2024 at 23:47

1 Answer

Since you have all_squash to nobody:nogroup in effect over NFS, and cannot change the umask at the client, I think the only remaining option would be to set a default ACL on the directory in which the dynamic directories are created.

The required command would be like this:

setfacl -m d:g:nogroup:rwx,d:o:rwx /shares/dra/rman/ORCL

You would need to run this command on the NFS server. If successful, any new regular files in the directory will get permissions -rw-rw-rw-+ and directories drwxrwxrwx+. The + sign denotes the ACL in effect; it will be visible on the NFS server, but might not be seen on the NFS clients.
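The permission arithmetic behind the answer above, as an added example that is not part of the original post: a small model of the POSIX default-ACL creation rules from acl(5), contrasted with plain umask handling. The umask of 027, the parent directory mode of 0750 and the function names are assumptions; it also assumes the create request reaches the server with the full 0777/0666 mode.

```python
def parse_default_acl(spec, parent_mode):
    """Model the default ACL that `setfacl -m SPEC` leaves on a directory."""
    bits = lambda p: sum(v for c, v in zip("rwx", (4, 2, 1)) if c in p)
    # setfacl copies any missing base entry from the directory's own mode bits
    # (parent_mode is an assumed value, the page does not show it).
    acl = {"user::": parent_mode >> 6 & 7,
           "group::": parent_mode >> 3 & 7,
           "other::": parent_mode & 7}
    for entry in spec.split(","):
        parts = entry.split(":")
        tag = parts[1][:1] if len(parts) in (3, 4) else ""
        if parts[0] not in ("d", "default") or tag not in ("u", "g", "o"):
            raise ValueError(f"unsupported default ACL entry: {entry!r}")
        qualifier = parts[2] if len(parts) == 4 else ""
        if tag == "o":
            key = "other::"
        else:
            key = ("user" if tag == "u" else "group") + f":{qualifier}:"
        acl[key] = bits(parts[-1])
    # The mask is recomputed as the union of the group class
    # (owning group plus every named user and named group entry).
    acl["mask::"] = 0
    for key, perms in list(acl.items()):
        if key not in ("user::", "other::", "mask::"):
            acl["mask::"] |= perms
    return acl


def new_object_mode(requested, umask, default_acl=None):
    """Mode bits that ls shows for a newly created file or directory."""
    if default_acl is None:
        # No default ACL on the parent: the creator's umask is applied.
        return requested & ~umask & 0o777
    # Default ACL present: the umask is ignored and each class is limited
    # to the requested mode; the group bits of the mode show the mask.
    owner = default_acl["user::"] & (requested >> 6)
    group = default_acl["mask::"] & (requested >> 3)
    other = default_acl["other::"] & requested
    return (owner & 7) << 6 | (group & 7) << 3 | (other & 7)


if __name__ == "__main__":
    acl = parse_default_acl("d:g:nogroup:rwx,d:o:rwx", 0o750)  # spec from the answer
    for label, requested in (("directory", 0o777), ("file", 0o666)):
        print(label,
              "umask only:", oct(new_object_mode(requested, 0o027)),
              "default ACL:", oct(new_object_mode(requested, 0o027, acl)))
```

Dropping `d:o:rwx` from the spec leaves the inherited "other" bits at whatever the parent directory has, which shows how much of the result comes from each entry.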
