External Jobs and Non-Privileged Users
On UNIX, external jobs owned by the privileged user SYS are run with the privileges of the
ORACLE software owner—usually the UNIX user oracle. The execution of external jobs owned
by database users other than SYS is enabled by default. It is undocumented which UNIX user is
used to run these external jobs. Users who have neither the privilege SYSDBA nor the role DBA
require the system privileges CREATE JOB and CREATE EXTERNAL JOB to successfully create and run
external jobs. Thus, to create a new user EXTJOB with just enough privileges to run external
jobs, the following SQL statements may be used:
SQL> CREATE USER extjob IDENTIFIED BY secret;
SQL> GRANT CONNECT TO extjob;
SQL> GRANT CREATE JOB TO extjob;
SQL> GRANT CREATE EXTERNAL JOB TO extjob;
When called without arguments, the UNIX program id displays the user name and group
set of the current user. This program may be used to find out which UNIX user is used to run
external programs by non-privileged users. Calling a shell script that redirects the output of id
to standard error for capture by the scheduler yields the following:
SQL> SELECT additional_info
FROM all_scheduler_job_run_details
WHERE log_id=(SELECT max(log_id) FROM all_scheduler_job_run_details);
ADDITIONAL_INFO
--------------------------------------------------------------------------------
STANDARD_ERROR="uid=99(nobody) gid=99(nobody) groups=800(oinstall),801(dba)"
The UNIX user and group nobody are used. For this reason, the existence of the UNIX user
nobody is an installation prerequisite mentioned in installation guides for the ORACLE DBMS.
Oracle10g Release 2 UNIX installation guides incorrectly state that the program
$ORACLE_HOME/bin/extjob must be owned by nobody. When this is the case, external jobs fail
with the following error message in ALL_SCHEDULER_JOB_RUN_DETAILS.ADDITIONAL_INFO:
ADDITIONAL_INFO
--------------------------------------------------------------------------------
ORA-27369: job of type EXECUTABLE failed with exit code: 274662
STANDARD_ERROR="Oracle Scheduler error: Config file is not owned by root or is
writable by group or other or extjob is not setuid and owned by root"
The “config file” mentioned in the error message refers to the file externaljob.ora, which
is located in the directory $ORACLE_HOME/rdbms/admin. This file is undocumented in Oracle10g
and is partially documented in Oracle Database Administrator's Guide 11g Release 1. It must be
owned by root and must be writable only by the owner:
$ ls -l $ORACLE_HOME/rdbms/admin/externaljob.ora
-rw-r----- 1 root oinstall 1534 Dec 22 2005 /opt/oracle/product/db10.2/rdbms/admin/externaljob.ora
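The ownership and mode conditions named in the error message above can be checked before any external job is scheduled. The following script is an added example, not code from the book or from Oracle; the function names and the optional owner argument (useful for trying the checks on copies of the files) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not Oracle code): checks the conditions named in the
# scheduler error message for externaljob.ora and extjob.

# owner_is FILE OWNER: true if FILE belongs to OWNER (name or numeric uid)
owner_is() {
    [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

# go_writable FILE: true if FILE is writable by group or other
go_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# is_setuid FILE: true if the setuid bit is set on FILE
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 -print 2>/dev/null)" ]
}

# check_config FILE [OWNER]: config file must be owned by OWNER (default
# root) and writable by the owner only.
check_config() {
    owner=${2:-root}
    [ -f "$1" ] || { echo "FAIL: $1 not found"; return 1; }
    owner_is "$1" "$owner" || { echo "FAIL: $1 not owned by $owner"; return 1; }
    if go_writable "$1"; then
        echo "FAIL: $1 is writable by group or other"; return 1
    fi
    echo "OK: $1"
}

# check_extjob FILE [OWNER]: extjob must be owned by OWNER (default root)
# and carry the setuid bit.
check_extjob() {
    owner=${2:-root}
    [ -f "$1" ] || { echo "FAIL: $1 not found"; return 1; }
    owner_is "$1" "$owner" || { echo "FAIL: $1 not owned by $owner"; return 1; }
    is_setuid "$1" || { echo "FAIL: $1 is not setuid"; return 1; }
    echo "OK: $1"
}

# Audit the two paths given on the page when ORACLE_HOME is set.
if [ -n "${ORACLE_HOME:-}" ]; then
    check_config "$ORACLE_HOME/rdbms/admin/externaljob.ora" || true
    check_extjob "$ORACLE_HOME/bin/extjob" || true
fi
```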