ACFS Security Ignores Rules when user not part of realm (Doc ID 1583193.1)

Last updated on SEPTEMBER 10, 2013

Applies to:

Oracle Database - Enterprise Edition - Version 11.2.0.2 and later
Information in this document applies to any platform.

Symptoms

 Using ACFS security to protect the Oracle wallet.  

Security was set up as follows with a rule that allows only the oracle executable access to the wallet:

security admin: myadm [20038]
security group: sec-admin [1006]
oracle owner: oracle [500]
oracle group: oinstall [500]

acfsutil sec prepare -m /opt/oracle/acfsmounts/data_tde_volume
acfsutil sec realm create TDEWalletRealm -m /opt/oracle/acfsmounts/data_tde_volume -d "Wallet Realm" -e off
acfsutil sec rule create allowOracleRule -m /opt/oracle/acfsmounts/data_tde_volume -t application /u01/app/oracle/product/11.2.0.2/dbhome_1/bin/oracle -o ALLOW
acfsutil sec ruleset create TDEWalletRuleSet -m /opt/oracle/acfsmounts/data_tde_volume
acfsutil sec ruleset edit TDEWalletRuleSet -m /opt/oracle/acfsmounts/data_tde_volume -a allowOracleRule -o ANY_TRUE
acfsutil sec realm add TDEWalletRealm -m /opt/oracle/acfsmounts/data_tde_volume -l ALL:TDEWalletRuleSet -f -r /opt/oracle/acfsmounts/data_tde_volume/orcl

Now as the oracle user if we do the following:
$> cd /opt/oracle/acfsmounts/data_tde_volume/orcl
$> ls -l
ls: .:  Permission denied

The log file in /opt/oracle/acfsmounts/data_tde_volume/orcl/.Security/log shows the following message:

08/28/13 15:10:12 UTC [uid: 500 gid: 500 Result: DENIED] Realm authorization failed for OPEN on file 'orcl'

The only way that the database can open the wallet is to disable ACFS security.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms