ACFS Security Ignores Rules when user not part of realm
Last updated on SEPTEMBER 10, 2013
Applies to: Oracle Database - Enterprise Edition - Version 22.214.171.124 and later
Information in this document applies to any platform.
Using ACFS security to protect the Oracle wallet.
Security was set up as follows, with a rule that allows only the oracle executable to access the wallet:
security admin: myadm 
security group: sec-admin 
oracle owner: oracle 
oracle group: oinstall 
acfsutil sec prepare -m /opt/oracle/acfsmounts/data_tde_volume
acfsutil sec realm create TDEWalletRealm -m /opt/oracle/acfsmounts/data_tde_volume -d "Wallet Realm" -e off
acfsutil sec rule create allowOracleRule -m /opt/oracle/acfsmounts/data_tde_volume -t application /u01/app/oracle/product/126.96.36.199/dbhome_1/bin/oracle -o ALLOW
acfsutil sec ruleset create TDEWalletRuleSet -m /opt/oracle/acfsmounts/data_tde_volume
acfsutil sec ruleset edit TDEWalletRuleSet -m /opt/oracle/acfsmounts/data_tde_volume -a allowOracleRule -o ANY_TRUE
acfsutil sec realm add TDEWalletRealm -m /opt/oracle/acfsmounts/data_tde_volume -l ALL:TDEWalletRuleSet -f -r /opt/oracle/acfsmounts/data_tde_volume/orcl
Now, as the oracle user, if we do the following:
$> cd /opt/oracle/acfsmounts/data_tde_volume/orcl
$> ls -l
ls: .: Permission denied
The log file in /opt/oracle/acfsmounts/data_tde_volume/orcl/.Security/log shows the following message:
08/28/13 15:10:12 UTC [uid: 500 gid: 500 Result: DENIED] Realm authorization failed for OPEN on file 'orcl'
The only way that the database can open the wallet is to disable ACFS security.
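The DENIED line in the realm log is the signal to watch for when a realm has been configured without the identity that actually runs the database: the rule set is never evaluated for a user outside the realm, so the database owner itself is refused. The following parser and check is an added example, not code from this note or from Oracle; the line layout it expects is inferred from the single log line shown above, and every sample line other than that one is constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Layout inferred from the one line quoted in the note. This is an assumption
# about the ACFS security log format, not Oracle's documented specification.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>\w+) "
    r"\[uid: (?P<uid>\d+) gid: (?P<gid>\d+) Result: (?P<result>\w+)\] "
    r"(?P<msg>.*)$"
)
# Detail part of a denial message: which operation on which file was refused.
MSG_RE = re.compile(
    r"Realm authorization failed for (?P<op>\w+) on file '(?P<file>[^']*)'"
)


def parse_line(line):
    """Return a dict for one realm log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["uid"] = int(rec["uid"])
    rec["gid"] = int(rec["gid"])
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%y %H:%M:%S")
    detail = MSG_RE.search(rec["msg"])
    rec["op"] = detail.group("op") if detail else None
    rec["file"] = detail.group("file") if detail else None
    return rec


def denials_by_identity(lines):
    """Count DENIED results per (uid, gid); unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "DENIED":
            counts[(rec["uid"], rec["gid"])] += 1
    return counts


def owner_locked_out(lines, owner_uid):
    """True when the identity that should run the database is itself denied,
    which is the symptom in this note: the realm has no entry for the owner,
    so the ALLOW rule for the oracle executable is never consulted."""
    return any(uid == owner_uid for (uid, _gid) in denials_by_identity(lines))


SAMPLE_LOG = [
    # Line copied from the note.
    "08/28/13 15:10:12 UTC [uid: 500 gid: 500 Result: DENIED] "
    "Realm authorization failed for OPEN on file 'orcl'",
    # Constructed lines (same layout assumed): a second denial for the same
    # identity and one for an unrelated identity.
    "08/28/13 15:10:40 UTC [uid: 500 gid: 500 Result: DENIED] "
    "Realm authorization failed for OPEN on file 'ewallet.p12'",
    "08/28/13 15:11:03 UTC [uid: 1001 gid: 1001 Result: DENIED] "
    "Realm authorization failed for OPEN on file 'orcl'",
    "not a realm log line and should be skipped",
]

if __name__ == "__main__":
    for (uid, gid), n in denials_by_identity(SAMPLE_LOG).items():
        print(f"uid={uid} gid={gid} denied {n} time(s)")
    # uid 500 is the oracle owner in the constructed sample.
    print("oracle owner locked out:", owner_locked_out(SAMPLE_LOG, owner_uid=500))
```

Run it against the real log under the mount's .Security/log directory by reading the file into a list of lines; a hit from owner_locked_out for the database owner's uid means the realm membership, not the rule set, is what is refusing access.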