ACFS Security Ignores Rules when user not part of realm
(Doc ID 1583193.1)
Last updated on JANUARY 24, 2020
Applies to:Oracle Database - Enterprise Edition - Version 188.8.131.52 and later
Information in this document applies to any platform.
Using ACFS security to protect the Oracle wallet.
Security was set up as follows with a rule that allows only the oracle executable access to the wallet:
security admin: myadm 
security group: sec-admin 
oracle owner: oracle 
oracle group: oinstall 
acfsutil sec prepare -m /opt/oracle/acfsmounts/data_tde_volume
acfsutil sec realm create TDEWalletRealm -m /opt/oracle/acfsmounts/data_tde_volume -d "Wallet Realm" -e off
acfsutil sec rule create allowOracleRule -m /opt/oracle/acfsmounts/data_tde_volume -t application /u01/app/oracle/product/184.108.40.206/dbhome_1/bin/oracle -o ALLOW
acfsutil sec ruleset create TDEWalletRuleSet -m /opt/oracle/acfsmounts/data_tde_volume
acfsutil sec ruleset edit TDEWalletRuleSet -m /opt/oracle/acfsmounts/data_tde_volume -a allowOracleRule -o ANY_TRUE
acfsutil sec realm add TDEWalletRealm -m /opt/oracle/acfsmounts/data_tde_volume -l ALL:TDEWalletRuleSet -f -r /opt/oracle/acfsmounts/data_tde_volume/orcl
Now as the oracle user if we do the following:
$> cd /opt/oracle/acfsmounts/data_tde_volume/orcl
$> ls -l
ls: .: Permission denied
The log file in /opt/oracle/acfsmounts/data_tde_volume/orcl/.Security/log shows the following message:
08/28/13 15:10:12 UTC [uid: 500 gid: 500 Result: DENIED] Realm authorization failed for OPEN on file 'orcl'
The only way that the database can open the wallet is to disable ACFS security.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document