Privilege elevation requirements for Oracle EBS
The optional Privilege Elevation feature allows a non-privileged environment user (e.g., delphix_os) to gain the permissions of a privileged environment user (e.g., oravis) for operations on the staging or target environments. This configuration can be valuable to maximize an environment's security posture.
First, the Privilege Elevation script, dlpx_db_exec, must be created and uploaded onto the Delphix Continuous Data Engine. Then, the non-privileged environment user must be granted the appropriate sudo permissions.
Upload the privilege elevation script
Perform one of the following methods to upload the privilege elevation script:
a) CURL file upload method
Before running any of the following commands, update <CONTINUOUS-DATA-FQDN-or-IP>, <USERNAME>, and <PASSWORD> placeholder values.
Create a session with the Delphix Continuous Data Engine.
Also, update the version values for `major`, `minor`, and `micro` fields.
The correct values for your Delphix Continuous Data Engine version can be found in the API version information.
curl -i -c cookies.txt -X POST -H "Content-Type:application/json" https://<CONTINUOUS-DATA-FQDN-or-IP>/resources/json/delphix/session -d '{ "version":{ "major":1, "minor":11, "micro": 5, "type":"APIVersion" }, "type":"APISession" }'
Login to Delphix Continuous Data Engine as the `admin` user.
curl -i -c cookies.txt -b cookies.txt -X POST -H "Content-Type:application/json" https://<CONTINUOUS-DATA-FQDN-or-IP>/resources/json/delphix/login -d '{ "username":"<USERNAME>", "password":"<PASSWORD>", "type":"LoginRequest", "target":"DOMAIN" }'
Copy DLPX_DB_EXEC contents to the Delphix Continuous Data Engine.
curl -i -b cookies.txt -X POST -H "Content-Type:application/json" https://<CONTINUOUS-DATA-FQDN-or-IP>/resources/json/delphix/host/privilegeElevation/profileScript/HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-7 -d '{ "type": "HostPrivilegeElevationProfileScript", "contents": "#\n# Copyright (c) 2018 by Delphix. All rights reserved.\n#\n\n#\n# This script allows customization of command execution with an alternate user\n# account.\nif [[ $1 != -u* ]]; then\n echo \"Incorrect command line parameters, -u<optional user account> is required as the first parameter\"\n exit 1\nfi\nuser_id=`echo $1 | sed -e \"s\/^-u\/\/\"`\n\nshift 1\nif [[ $user_id != \"delphix_os\" ]]; then\ncommand=$(printf \"%s \" \"$@\")\nsudo su - $user_id -c \"$command\"\nelse\n$@\nfi\n" }'
Content of the DLPX_DB_EXEC Privilege Elevation Profile script (the same script that is uploaded in the request above):
# Copyright (c) 2024 by Delphix. All rights reserved.
# This script allows customization of command execution with an alternate user
# account.
# Arg $1 contains "-u<optional user account>" for the desired user under
# which database commands will be executed.
# By default this argument is ignored and the script is executed as the default
# account.
if [[ $1 != -u* ]]; then
    echo "Incorrect command line parameters, -u<optional user account> is required as the first parameter"
    exit 1
fi
# Strip the leading "-u" to obtain the account the command should run as.
user_id=`echo $1 | sed -e "s/^-u//"`
shift 1
if [[ $user_id != "delphix_os" ]]; then
    # Elevate: run the remaining arguments as one command under the requested
    # account. This is the call that the NOPASSWD sudoers entries below must allow.
    command=$(printf "%s " "$@")
    sudo su - $user_id -c "$command"
else
    # No elevation needed: run the command directly as the non-privileged user.
    "$@"
fi
Note: If the dlpx_db_exec script is updated after an environment has been added, refresh that environment to propagate the changes.
b) CLI method
For steps on creating a Privilege Elevation Profile, refer to CLI Cookbook: How to create or edit privilege elevation profiles and profile scripts.
Configure sudo privileges to grant Privilege Elevation
With Privilege Elevation, all EBS connector commands are run via the dlpx_db_exec script, and within this script the commands are run using `sudo`. In order to execute the connector commands as the high-privileged environment user, matching sudoers entries are required.
To add sudoers entries, edit the /etc/sudoers file. Run one of the following commands to open the sudoers file:
vi /etc/sudoers
# or
visudo
Note: Tools like `visudo` can be helpful in minimizing syntax errors, because the file is checked before it is saved.
Sudoers entry for Linux
Entries required for provisioning via low privileged user (delphix_os) on target EBS DB Tier.
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /bin/su - oravis -c /bin/mount, /bin/su - oravis -c /bin/umount, \
    /bin/su - oravis -c echo *, \
    /bin/su - oravis -c export *, \
    /bin/su - oravis -c test*mkdir*, \
    /bin/su - oravis -c test*touch*chmod 750*cat*, \
    /bin/su - oravis -c */EBS_kill/*, \
    /bin/su - oravis -c rm -f */test_status.tmp*, \
    /bin/su - oravis -c cp -f */dlpx_force_autoflush*; chmod 755 */dlpx_force_autoflush*, \
    /bin/su - oravis -c rm -f */dlpx_force_autoflush*, \
    /bin/su - oravis -c */*.env*bin/lsnrctl status*, \
    /bin/su - oravis -c */*.env*/*, \
    /bin/su - oravis -c rm -f /u01/oracle/VIS/*/.delphix_adpreclone.lck*, \
    /bin/su - oravis -c rm -rf */appsutil/clone/dbts*, \
    /bin/su - oravis -c touch /u01/oracle/VIS/*/.delphix_adpreclone.lck*, \
    /bin/su - oravis -c */bin/runInstaller -silent -detachHome*, \
    /bin/su - oravis -c export PATH* export PERL5LIB*perl -mdlpx_force_autoflush */ dbtechstack*, \
    /bin/su - oravis -c export PERL5LIB*perl -mdlpx_force_autoflush */ dbtechstack*, \
    /bin/su - oravis -c cd *; make -f*ioracle*, \
    /bin/su - oravis -c cd *; make -f dnfs_off*, \
    /bin/su - oravis -c rm -f *bak, /bin/su - oravis -c mv *, \
    /bin/su - oravis -c */*.env*sqlplus* as sysdba*, \
    /bin/su - oravis -c */*.env*perl */appsutil/clone/bin/ dbconfig*, \
    /bin/su - oravis -c */*.env*perl */appsutil/scripts/*/ database*, \
    /bin/su - oravis -c sed*sqlnet.ora*, /bin/su - oravis -c */*.env*sqlplus apps*, \
    /bin/su - oravis -c */*.env*; make -f *rdbms/lib/ dnfs_off*, \
    /bin/su - oravis -c */*.env*; ln -s *, /bin/mount, /bin/umount, /bin/ps, \
    /bin/mkdir, /bin/su - oravis -c source* -dboraclehome* perl**, \
    /bin/su - oravis -c */*.env*perl */appsutil/bin/ -contextfile*, \
    /bin/su - oravis -c */*.env* mkdir -p*, /bin/su - oravis -c chmod 775 *dbs*, \
    /bin/su - oravis -c chmod 6751 */bin/oracle*, \
    /bin/su - oravis -c cp **, \
    /bin/su - oravis -c chmod 755 */dlpx_force_autoflush*, \
    /bin/su - oravis -c umask*touch *source_apps_file.txt, \
    /bin/su - oravis -c mkdir -p*, /bin/su - oravis -c cp *pairsfile*, \
    /bin/su - oravis -c *perl -mdlpx_force_autoflush */*, \
    /bin/su - oravis -c *perl -mdlpx_force_autoflush */ dbtechstack*, \
    /bin/su - oravis -c touch */.delphix_adpreclone.lck*, \
    /bin/su - oravis -c rm -f */.delphix_adpreclone.lck*
Entries required for provisioning via low privileged user (delphix_os) on target EBS AppsTier.
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /bin/su - applvis -c echo *, \
    /bin/su - applvis -c rm *.dlpx_run_edition*, \
    /bin/su - applvis -c rm -f *dlpx_force_autoflush*, \
    /bin/su - applvis -c cd *echo *dlpx_force_autoflush*, \
    /bin/su - applvis -c export PATH* export PERL5LIB* cd *perl -mdlpx_force_autoflush ./ AppsTier*, \
    /bin/su - applvis -c */rsync*, /bin/su - applvis -c test*mkdir*, /bin/su - applvis -c test*touch*chmod 750*cat*, \
    /bin/su - applvis -c */EBS_kill/*, /bin/su - applvis -c rm -f */test_status.tmp*, /bin/su - applvis -c */*.env* sqlplus -s *apps*, \
    /bin/su - applvis -c */*, /bin/su - applvis -c */*, \
    /bin/su - applvis -c */*.env* cd **, \
    /bin/su - applvis -c export PATH* export PERL5LIB* cd *perl -mdlpx_force_autoflush ./ AppsTier*, \
    /bin/su - applvis -c *perl -mdlpx_force_autoflush */ addnode contextfile*pairsfile*outfile*, \
    /bin/su - applvis -c **, /bin/su - applvis -c **, \
    /bin/su - applvis -c **, /bin/su - applvis -c */*.env* cd *perl -mdlpx_force_autoflush ./*contextfile*action*updateAdminPassword*, \
    /bin/su - applvis -c */bin/runInstaller -silent -detachHome*, /bin/su - applvis -c rm -rf */inst/apps/*, /bin/su - applvis -c rm -rf *FMW_Home*, \
    /bin/su - applvis -c rm -rf *fs*, \
    /bin/su - applvis -c find*exec rm -rf *, \
    /bin/su - applvis -c cp */inst/apps/*appl/admin* */inst/apps/*, \
    /bin/su - applvis -c */*EBSapps.env*perl */patch/115/bin/*contextfile*configoption*oacore*oafm*forms*formsc4ws*, \
    /bin/su - applvis -c rsync -aH --delete --ignore-errors */EBSapps/ */EBSapps/*, \
    /bin/su - applvis -c rm */serviceStartfile.tmp*, /bin/su - applvis -c rm -rf */change_apps_password*, \
    /bin/su - applvis -c mkdir -p */change_apps_password*, /bin/su - applvis -c */*.env* run; cd */change_apps_password*/fnd/12.0.0/bin/FNDCPASS*apps*system*SYSTEM APPLSYS*, \
    /bin/su - applvis -c */*.env* sqlplus *apps*, \
    /bin/su - applvis -c */*.env* rm -f */*cat */*, \
    /bin/su - applvis -c */*.env*/*, \
    /bin/su - applvis -c */*.env* rm -f */*cat**, \
    /bin/su - applvis -c */*.env* run; */wlserver_10.3/common/bin/ */*, \
    /bin/su - applvis -c */*.env*; */wlserver_10.3/common/bin/ */*, \
    /bin/su - applvis -c *lsof*, /bin/su - applvis -c *sed *, \
    /bin/su - applvis -c */*.env*;* status*, \
    /bin/mount, /bin/umount, /bin/ps, /bin/su - applvis -c find*, \
    /bin/su - applvis -c cp **, \
    /bin/su - applvis -c *perl -mdlpx_force_autoflush ./ AppsTier*, \
    /bin/su - applvis -c cat**, /bin/su - applvis -c cat**, \
    /bin/su - applvis -c mkdir -p */pairsdir*, \
    /bin/su - applvis -c export PERL5LIB* cd *perl -mdlpx_force_autoflush * AppsTier*, \
    /bin/su - applvis -c mv *scratch_file* *, \
    /bin/su - applvis -c pmap -r*, \
    /bin/su - applvis -c */*.env* patch; */wlserver_10.3/common/bin/ */*
Entries required for provisioning via low privileged user (delphix_os) on source EBS DB Tier.
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /bin/su - oravis -c echo *, \
    /bin/su - oravis -c rm -f */dlpx_force_autoflush*, \
    /bin/su - oravis -c cp -f */dlpx_force_autoflush*; chmod 755 */dlpx_force_autoflush*, \
    /bin/su - oravis -c rm -rf */appsutil/clone/dbts*, \
    /bin/su - oravis -c export PERL5LIB*perl -mdlpx_force_autoflush */ dbTier*, \
    /bin/su - oravis -c */rsync*, /bin/su - oravis -c test*mkdir*, \
    /bin/su - oravis -c test*touch*chmod 750*cat*, \
    /bin/su - oravis -c */EBS_kill/*, \
    /bin/su - oravis -c rm -f */test_status.tmp*, \
    /bin/ps, /bin/su - oravis -c cp **, \
    /bin/su - oravis -c chmod 755 */dlpx_force_autoflush*
Entries required for provisioning via low privileged user (delphix_os) on source EBS AppsTier.
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /bin/su - applvis -c echo *, \
    /bin/su - applvis -c rm *.dlpx_run_edition*, \
    /bin/su - applvis -c rm -f */dlpx_force_autoflush*, \
    /bin/su - applvis -c cd *echo *dlpx_force_autoflush*, \
    /bin/su - applvis -c export PATH* export PERL5LIB* cd *perl -mdlpx_force_autoflush ./ AppsTier*, \
    /bin/su - applvis -c */rsync*, /bin/su - applvis -c test*mkdir*, \
    /bin/su - applvis -c test*touch*chmod 750*cat*, \
    /bin/su - applvis -c */EBS_kill/*, \
    /bin/su - applvis -c rm -f */test_status.tmp*, \
    /bin/su - applvis -c *.env* sqlplus -s apps*, \
    /bin/su applvis -c *.env* sqlplus -s apps*, \
    /bin/su - applvis -c */*.env*echo* status -nopromptmsg*, \
    /bin/ps, /bin/su - applvis -c cp **, \
    /bin/su - applvis -c export PERL5LIB* cd *perl -mdlpx_force_autoflush */ AppsTier*
Sudoers entry for Solaris
Entries required for provisioning via low privileged user (delphix_os) on source EBS DB Tier.
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /usr/bin/su - oravis -c echo *, \
    /usr/bin/su - oravis -c rm -f */dlpx_force_autoflush*, \
    /usr/bin/su - oravis -c cp -f */dlpx_force_autoflush*; chmod 755 */dlpx_force_autoflush*, \
    /usr/bin/su - oravis -c rm -rf */appsutil/clone/dbts*, \
    /usr/bin/su - oravis -c export PERL5LIB*perl -mdlpx_force_autoflush */ dbTier*, \
    /usr/bin/su - oravis -c */rsync*, /usr/bin/su - oravis -c test*mkdir*, \
    /usr/bin/su - oravis -c test*touch*chmod 750*cat*, \
    /usr/bin/su - oravis -c */EBS_kill/*, \
    /usr/bin/su - oravis -c rm -f */test_status.tmp*, /bin/ps, \
    /usr/bin/su - oravis -c cp **, \
    /usr/bin/su - oravis -c chmod 755 */dlpx_force_autoflush*
Entries required for provisioning via low privileged user (delphix_os) on source EBS AppsTier.
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /usr/bin/su - oravis -c echo *, \
    /usr/bin/su - oravis -c rm *.dlpx_run_edition*, \
    /usr/bin/su - oravis -c rm -f */dlpx_force_autoflush*, \
    /usr/bin/su - oravis -c cd *echo *dlpx_force_autoflush*, \
    /usr/bin/su - oravis -c export PATH* export PERL5LIB* cd *perl -mdlpx_force_autoflush ./ AppsTier*, \
    /usr/bin/su - oravis -c */rsync*, \
    /usr/bin/su - oravis -c test*mkdir*, \
    /usr/bin/su - oravis -c test*touch*chmod 750*cat*, \
    /usr/bin/su - oravis -c */EBS_kill/*, \
    /usr/bin/su - oravis -c rm -f */test_status.tmp*, \
    /usr/bin/su - oravis -c *.env* sqlplus -s apps*, /usr/bin/su oravis -c *.env* sqlplus -s apps*, \
    /usr/bin/su - oravis -c */*.env*echo* status -nopromptmsg*, /bin/ps, \
    /usr/bin/su - oravis -c cp **, \
    /usr/bin/su - oravis -c export PERL5LIB* cd *perl -mdlpx_force_autoflush */ AppsTier*
Entries required for provisioning via low privileged user (delphix_os) on target EBS DB Tier.
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /usr/bin/su - oravis -c /usr/sbin/mount, \
    /usr/bin/su - oravis -c /usr/sbin/umount, \
    /usr/bin/su - oravis -c echo *, \
    /usr/bin/su - oravis -c export *, \
    /usr/bin/su - oravis -c test*mkdir*, \
    /usr/bin/su - oravis -c test*touch*chmod 750*cat*, \
    /usr/bin/su - oravis -c */EBS_kill/*, \
    /usr/bin/su - oravis -c rm -f */test_status.tmp*, \
    /usr/bin/su - oravis -c cp -f */dlpx_force_autoflush*; chmod 755 */dlpx_force_autoflush*, \
    /usr/bin/su - oravis -c rm -f */dlpx_force_autoflush*, \
    /usr/bin/su - oravis -c */*.env*bin/lsnrctl status*, \
    /usr/bin/su - oravis -c */*.env*/*, \
    /usr/bin/su - oravis -c rm -f */.delphix_adpreclone.lck*, \
    /usr/bin/su - oravis -c rm -rf */appsutil/clone/dbts*, \
    /usr/bin/su - oravis -c touch */.delphix_adpreclone.lck*, \
    /usr/bin/su - oravis -c */bin/runInstaller -silent -detachHome*, \
    /usr/bin/su - oravis -c export PATH* export PERL5LIB*perl -mdlpx_force_autoflush */ dbtechstack*, \
    /usr/bin/su - oravis -c export PERL5LIB*perl -mdlpx_force_autoflush */ dbtechstack*, \
    /usr/bin/su - oravis -c cd *; make -f*ioracle*, \
    /usr/bin/su - oravis -c cd *; make -f dnfs_off*, \
    /usr/bin/su - oravis -c rm -f *bak, /usr/bin/su - oravis -c mv *, \
    /usr/bin/su - oravis -c */*.env*sqlplus* as sysdba*, \
    /usr/bin/su - oravis -c */*.env*perl */appsutil/clone/bin/ dbconfig*, \
    /usr/bin/su - oravis -c */*.env*perl */appsutil/scripts/*/ database*, \
    /usr/bin/su - oravis -c sed*sqlnet.ora*, /usr/bin/su - oravis -c */*.env*sqlplus apps*, \
    /usr/bin/su - oravis -c */*.env*; make -f *rdbms/lib/ dnfs_off*, \
    /usr/bin/su - oravis -c */*.env*; ln -s *, /usr/sbin/mount, /usr/sbin/umount, /usr/bin/ps, /usr/bin/mkdir, \
    /usr/bin/su - oravis -c source* -dboraclehome* perl**, \
    /usr/bin/su - oravis -c */*.env*perl */appsutil/bin/ -contextfile*, \
    /usr/bin/su - oravis -c */*.env* mkdir -p*, \
    /usr/bin/su - oravis -c chmod 775 *dbs*, \
    /usr/bin/su - oravis -c chmod 6751 */bin/oracle*, \
    /usr/bin/su - oravis -c cp **, \
    /usr/bin/su - oravis -c chmod 755 */dlpx_force_autoflush*, \
    /usr/bin/su - oravis -c umask*touch *source_apps_file.txt, \
    /usr/bin/su - oravis -c mkdir -p*, \
    /usr/bin/su - oravis -c cp *pairsfile*, \
    /usr/bin/su - oravis -c *perl -mdlpx_force_autoflush */*, \
    /usr/bin/su - oravis -c *perl -mdlpx_force_autoflush */ dbtechstack*, \
    /usr/bin/su - oravis -c touch */.delphix_adpreclone.lck*, \
    /usr/bin/su - oravis -c rm -f */.delphix_adpreclone.lck*, \
    /usr/bin/su - oravis -c chmod 755 *hooksUtil*, \
    /usr/bin/su - oravis -c set -o *hooksUtil*, \
    /usr/bin/su - oravis -c mkdir *hooksUtil*, /usr/bin/mkdir, /usr/bin/rmdir, /usr/sbin/mount, /usr/sbin/umount, /usr/bin/pargs, /usr/bin/ps, /usr/bin/netstat
Entries required for provisioning via low privileged user (delphix_os) on target EBS AppsTier.
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /usr/bin/su - oravis -c echo *, \
    /usr/bin/su - oravis -c rm *.dlpx_run_edition*, \
    /usr/bin/su - oravis -c rm -f *dlpx_force_autoflush*, \
    /usr/bin/su - oravis -c cd *echo *dlpx_force_autoflush*, \
    /usr/bin/su - oravis -c export PATH* export PERL5LIB* cd *perl -mdlpx_force_autoflush ./ AppsTier*, \
    /usr/bin/su - oravis -c */rsync*, /usr/bin/su - oravis -c test*mkdir*, \
    /usr/bin/su - oravis -c test*touch*chmod 750*cat*, \
    /usr/bin/su - oravis -c */EBS_kill/*, \
    /usr/bin/su - oravis -c rm -f */test_status.tmp*, \
    /usr/bin/su - oravis -c */*.env* sqlplus -s *apps*, \
    /usr/bin/su - oravis -c */*, \
    /usr/bin/su - oravis -c */*, \
    /usr/bin/su - oravis -c */*.env* cd **, \
    /usr/bin/su - oravis -c export PATH* export PERL5LIB* cd *perl -mdlpx_force_autoflush ./ AppsTier*, \
    /usr/bin/su - oravis -c *perl -mdlpx_force_autoflush */ addnode contextfile*pairsfile*outfile*, \
    /usr/bin/su - oravis -c **, \
    /usr/bin/su - oravis -c **, \
    /usr/bin/su - oravis -c **, \
    /usr/bin/su - oravis -c */*.env* cd *perl -mdlpx_force_autoflush ./*contextfile*action*updateAdminPassword*, \
    /usr/bin/su - oravis -c */bin/runInstaller -silent -detachHome*, \
    /usr/bin/su - oravis -c rm -rf */inst/apps/*, \
    /usr/bin/su - oravis -c rm -rf *FMW_Home*, \
    /usr/bin/su - oravis -c rm -rf *fs*, \
    /usr/bin/su - oravis -c find*exec rm -rf *, \
    /usr/bin/su - oravis -c cp */inst/apps/*appl/admin* */inst/apps/*, \
    /usr/bin/su - oravis -c */*EBSapps.env*perl */patch/115/bin/*contextfile*configoption*oacore*oafm*forms*formsc4ws*, \
    /usr/bin/su - oravis -c rsync -aH --delete --ignore-errors */EBSapps/ */EBSapps/*, \
    /usr/bin/su - oravis -c rm */serviceStartfile.tmp*, \
    /usr/bin/su - oravis -c rm -rf */change_apps_password*, \
    /usr/bin/su - oravis -c mkdir -p */change_apps_password*, \
    /usr/bin/su - oravis -c */*.env* run; cd */change_apps_password*/fnd/12.0.0/bin/FNDCPASS*apps*system*SYSTEM APPLSYS*, \
    /usr/bin/su - oravis -c */*.env* sqlplus *apps*, /usr/bin/su - oravis -c */*.env* rm -f */*cat */*, \
    /usr/bin/su - oravis -c */*.env*/*, /usr/bin/su - oravis -c */*.env* rm -f */*cat**, \
    /usr/bin/su - oravis -c */*.env* run; */wlserver_10.3/common/bin/ */*, \
    /usr/bin/su - oravis -c */*.env*; */wlserver_10.3/common/bin/ */*, \
    /usr/bin/su - oravis -c *lsof*, /usr/bin/su - oravis -c *sed *, \
    /usr/bin/su - oravis -c */*.env*;* status*, /usr/sbin/mount, /usr/sbin/umount, /usr/bin/ps, \
    /usr/bin/su - oravis -c find*, /usr/bin/su - oravis -c cp **, \
    /usr/bin/su - oravis -c *perl -mdlpx_force_autoflush ./ AppsTier*, \
    /usr/bin/su - oravis -c cat**, \
    /usr/bin/su - oravis -c cat**, \
    /usr/bin/su - oravis -c mkdir -p */pairsdir*, \
    /usr/bin/su - oravis -c export PERL5LIB* cd *perl -mdlpx_force_autoflush * AppsTier*, \
    /usr/bin/su - oravis -c mv *scratch_file* *, /usr/bin/su - oravis -c pmap -r*, \
    /usr/bin/su - oravis -c */*.env* patch; */wlserver_10.3/common/bin/ */*, \
    /usr/bin/su - oravis -c */*.env* run; */ status*, \
    /usr/bin/su - oravis -c set -o pipefail; cat*tee */.*_pairs.txt*, \
    /usr/bin/su - oravis -c chmod 755 */.*_pairs.txt*, \
    /usr/bin/su - oravis -c *perl -mdlpx_force_autoflush */*AppsTier*, \
    /usr/bin/su - oravis -c /usr/bin/netstat -an *, /usr/bin/mkdir, /usr/bin/rmdir, /usr/sbin/mount, /usr/sbin/umount, /usr/bin/pargs, /usr/bin/ps, /usr/bin/netstat
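The dlpx_db_exec script above only ever issues `sudo su - <user> -c "<command>"`, so what delphix_os can actually do as oravis or applvis is decided entirely by the NOPASSWD lists. The following audit helper is an added example, not part of the Delphix page or product: it joins backslash-continued sudoers lines, lists the command specs granted to a user, checks the `!requiretty` default the page requires, and reports `su - <acct> -c` specs whose pattern is only wildcards (for example `**` or `*/*`, both present in the AppsTier lists), since such a spec matches any command. The sample sudoers fragment and the function names are constructed for this example.

```shell
#!/usr/bin/env bash
# Added audit helper (not part of the Delphix page or product): flattens
# backslash-continued sudoers lines, lists the NOPASSWD command specs granted
# to a user, and reports "su - <acct> -c" specs whose command part is nothing
# but wildcards, since those match any command run under that account.

# Constructed sample fragment, modelled on the AppsTier entries on this page.
SAMPLE_SUDOERS='Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /bin/su - applvis -c echo *, \
    /bin/su - applvis -c rm -f */dlpx_force_autoflush*, \
    /bin/su - applvis -c **, \
    /bin/su - applvis -c */*, \
    /bin/mount, /bin/umount'

# Join "\"-continued lines into one logical sudoers line each (reads stdin).
flatten_sudoers() {
    sed -e ':a' -e '/\\$/N; s/\\\n[[:space:]]*/ /; ta'
}

# Print every NOPASSWD command spec granted to user $1, one per line.
list_commands() {
    flatten_sudoers | awk -v u="$1" '
        $1 == u && /NOPASSWD:/ {
            sub(/^.*NOPASSWD:[ \t]*/, "")
            n = split($0, parts, /,[ \t]*/)
            for (i = 1; i <= n; i++) print parts[i]
        }'
}

# Print the specs for user $1 of the form "<su> - <acct> -c <pattern>" whose
# pattern is only "*" and "/" characters (e.g. "**" or "*/*"): any command matches.
find_catchall() {
    list_commands "$1" | awk '
        /^[^ ]+ - [^ ]+ -c / {
            cmd = $0
            sub(/^[^ ]+ - [^ ]+ -c[ \t]*/, "", cmd)
            if (cmd ~ "^[*/ ]*$") print $0
        }'
}

# Number of catch-all specs for user $1 (0 is the desired audit result).
count_catchall() { find_catchall "$1" | wc -l | tr -d ' '; }

# True when "Defaults:<user> !requiretty" is present, which the page requires
# so that dlpx_db_exec can call sudo from a non-interactive session.
requiretty_disabled() {
    flatten_sudoers | grep -q "^Defaults:$1[[:space:]]*!requiretty"
}

# Stand-alone run: report the catch-all specs in the constructed sample.
printf '%s\n' "$SAMPLE_SUDOERS" | find_catchall delphix_os
```

To audit a real host, feed `/etc/sudoers` (and any `#include`d files) to the functions instead of the sample, for example `cat /etc/sudoers | count_catchall delphix_os`.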