Read-only bind mounting your ORACLE_HOME

When checking the file system layout in my last blog post, Oracle DbNest file system isolation: pivot root / bind mount, something caught my attention. Even though in Oracle 20c a read-only Oracle home is the default and DbNest is there to provide file system isolation (among many other things), the Oracle home is not mounted read-only by default (DBNEST_PDB_FS_CONF not set) in the new nest mount namespace!

This is curious, because a malicious user on a compromised PDB could exploit that and impact the whole environment.

By the way, your Oracle home doesn't need to be on a separate file system to be mounted read-only, nor do you need DbNest for that (even if it seems unsupported to have it read-only without DbNest). Using a bind mount we can easily mount our Oracle home read-only in our root mount namespace (that is, without DbNest) in only one step. It's as easy as:

Here we are bind mounting the Oracle home directory onto itself with the ro mount option added. The PDB nest keeps those mount options when it is created:

I think it would be useful to have a script to lock/unlock our read-only ORACLE_HOME, switching it from read-only to read-write when needed (for patching, for example), which would bring better security and control. But for Oracle DbNest I think the ORACLE_HOME MUST be in read-only mode in the default filesystem layout! I hope this will be the case in the GA release.
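Here is such a lock/unlock script as an added example; it is not code from the original post. It covers both the one-step read-only bind mount described above and the lock/unlock idea, and it reads the per-mount options from /proc/self/mountinfo to confirm the state, since the ro flag of a bind mount lives in the per-mount options, not in the superblock options that still show the underlying file system as rw. The ORACLE_HOME default path is a placeholder, and the mountinfo excerpt used by the offline demo is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): bind-mount ORACLE_HOME read-only
# onto itself, lock/unlock it, and report its state from /proc/self/mountinfo.
# The default path below is a placeholder, not taken from the post.
ORACLE_HOME="${ORACLE_HOME:-/u01/app/oracle/product/20.0.0/dbhome_1}"

# mount_state MOUNTPOINT < mountinfo
# Prints "ro" or "rw" for the most recent mount stacked at MOUNTPOINT; exits 1
# if the path is not a mount point. Field 5 of mountinfo is the mount point,
# field 6 the per-mount options (where "ro" from a bind,ro mount lands).
mount_state() {
    awk -v mp="$1" '
        $5 == mp {
            st = "rw"
            n = split($6, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") st = "ro"
            found = 1
        }
        END { if (found) print st; exit !found }'
}

# State of the live ORACLE_HOME mount (no root needed to read mountinfo).
current_state() { mount_state "$ORACLE_HOME" < /proc/self/mountinfo; }

# One-step read-only bind mount of ORACLE_HOME onto itself (root required).
# util-linux 2.27+ applies ro together with bind; on older versions run
# "mount --bind" first and then the remount used by lock_home.
bind_ro() {
    mount -o bind,ro "$ORACLE_HOME" "$ORACLE_HOME" && current_state
}

# Switch the existing bind mount to read-only.
lock_home() {
    mount -o remount,bind,ro "$ORACLE_HOME" && current_state
}

# Switch it back to read-write, e.g. for patching; lock again afterwards.
unlock_home() {
    mount -o remount,bind,rw "$ORACLE_HOME" && current_state
}

# Constructed /proc/self/mountinfo excerpt for an offline demo of the parser:
# the root fs is rw, while the self-bind of ORACLE_HOME carries ro in field 6
# even though its superblock options (last field) still read rw.
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,data=ordered
130 22 8:1 /u01/app/oracle/product/20.0.0/dbhome_1 /u01/app/oracle/product/20.0.0/dbhome_1 ro,relatime shared:1 - ext4 /dev/sda1 rw,data=ordered'

# demo_state MOUNTPOINT: run the parser over the constructed sample.
demo_state() { printf '%s\n' "$SAMPLE_MOUNTINFO" | mount_state "$1"; }

# Usage: oh_ro.sh bind | lock | unlock | status   (no argument does nothing)
case "${1:-}" in
    bind)   bind_ro ;;
    lock)   lock_home ;;
    unlock) unlock_home ;;
    status) current_state ;;
esac
```

Run `status` before and after a patch window to make sure the home was locked again; `demo_state` shows the parser distinguishing the ro self-bind from the rw root mount without touching the live system.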

That’s it 🙂
