A recent discussion with a colleague has led me to investigate this topic. Oracle Installation Guides for UNIX reference assigning the primary group of ‘oinstall’.
From my investigation, it appears that, like many others, I have always used a UNIX account with its primary group assigned to ‘dba’ to install the Oracle software.
The best explanation I have found to date is from Linda Smith’s blog topic “To Oinstall or not to Oinstall. That is the question. (Oinstall vs DBA group on Linux/Unix Platforms)”.
“… the group membership prevents unauthorized access to the database by personnel who maintain the software, and it prevents the database administrators from making changes to the software and the installations inventory directory.”
As Linda explains, the use of ‘oinstall’ would more likely apply when you have separate installation and database administration teams due to “government security mandates”. However, many organizations continue to use ‘dba’ as the primary group for the account that owns the installation software and administers the database.
In my current environment, I use a single UNIX account accessible to myself and my backup DBA. Technically so does my UNIX Admin, but the security risk is comfortably mitigated considering my circumstances. Understandably, this may not be the case for others in their environment setup.
In addition, this does not appear to create a functional problem or negate support from Oracle, so I will continue to request the ‘dba’ group be assigned as the primary group to my Oracle UNIX account.
Further evaluation of this choice from a security perspective will be taken into consideration should the appropriate requirement arise in the future.