
RE: How to keep "root" out?

From: Ari Kaplan <ari.kaplan_at_xb.com>
Date: Tue, 02 Sep 2003 11:14:40 -0800
Message-ID: <F001.005CE8BA.20030902111440@fatcity.com>


If you somehow keep the specific "root" account out, can't the sysadmin still do an "su - oracle" and then get in as sysdba under the "oracle" account?

-Ari

-----Original Message-----
Jared Still
Sent: Thursday, August 28, 2003 8:14 PM
To: Multiple recipients of list ORACLE-L

The security model of Oracle on both unix and Windows precludes any ability to prevent access to the database by a knowledgeable user with root or admin access.

Pete Sharman could no doubt go into some detail here.

I bought his security book, I'll check it out when I get to work.

Could be there's something I've overlooked. :)

Jared

On Thu, 2003-08-28 at 09:29, DENNIS WILLIAMS wrote:
> Walter
> You may be able to approach this from a security aspect. You could
> discuss with your management whether it is a good idea for the system
> administrators to be in a database. Depending on the security or SLA
> requirements of the database, you may have some leverage there.
>
>
>
> Dennis Williams
> DBA, 80%OCP, 100% DBA
> Lifetouch, Inc.
> dwilliams_at_lifetouch.com
>
> -----Original Message-----
> Sent: Thursday, August 28, 2003 11:10 AM
> To: Multiple recipients of list ORACLE-L
>
>
> Well, first of all, root should not be in your dba group...
>
> -----Original Message-----
> Sent: Thursday, August 28, 2003 8:34 AM
> To: Multiple recipients of list ORACLE-L
>
>
> Just for grins, I'll ask this question... Is there any way to keep the Unix
> "root" user from logging into the database (i.e. connect internal or / as
> sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
>
> We have a couple people in our Unix admin group that feel the need to "help"
> by writing their own DB monitoring scripts. Of course, they don't know what
> they're talking about. They do not have formal logins for the database, but
> since they are root users they are connecting via "connect internal". This
> is not only counterproductive but actually a potential security issue--just
> because someone has root doesn't necessarily entitle them to see the data in
> the database. What if it is a payroll database?
>
> So, I'm curious, is there any way to prevent access via "connect internal"
> or "/ as sysdba"?
>
> Thanks in advance.
>
> W
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: DENNIS WILLIAMS
> INET: DWILLIAMS_at_LIFETOUCH.COM
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).

--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Jared Still
  INET: jkstill_at_cybcon.com


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Ari Kaplan
  INET: ari.kaplan_at_xb.com

Received on Tue Sep 02 2003 - 14:14:40 CDT
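
Added example, not part of the original thread: a shell check that lists which local accounts can reach OS-authenticated SYSDBA, either directly through the OSDBA group or indirectly because a UID 0 account can "su" to a member, which is the point raised in the reply above. The group name `dba`, the function names and the sample group/passwd contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit who can reach "/ as sysdba" through OS authentication.
# Assumption: the OSDBA group is named "dba" (pass another name as $3).

# Print "direct USER" for OSDBA group members (supplementary or primary group)
# and "via-su USER" for UID 0 accounts that are not members themselves.
sysdba_capable() {
    group_file=$1; passwd_file=$2; osdba=${3:-dba}
    awk -F: -v osdba="$osdba" '
        # group format: name:pw:gid:member,member
        FILENAME == ARGV[1] {
            if ($1 == osdba) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") direct[m[i]] = 1
            }
            next
        }
        # passwd format: name:pw:uid:gid:gecos:home:shell
        {
            if (gid != "" && $4 == gid) direct[$1] = 1  # primary group is OSDBA
            if ($3 == "0") super[$1] = 1                # can su to any member
        }
        END {
            for (u in direct) print "direct " u
            for (u in super) if (!(u in direct)) print "via-su " u
        }
    ' "$group_file" "$passwd_file" | LC_ALL=C sort
}

# Constructed sample files (not taken from any real host).
write_sample() {
    printf '%s\n' 'root::0:root' 'dba::101:oracle,jsmith' \
        'sysadmin::14:root,adm1' > "$1/group"
    printf '%s\n' 'root:x:0:1:Super-User:/:/sbin/sh' \
        'oracle:x:1001:101::/export/home/oracle:/bin/ksh' \
        'orabatch:x:1002:101::/export/home/orabatch:/bin/ksh' \
        'jsmith:x:2001:10::/export/home/jsmith:/bin/ksh' \
        'adm1:x:0:1:second uid 0 account:/:/bin/sh' > "$1/passwd"
}

# Demo run on the constructed sample.
tmp=$(mktemp -d)
write_sample "$tmp"
sysdba_capable "$tmp/group" "$tmp/passwd" dba
rm -rf "$tmp"
```

On the sample, root is not in `dba` yet still appears as `via-su`, so group membership alone does not bound who can connect as sysdba.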
