Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: How to keep "root" out?

RE: How to keep "root" out?

From: Jared Still <jkstill_at_cybcon.com>
Date: Tue, 02 Sep 2003 22:04:26 -0800
Message-ID: <F001.005CE8E9.20030902220426@fatcity.com>

Yes, that is correct.

There is no way to keep root out of the database without label security. Since I don't know how that works, please don't ask me to explain. :)

Jared

On Tue, 2003-09-02 at 12:14, Ari Kaplan wrote:
> If you somehow prevent the specific "root" account out, can't the sysadmin
> still do an "su - oracle" and then get in as sysdba under the "oracle"
> account?
>
> -Ari
>
> -----Original Message-----
> Jared Still
> Sent: Thursday, August 28, 2003 8:14 PM
> To: Multiple recipients of list ORACLE-L
>
>
> The security model of Oracle on both unix and Windows
> precludes any ability to prevent access to the database
> by a knowledgeable user with root or admin access.
>
> Pete Sharman could no doubt go into some detail here.
>
> I bought his security book, I'll check it out when I get to work.
>
> Could be there's something I've overlooked. :)
>
> Jared
>
> On Thu, 2003-08-28 at 09:29, DENNIS WILLIAMS wrote:
> > Walter
> > You may be able to approach this from a security aspect. You could
> > discuss with your management whether it is a good idea for the system
> > administrators to be in a database. Depending on the security or SLA
> > requirements of the database, you may have some leverage there.
> >
> >
> >
> > Dennis Williams
> > DBA, 80%OCP, 100% DBA
> > Lifetouch, Inc.
> > dwilliams_at_lifetouch.com
> >
> > -----Original Message-----
> > Sent: Thursday, August 28, 2003 11:10 AM
> > To: Multiple recipients of list ORACLE-L
> >
> >
> > Well, first of all, root should not be in your dba group...
> >
> > -----Original Message-----
> > Sent: Thursday, August 28, 2003 8:34 AM
> > To: Multiple recipients of list ORACLE-L
> >
> >
> > Just for grins, I'll ask this question... Is there any way to keep the
> Unix
> > "root" user from logging into the database (i.e. connect internal or / as
> > sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
> >
> > We have a couple people in our Unix admin group that feel the need to
> "help"
> > by writing their own DB monitoring scripts. Of course, they don't know
> what
> > they're talking about. They do not have formal logins for the database,
> but
> > since they are root users they are connecting via "connect internal". This
> > is not only counterproductive but actually a potential security
> issue--just
> > because someone has root doesn't necessarily entitle them to see the data
> in
> > the database. What if it is a payroll database?
> >
> > So, I'm curious, is there any way to prevent access via "connect internal"
> > or "/ as sysdba"?
> >
> > Thanks in advance.
> >
> > W
> >
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.net
> > --
> > Author: DENNIS WILLIAMS
> > INET: DWILLIAMS_at_LIFETOUCH.COM
> >
> > Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> > San Diego, California -- Mailing list and web hosting services
> > ---------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from). You may
> > also send the HELP command for other information (like subscribing).
>
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Jared Still
> INET: jkstill_at_cybcon.com
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Ari Kaplan
> INET: ari.kaplan_at_xb.com
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: jkstill_at_cybcon.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Wed Sep 03 2003 - 01:04:26 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US