RE: How to keep "root" out?
Yes, that is correct.
There is no way to keep root out of the database without label security. Since I don't know how that works, please don't ask me to explain. :)
Jared
On Tue, 2003-09-02 at 12:14, Ari Kaplan wrote:
> If you somehow prevent the specific "root" account out, can't the sysadmin
> still do an "su - oracle" and then get in as sysdba under the "oracle"
> account?
>
> -Ari
>
> -----Original Message-----
> Jared Still
> Sent: Thursday, August 28, 2003 8:14 PM
> To: Multiple recipients of list ORACLE-L
>
>
> The security model of Oracle on both unix and Windows
> precludes any ability to prevent access to the database
> by a knowledgeable user with root or admin access.
>
> Pete Sharman could no doubt go into some detail here.
>
> I bought his security book, I'll check it out when I get to work.
>
> Could be there's something I've overlooked. :)
>
> Jared
>
> On Thu, 2003-08-28 at 09:29, DENNIS WILLIAMS wrote:
> > Walter
> > You may be able to approach this from a security aspect. You could
> > discuss with your management whether it is a good idea for the system
> > administrators to be in a database. Depending on the security or SLA
> > requirements of the database, you may have some leverage there.
> >
> >
> >
> > Dennis Williams
> > DBA, 80%OCP, 100% DBA
> > Lifetouch, Inc.
> > dwilliams_at_lifetouch.com
> >
> > -----Original Message-----
> > Sent: Thursday, August 28, 2003 11:10 AM
> > To: Multiple recipients of list ORACLE-L
> >
> >
> > Well, first of all, root should not be in your dba group...
> >
> > -----Original Message-----
> > Sent: Thursday, August 28, 2003 8:34 AM
> > To: Multiple recipients of list ORACLE-L
> >
> >
> > Just for grins, I'll ask this question... Is there any way to keep the Unix
> > "root" user from logging into the database (i.e. connect internal or / as
> > sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
> >
> > We have a couple people in our Unix admin group that feel the need to "help"
> > by writing their own DB monitoring scripts. Of course, they don't know what
> > they're talking about. They do not have formal logins for the database, but
> > since they are root users they are connecting via "connect internal". This
> > is not only counterproductive but actually a potential security issue--just
> > because someone has root doesn't necessarily entitle them to see the data in
> > the database. What if it is a payroll database?
> >
> > So, I'm curious, is there any way to prevent access via "connect internal"
> > or "/ as sysdba"?
> >
> > Thanks in advance.
> >
> > W
> >
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.net
> > --
> > Author: DENNIS WILLIAMS
> > INET: DWILLIAMS_at_LIFETOUCH.COM
> >
> > Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> > San Diego, California -- Mailing list and web hosting services
> > ---------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from). You may
> > also send the HELP command for other information (like subscribing).
>
>
> Author: Jared Still
> INET: jkstill_at_cybcon.com
>
> Author: Ari Kaplan
> INET: ari.kaplan_at_xb.com
Received on Wed Sep 03 2003 - 01:04:26 CDT
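
The thread's point that root should not be in the dba group can be checked mechanically. The following is an added example, not part of any message in the thread: it lists every account that belongs to the `dba` group, through either supplementary or primary group membership, and reports those outside an allow-list. The file locations, the allow-list and the sample files are assumptions constructed for the example, and as the thread notes, a clean result does not stop root from using `su - oracle`.

```shell
#!/bin/sh
# Added example: audit membership of the OS group that grants "/ as sysdba".
# The group name "dba" comes from the thread; everything else is assumed.

# dba_members GROUP_FILE PASSWD_FILE [GROUP]
# Prints one account per line: supplementary members from the group file
# plus accounts whose primary GID in the passwd file is that group's GID.
dba_members() {
    awk -F: -v grp="${3:-dba}" '
        NR == FNR {                          # first file: group(5) format
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: passwd(5)
        END { for (u in seen) print u }
    ' "$1" "$2" | sort
}

# unexpected_dba_members GROUP_FILE PASSWD_FILE ALLOWED_ACCOUNT...
# Prints members of the dba group that are not on the allow-list.
unexpected_dba_members() {
    gfile=$1; pfile=$2; shift 2
    for u in $(dba_members "$gfile" "$pfile"); do
        ok=0
        for a in "$@"; do
            if [ "$u" = "$a" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then echo "$u"; fi
    done
}

# Constructed sample files (not taken from the thread).
make_sample() {
    printf '%s\n' 'root::0:root' 'dba::101:oracle,root' \
        'oinstall::102:oracle' > "$1/group"
    printf '%s\n' 'root:x:0:0:Super-User:/:/sbin/sh' \
        'oracle:x:1001:102:Oracle owner:/export/home/oracle:/bin/ksh' \
        'monitor:x:1002:101:Monitoring:/export/home/monitor:/bin/ksh' > "$1/passwd"
}

d=$(mktemp -d) && make_sample "$d"
unexpected_dba_members "$d/group" "$d/passwd" oracle
rm -rf "$d"
```

On a real host the two file arguments would be `/etc/group` and `/etc/passwd`, with the allow-list set to the accounts that are meant to hold SYSDBA.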