Re: root logging as internal

From: <anon_1_at_my-deja.com>
Date: 2000/04/05
Message-ID: <8cfd7k$mvg$1@nnrp1.deja.com>#1/1

In article <38EA8BC1.16C9EC5C_at_workmail.com>,   Johnny Chan <johnny.chan_at_workmail.com> wrote:
>
> I don't see how you can work around this "issue" or even if this is a
> really valid issue for Oracle.
>
> If someone has the root password on a UNIX box, that person can pretty much
> do anything he wants, which is why it is absolutely critical that a root
> password only be given to individuals you can trust.
>
> As exhibited below, a root user can assume the oracle id identity and
> create oracle id's. The root user can also start rm'ing your database files
> (doesn't even have to assume the oracle id to do so), in which case you're
> really, really hosed.
>

I'm not so much worried about rming (that would be a CTO - Career Terminating Offense). I'm more concerned about them doing subtle items like creating their own ids, breaking dba standards, and doing things that could slow down production while it's running - say something like dbms_utility.analyze_database. I do not want to have to clean up behind them.

> Your issue is not really Oracle's but your SysAdmin's level of access and
> security. You might want to clamp down on how many people have root
> passwords or install sudo to provide more limited root abilities to a
> larger set of users, but prevent the ability to do certain commands (like
> su or rm).
>

Agreed - however (and I do not want this to turn into a flame war), many of Oracle's competitors solve this by having the SA account prompted for a password whenever you log in. It would be impossible to log in w/o knowing the password. I was looking for a work around or a similar feature.

> jc
>
> aanon_1_at_hotmail.com wrote:
>
> > Hello all,
> >
> > Hopefully there is a work around to this "issue". However, so far I
> > have not been able to resolve it.
> >
> > Last week one of our UNIX admins took the liberty to log into Oracle
> > via the internal account and created himself an Oracle ID. In essence
> > he did this
> >
> > $ su - oracle
> >
> > $ svrmgrl
> >
> > svrmgr > connect internal
> >
> > And he was off to the races. Seeing that this is a gaping hole in our
> > security I tried a variety of items including using the orapwd
> > utility. I ended up calling Oracle, and they said that since root is a
> > special account and can su to anything, they can log into Oracle as
> > they see fit.
> >
> > I'm having a tough time believing this. So...
> >
> > 1) Is this true?
> > 2) If there is a work around could you pls post it.
> >
>
>

Received on Wed Apr 05 2000 - 00:00:00 CDT