Re: root logging as internal
anon_1_at_my-deja.com wrote:
>
> In article <38EA8BC1.16C9EC5C_at_workmail.com>,
> Johnny Chan <johnny.chan_at_workmail.com> wrote:
> >
> > I don't see how you can work around this "issue" or even if this is a
> > really valid issue for Oracle.
> >
> > If someone has the root password on a UNIX box, that person can pretty much
> > do anything he wants, which is why it is absolutely critical that a root
> > password only be given to individuals you can trust.
> >
> > As exhibited below, a root user can assume the oracle id identity and
> > create oracle id's. The root user can also start rm'ing your database files
> > (doesn't even have to assume the oracle id to do so), in which case you're
> > really, really hosed.
> >
>
> I'm not so much worried about rming (that would be a CTO - Career
> Terminating Offense). I'm more concerned about them doing subtle items
> like creating their own ids, breaking dba standards, and doing things
> that could slow down production while it's running - say something like
> dbms_utility.analyze_database. I do not want to have to clean up
> behind them.
>
> > Your issue is not really Oracle's but your SysAdmin's level of access and
> > security. You might want to clamp down on how many people have root
> > passwords or install sudo to provide more limited root abilities to a
> > larger set of users, but prevent the ability to do certain commands (like
> > su or rm).
> >
>
> Agreed - however (and I do not want this to turn into a flame war),
> many of Oracle's competitors solve this by having the SA account
> prompted for a password whenever you log in. It would be impossible to
> log in w/o knowing the password. I was looking for a work around or a
> similar feature.
>
> > jc
> >
> > aanon_1_at_hotmail.com wrote:
> >
> > > Hello all,
> > >
> > > Hopefully there is a work around to this "issue". However, so far I
> > > have not been able to resolve it.
> > >
> > > Last week one of our UNIX admins took the liberty to log into Oracle
> > > via the internal account and created himself an Oracle ID. In essence
> > > he did this
> > >
> > > $ su - oracle
> > >
> > > $ svrmgrl
> > >
> > > svrmgr > connect internal
> > >
> > > And he was off to the races. Seeing that this is a gaping hole in our
> > > security I tried a variety of items including using the orapwd
> > > utility. I ended up calling Oracle, and they said that since root is a
> > > special account and can su to anything, they can log into Oracle as
> > > they see fit.
> > >
> > > I'm having a tough time believing this. So...
> > >
> > > 1) Is this true?
> > > 2) If there is a work around could you pls post it.
> > >
> >
> >

You can set up Oracle to prompt for a password when CONNECT INTERNAL is issued, but this can be circumvented by a root user with a little Oracle smarts.
HTH

-- 
===========================================
Connor McDonald
http://www.oracledba.co.uk

We are born naked, wet and hungry...then things get worse

Received on Wed Apr 05 2000 - 00:00:00 CDT
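As an added example that is not part of the thread: a small POSIX shell audit script that makes the mechanism being argued about visible. CONNECT INTERNAL rides on OS authentication, i.e. membership in the OSDBA group (assumed here to be named `dba`), and root can `su -` to any member of that group, so root belongs on the list of accounts that can reach the database no matter what Oracle itself is told. The sample `/etc/group` and `sqlnet.ora` contents are constructed for the example; the `SQLNET.AUTHENTICATION_SERVICES=(NONE)` check assumes the server honours that setting to force a password for privileged local connects, and, as Connor's reply says, anyone who is already root can edit that file back, so this is a visibility aid for the DBA, not a control against root.

```shell
#!/bin/sh
# Added example (not from the thread): audit who can reach CONNECT INTERNAL
# through OS authentication on a UNIX Oracle host.
# Assumptions: the OSDBA group is "dba"; the server honours
# SQLNET.AUTHENTICATION_SERVICES in sqlnet.ora. Inputs are constructed files.

# Constructed sample /etc/group content (not real host data).
SAMPLE_GROUP='root:x:0:
dba:x:500:oracle,jsmith
oinstall:x:501:oracle'

# Constructed sqlnet.ora that leaves OS authentication on.
SAMPLE_SQLNET_OS_AUTH='SQLNET.AUTHENTICATION_SERVICES=(ALL)'
# Constructed sqlnet.ora that forces a password for privileged connects
# (assumed semantics of the NONE setting, see lead-in).
SAMPLE_SQLNET_PASSWORD='SQLNET.AUTHENTICATION_SERVICES=(NONE)'

# Write the constructed samples into a temp dir and print its path.
write_samples() {
  dir=$(mktemp -d)
  printf '%s\n' "$SAMPLE_GROUP" > "$dir/group"
  printf '%s\n' "$SAMPLE_SQLNET_OS_AUTH" > "$dir/sqlnet_os.ora"
  printf '%s\n' "$SAMPLE_SQLNET_PASSWORD" > "$dir/sqlnet_pw.ora"
  echo "$dir"
}

# Print, one per line and sorted, every account that can use OS
# authentication for the given OSDBA group: the explicit members of the
# group entry (field 4 of /etc/group), plus root, which can "su -" to any
# of them without a password and so is always on the list.
osdba_accounts() {
  group_file="$1"; dba_group="$2"
  members=$(awk -F: -v g="$dba_group" '$1 == g { print $4 }' "$group_file" | tr ',' '\n')
  printf '%s\n' root $members | sort -u
}

# Print "password" if sqlnet.ora sets SQLNET.AUTHENTICATION_SERVICES=(NONE),
# otherwise "os-auth" (the default, where group membership alone suffices).
os_auth_mode() {
  sqlnet_file="$1"
  if grep -Eiq '^[[:space:]]*SQLNET\.AUTHENTICATION_SERVICES[[:space:]]*=[[:space:]]*\(NONE\)' "$sqlnet_file"; then
    echo password
  else
    echo os-auth
  fi
}

# Human-readable report over the constructed samples.
report() {
  dir=$(write_samples)
  echo "OS authentication mode (sqlnet_os.ora): $(os_auth_mode "$dir/sqlnet_os.ora")"
  echo "OS authentication mode (sqlnet_pw.ora): $(os_auth_mode "$dir/sqlnet_pw.ora")"
  echo "Accounts able to CONNECT INTERNAL via OS authentication (root included):"
  osdba_accounts "$dir/group" dba | sed 's/^/  /'
  rm -rf "$dir"
}

report
```

Point the functions at the real `/etc/group` and `$ORACLE_HOME/network/admin/sqlnet.ora` to audit a live host; the interesting output is the list of accounts, which is the set of people whose OS password is effectively a SYSDBA password, with root on it by construction.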