Re: Project lockdown - opinion solicitation

From: DA Morgan <damorgan_at_psoug.org>
Date: Sun, 26 Aug 2007 10:52:43 -0700
Message-ID: <1188150760.267026@bubbleator.drizzle.com>


Oxnard wrote:

> "EdStevens" <quetico_man_at_yahoo.com> wrote in message 
> news:1187976674.337926.228510_at_r23g2000prd.googlegroups.com...

>> On advice last week, I have downloaded the "Project Lockdown" document
>> and begun reviewing it. I get a very uneasy feeling about his
>> suggestion to remove the SUID bit from the Oracle executables.
>> Searching through this ng I find a lot of issues stemming from not
>> leaving the file permissions just as they are created when following
>> installation instructions to the letter.
>>
>> It seems to me this could cause a lot of nagging problems. It also
>> seems that if your ORACLE_HOME is on a box where issuance of os user
>> accounts is limited to DBAs and SAs the ability to exploit the SUID
>> would be extremely limited.
>>
>> Am I missing something?
>>
> 
> Seems that in general if the DBA/SA wants to steal data the SU bit is not 
> really going to stop them as they already pretty much have the keys to the 
> kingdom. 

Not if the system is set up properly. Any organization where the DBA has root privileges needs a security audit. And yes, there are organizations so small that one person is both, but that is hardly the normal Oracle shop.

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org
Received on Sun Aug 26 2007 - 12:52:43 CDT
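The question in the thread is whether a setuid Oracle binary is a real exposure when only DBAs and SAs hold OS accounts. A check a defender can run before deciding, added here as an example and not code from the thread or from the Project Lockdown document: it lists setuid/setgid files under a directory such as $ORACLE_HOME and reports whether users outside the owning group can execute each one. The function names are my own.

```shell
#!/bin/sh
# Audit setuid/setgid files under a directory tree and show who can run them.
# The names count_suid, suid_exposure and audit_suid are this example's own.

# Count regular files under $1 carrying the setuid (4000) or setgid (2000) bit.
count_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# Classify one file by its "other" execute bit (10th character of ls -l mode):
# "world" if any local user can execute it, "restricted" if only the owner
# and the owning group (for Oracle, typically oracle:dba) can.
suid_exposure() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        *[xt]) echo world ;;
        *)     echo restricted ;;
    esac
}

# Print mode, exposure class and path for every setuid/setgid file under $1.
# A "world" entry is reachable by every account on the box, not just DBAs.
audit_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        printf '%s %-10s %s\n' "$(ls -ld "$f" | cut -c1-10)" "$(suid_exposure "$f")" "$f"
    done
}

# Stand-alone use: audit the Oracle home if the environment names one.
if [ -n "${ORACLE_HOME:-}" ]; then
    audit_suid "$ORACLE_HOME"
fi
```

Compare the list against the permissions the installer created before changing anything; the thread's concern is precisely that wholesale bit-stripping breaks things the install relies on.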
