RE: DBAs running root.sh
Date: Mon, 3 Feb 2014 12:08:12 -0700
Message-ID: <36800EC4761690448F1B444A1AEF44BB0E51E4A5_at_EXMBXC5.crha.bewell.ca>
I agree that pretty much ANYONE can do malicious or harmful things with whatever access level they have, if they put their mind to it. I find it strange, and disturbing, that everyone is discussing technical ways to prevent people from doing their jobs efficiently by making it more difficult to do what they need to do, by adding in various layers of "security" (using the word security as a euphemism for distrust).
IMO it is a VERY bad thing to build or foster an atmosphere of paranoia/fear/suspicion/distrust within your organization period, never mind within your own IT department/section/team/group.
The purpose of security is: (1) to keep outsiders out and (2) to prevent users with lesser knowledge levels from doing potentially dangerous and/or harmful things that they shouldn't be reasonably doing as part of their job duties.
Distrusting your users or IT people shouldn't be part of security at all.
This means that a DBA should reasonably have access to execute commands as root, since the need to do so is a regular part of their job duties. Requiring a DBA to wait to get permission/approval/clearance on a regular basis to do things that are reasonably part of his/her job is ridiculous security overkill - paranoia gone wild. A good DBA will make sure that they can do what they need to do without adversely impacting others, such as scheduling downtime or whatever.
If you don't trust your DBA, then either get rid of him/her and get one you DO trust, or get rid of the atmosphere of distrust in your organization. After all, there is no particular reason that a DBA should be any less trustworthy than a SA, providing they know what they are doing.
My opinion above may not be very popular, but that's OK. :)
Cheers, - Bill.
-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Austin Hackett
Sent: Monday, February 03, 2014 11:05 AM
To: Niall Litchfield
Cc: Amaral, Rui; oracle-l digest users
Subject: Re: DBAs running root.sh
Thanks Niall.
Yes, the SA concern is that someone with access to the oracle OS account (DBA or attacker) can add arbitrary commands of their choosing to root.sh and run them as root.
I totally agree with you - a DBA or attacker with "oracle" access on a DB server can do some pretty serious damage without resorting to edits on root.sh!
On 3 Feb 2014, at 17:42, Niall Litchfield <niall.litchfield_at_gmail.com> wrote:
> I think the SA's argument is this.
>
> root.sh is an executable shell script owned by oracle and therefore modifiable by oracle - a non-privileged user could therefore use root.sh as an attack vector against the server. This is, as far as I can tell, correct. Whether it is any more of a threat than the dba being able to run arbitrary code with the privileges that the oracle account has seems unlikely to me. I'd probably suggest a round table meeting between the O/S, DBA and Security subject matter experts to agree a solution.
>
> As the scripts generated contain the ORACLE_HOME path in them, I think the suggested approach is likely to be problematic; clearly one could edit root.sh (and all the scripts that it calls nowadays) to take, say, $ORACLE_HOME as an argument and then have an authorized central repository of them, good luck with the support ticket when something is missed though.
>
> Interesting question Austin.
>
-- http://www.freelists.org/webpage/oracle-l
Received on Mon Feb 03 2014 - 20:08:12 CET
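The concern in the thread is that root.sh is owned by oracle yet executed as root, so anyone with the oracle account can change what root runs. One way an SA can keep the DBA's workflow while closing that gap is a small gate that compares the script with a reviewed baseline before the sudo step. The script below is an added example, not from the thread or from Oracle; the baseline file format, the function names and the paths used are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): integrity gate for a non-root-owned
# installer script such as root.sh that has to be run as root. The SA records
# the sha256 of the reviewed copy in a root-owned baseline file; the wrapper
# refuses to run the script if it is group/world-writable or if its content
# differs from the reviewed copy. Assumes sha256sum (or shasum) and awk, and
# paths without spaces. Every path here is constructed for the demo.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_baseline SCRIPT BASELINE: append "<hash> <path>" once the script has
# been reviewed. The baseline itself must live somewhere oracle cannot write.
record_baseline() {
    printf '%s %s\n' "$(sha256_of "$1")" "$1" >> "$2"
}

# verify_script SCRIPT BASELINE
# returns 0 ok, 1 missing file or no baseline entry, 2 writable by group/other,
# 3 content differs from the reviewed copy.
verify_script() {
    script=$1; baseline=$2
    [ -f "$script" ] && [ -f "$baseline" ] || { echo "missing file" >&2; return 1; }
    # positions 6 and 9 of the ls mode string are the group and other write bits
    mode=$(ls -ld "$script" | cut -c1-10)
    case $mode in
        ?????w????|????????w?) echo "refusing: $script is group/world-writable" >&2; return 2 ;;
    esac
    expected=$(awk -v p="$script" '$2 == p { print $1; exit }' "$baseline")
    [ -n "$expected" ] || { echo "no baseline entry for $script" >&2; return 1; }
    actual=$(sha256_of "$script")
    [ "$actual" = "$expected" ] || { echo "refusing: $script changed since review" >&2; return 3; }
    return 0
}

# run_checked SCRIPT BASELINE: the gate in use. Note the check-then-run window:
# the owner can still edit the file between the two commands, so in practice
# copy the verified script into a root-owned directory and execute the copy.
run_checked() {
    verify_script "$1" "$2" && sudo /bin/sh "$1"
}
```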