
RE: Oracle OS level security

From: Stephen Lee <slee_at_dollar.com>
Date: Wed, 27 Nov 2002 08:40:23 -0800
Message-ID: <F001.0050DB92.20021127084023@fatcity.com>

My experience with NT security in an environment of any significant size is that it is a hopeless situation. In addition to dealing with admins on the box with the database, it seems that there is always an application support person or two that needs administrator privs on that box too. Then there are the people that support multiple boxes, so they get domain admin privs.

I set the privs on Oracle files so that any administrator would at least have to take ownership of the files in order to delete them. Following strict file and directory naming conventions and teaching everyone to recognize sacred file name patterns helps. We even had certain drive letters throughout the domain that were reserved for Oracle stuff so that people would know which drive letters were danger zones.

With all this in place, the only problems we experienced were due to the flakey disk clustering that the admins were using. File systems (or the NT equivalent thereof) had a habit of getting unmounted, and Oracle seems to take offense at files suddenly disappearing.

I wasn't all that worried about people going in and deleting files. My biggest worry was that we automate a lot of jobs and a lot of monitoring with scripts. Some of these require information (such as passwords) be put into files; files that I can't protect on NT. I never had a big problem with admins being administrator (or root on Unix), but on NT it seems that there are always people from development, or people from some department up on 10th floor, that "need" administrator on the box too in order to support some app. So now you have developers and people you don't even know about that, if they chose to do so, can go nosing around in your stuff.
Received on Wed Nov 27 2002 - 10:40:23 CST