Oracle FAQ Your Portal to the Oracle Knowledge Grid

RE: How to keep "root" out?

From: Orr, Steve <sorr_at_rightnow.com>
Date: Thu, 28 Aug 2003 13:04:32 -0800
Message-ID: <F001.005CDCA5.20030828130432@fatcity.com>


By definition, root is all-powerful so if one is entrusted with all power then by extension, said person should be trustworthy. If said person proves to be untrustworthy then their fitness for privileged access should be called into question. If said person is not a "team player" with the DBA(s) then their trustworthiness is suspect.

"Playing" with stuff outside one's normal realm may call this into question but there is something to be said for an inquisitive desire to know how things work. Isn't that the nature of our business? If someone really is inquisitive about all things Oracle then you could suggest that they be sent to Oracle DBA training classes. Better yet, suggest a "policy" that no one should not be allowed to touch Oracle unless they are an OCP. Wow, for the first time I just thought of a good reason for the OCP program. :-)

I have root access and at first I asked for it to be taken away but I've found myself needing it enough that I'm glad to have it. Part of the problem is that so much software unnecessarily requires root. Fortunately root.sh is all we normally have to do as root for most Oracle install stuff. I work in teamwork with a bunch of top notch SysAdmin pros and we use sudo as much as possible.  

Having a good team is key. Sometimes you can actually get damagers to help out with this kind of stuff. :-)    

Steve Orr    

-----Original Message-----
Sent: Thursday, August 28, 2003 10:20 AM
To: Multiple recipients of list ORACLE-L

        Walter,          

            First question, why are they logging on as "root" in the first place? That is akin to logging into the database as sys all the time, namely something to be avoided at all cost.

	Dick Goulet
	Senior Oracle DBA
	Oracle Certified 8i DBA 

		-----Original Message-----
		From: Walter K [mailto:ora1034_at_sbcglobal.net]
		Sent: Thursday, August 28, 2003 11:34 AM
		To: Multiple recipients of list ORACLE-L
		Subject: How to keep "root" out?
		
		
		Just for grins, I'll ask this question... Is there any way to keep the Unix "root" user from logging into the database (i.e. connect internal or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.

                We have a couple people in our Unix admin group that feel the need to "help" by writing their own DB monitoring scripts. Of course, they don't know what they're talking about. They do not have formal logins for the database, but since they are root users they are connecting via "connect internal". This is not only counterproductive but actually a potential security issue--just because someone has root doesn't necessarily entitle them to see the data in the database. What if it is a payroll database?                  

                So, I'm curious, is there any way to prevent access via "connect internal" or "/ as sysdba"?
                 

                Thanks in advance.                  

                W

Received on Thu Aug 28 2003 - 16:04:32 CDT
