Re: How to keep "root" out?

>Put the following code snippet
> "if [ "$LOGNAME" = "root" ];
> then init 0
> fi;
> in your oraenv. I guarantee you that the SA will no longer be
connecting >as SYSDBA.

May be it will happen once. A smart SA will suppress it next time. OR he/she can always create another OS account with id = 0,gid (root) and then use that subsequently while trying to use oracle OR log in as 'x' which is a non root account and then su root, followed by cd $ORACLE_HOME, source .profile/oraenv, get going.

GovindanK

> MessageBetter yet, put the following lines
>
> echo ORA-600 [kgfdjjks] [scdcsc] [dssdcdcsdc] [45] [999] Unauthorized root
> access
>
> then print some garbage into a file named like the regular trace files in
> user_dump_dest directory. Open up a iTAR and show this "trace" file to
> your SA's manager, along with the TAR number. Let the fun begin.
> ----- Original Message -----
> From: Mladen Gogala
> To: Multiple recipients of list ORACLE-L
> Sent: Thursday, August 28, 2003 1:04 PM
> Subject: RE: How to keep "root" out?
>
>
> Put the following code snippet
>
> "if [ "$LOGNAME" = "root" ];
> then init 0
> fi;
>
> in your oraenv. I guarantee you that the SA will no longer be connecting
> as SYSDBA.
>
>
> --
> Mladen Gogala
> Oracle DBA
>
> -----Original Message-----
> From: ml-errors_at_fatcity.com [mailto:ml-errors_at_fatcity.com] On Behalf
> Of Walter K
> Sent: Thursday, August 28, 2003 11:34 AM
> To: Multiple recipients of list ORACLE-L
> Subject: How to keep "root" out?
>
>
> Just for grins, I'll ask this question... Is there any way to keep the
> Unix "root" user from logging into the database (i.e. connect internal
> or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
>
> We have a couple people in our Unix admin group that feel the need to
> "help" by writing their own DB monitoring scripts. Of course, they
> don't know what they're talking about. They do not have formal logins
> for the database, but since they are root users they are connecting
> via "connect internal". This is not only counterproductive but
> actually a potential security issue--just because someone has root
> doesn't necessarily entitle them to see the data in the database. What
> if it is a payroll database?
>
> So, I'm curious, is there any way to prevent access via "connect
> internal" or "/ as sysdba"?
>
> Thanks in advance.
>
> W
>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Corniche Park
  INET: cornichepark_at_cwazy.co.uk

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).