Re: Oracle Installation on Windows

From: Niall Litchfield <niall.litchfield_at_gmail.com>
Date: Wed, 11 Feb 2009 06:39:26 +0000
Message-ID: <7765c8970902102239r56245277ga9a6532188707c9c_at_mail.gmail.com>



There are a few rights that are given to LocalSystem that are not given to the Administrators group, for example the 'ACT AS PART OF THE OPERATING SYSTEM' right - you can see these in the local security policy control panel applet (though you can't see their assignment to LocalSystem).

However this should not affect the *install* so long as your domain account is directly a member of the *local* Administrators group - as opposed to Domain Admins (I can't now recall why that made a difference in the past and indeed it shouldn't, but it did back in the 806/815 days). The only occasion that I'm aware of it making a difference is in the account that is used for executing OS jobs using EM where you need 4 rights:

Log on as a batch job -- self explanatory
Replace a process level token -- enables one service to start another
Act as part of the operating system -- enables impersonation of any user
Increase memory quota for a process -- self explanatory

I suspect that item 3, particularly given the ability to create em jobs via pl/sql and the ability to inject pl/sql into the db is a difficult to exploit but potentially extremely dangerous security loophole, and to be honest is a requirement that I don't understand. Arguably right 2 is inappropriate as well.

Anyway if you also *run* the Oracle database under a different account, as opposed to installing it under a different account then there *may* be similar uses of non-default rights, I've never come across them except in the EM case though.

On Tue, Feb 10, 2009 at 5:06 PM, William Wagman <wjwagman_at_ucdavis.edu> wrote:

> Greetings,
>
> I'm having a conversation with one of my co-workers re privileges, oracle
> and windows. I am working with Windows Server 2003, 64-bit and Oracle 10gR2.
> Our standard practice is to create an Oracle account which is a member of
> the local administrators group, essentially full administrative rights on
> the box. The Oracle installation is done while logged in as the Oracle user.
> In one situation I encountered problems and Oracle had me uninstall and then
> reinstall while connected as the local admin account. I just installed the
> January 2009 CPU on a windows box and something broke. I opened an SR with
> Oracle, we solved the problem but again the question arose as to whether the
> installation had been done as Oracle or the local admin account with the
> suggestion that it might be necessary to uninstall and reinstall while
> connected as the local admin account. I have done quite a number of
> installations as Oracle rather than the local admin account as well as
> upgrades and patching but twice the question of who did the installation
> has arisen.
>
> My question, can someone explain why, if oracle is a member of the
> administrators group with full administrative rights on the box it would
> matter whether the installation is done as Oracle or the local admin
> account? Is there documentation available which might give me some more
> insight into this question?
>
> Thanks.
>
> Bill Wagman
> Univ. of California at Davis
> IET Campus Data Center
> wjwagman_at_ucdavis.edu
> (530) 754-6208
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Feb 11 2009 - 00:39:26 CST
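
Added example (not part of the original message or of any Oracle tooling): a small Python audit of a user-rights export produced with `secedit /export /cfg rights.inf /areas USER_RIGHTS`, reporting which of the four rights listed above an account holds directly and who has been explicitly granted 'Act as part of the operating system'. The account name `oracle_em` and the sample export are constructed for illustration; rights inherited through group membership are not resolved.

```python
import configparser

# The four rights from the message, keyed by the constant names used in a
# secedit USER_RIGHTS export. Order follows the list in the message.
EM_JOB_RIGHTS = {
    "SeBatchLogonRight": "Log on as a batch job",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeIncreaseQuotaPrivilege": "Increase memory quota for a process",
}

# Constructed sample export. A real file is UTF-16, so read it with
# open(path, encoding="utf-16") before passing the text in.
SAMPLE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,oracle_em
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeTcbPrivilege = oracle_em
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,oracle_em
[Version]
signature="$CHICAGO$"
Revision=1
"""

def holders(export_text):
    """Map each of the four rights to the principals it is assigned to."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the SeXxx names case-sensitive
    cp.read_string(export_text)
    rights = cp["Privilege Rights"] if cp.has_section("Privilege Rights") else {}
    # A right nobody holds is either absent or has an empty value.
    return {r: [p.strip().lstrip("*") for p in rights.get(r, "").split(",") if p.strip()]
            for r in EM_JOB_RIGHTS}

def audit(export_text, account):
    """Report rights the account lacks and every explicit SeTcbPrivilege holder."""
    held = holders(export_text)
    acct = account.lower()  # Windows account names are case-insensitive
    missing = [EM_JOB_RIGHTS[r] for r, who in held.items()
               if acct not in (p.lower() for p in who)]
    return {"missing": missing, "tcb_holders": held["SeTcbPrivilege"]}

if __name__ == "__main__":
    print(audit(SAMPLE, "oracle_em"))
```
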
