RE: Fw: OT - Getting fired for database oops

From: Tanel Poder <tanel_at_poderc.com>
Date: Wed, 27 May 2009 15:28:19 +0300
Message-ID: <C49E2A8B36BE40809C7976D97B918A16_at_porgand>



Well, the root ownership doesn't prevent you from renaming the original sqlplus/admin directory to something else and cloning that directory back using cp -rp, which would lose the root ownership bit.

If you set the whole tree as owned by root - then you can just clone your whole directory to /tmp and run from there.

Also, there are other tricks like using the LD_PRELOAD env variable to redirect some file opens to your custom files without the application knowing about it.

So setting the root ownership wouldn't be a secure solution, it would be "security by obscurity" at most.

--
Regards,
Tanel Poder
http://blog.tanelpoder.com


> > my favourite would be a preventive control, one which simply does not
> > allow oracle user to change glogin.sql just like that. A drastic but
> > effective implementation is to chown root glogin.sql and make it read
> > only by oracle user (and the world). This would be acceptable because
> > you do not update this file often, only sqlplus reads it every time
>
>
> Good idea, and applicable to a lot of others as well.
> Thanks!
>
> --
> Cheers
> Nuno Souto
> in rainy Sydney, Australia
> dbvision_at_iinet.net.au
> --
> http://www.freelists.org/webpage/oracle-l
>
>
-- http://www.freelists.org/webpage/oracle-l
Received on Wed May 27 2009 - 07:28:19 CDT
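
The point made in the message above, that a root-owned glogin.sql is only as protected as the directories above it, can be checked with a short audit. This is an added example and not part of the original message; the function name `audit_path`, its parameters and the default trusted uid set are assumptions.

```python
import os
import stat
import sys


def audit_path(target, trusted_uids=frozenset({0}), top="/"):
    """Walk from `target` up to `top` and report every component that an
    untrusted account could modify or replace.

    A file owned by root is not protected if any directory above it is owned
    by, or writable by, another account: that account can rename the
    directory and put its own copy in its place.
    Returns a list of (path, reason) tuples; an empty list means no findings.
    """
    path = os.path.realpath(target)
    top = os.path.realpath(top)
    findings = []
    while True:
        st = os.stat(path)
        kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
        if st.st_uid not in trusted_uids:
            findings.append((path, f"{kind} owned by untrusted uid {st.st_uid}"))
        # Conservative: sticky directories such as /tmp are flagged as well.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, f"{kind} is group- or world-writable"))
        parent = os.path.dirname(path)
        if path == top or parent == path:
            break
        path = parent
    return findings


if __name__ == "__main__":
    # Pass the file to audit as the first argument, for example the
    # glogin.sql under the sqlplus/admin directory of the installation.
    # With no argument the script audits its own path as a placeholder.
    target = sys.argv[1] if len(sys.argv) > 1 else __file__
    results = audit_path(target)
    for path, reason in results:
        print(f"{path}: {reason}")
    sys.exit(1 if results else 0)
```

This covers only the file-replacement route; it says nothing about running a copied tree from another location or about LD_PRELOAD, both of which the message also raises.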
