Re: How can I secure 'internal' from root?

In article <Q1MQ1.483$1f.78339_at_news.tpnet.pl>, marckasp_at_friko6.onet.pl says...

>>The company I work for is looking for a way to lock the UNIX SA out of the
>>Oracle database. I can't stop them from su'ing to oracle, but can I get
>>svrmgrl to prompt for a password on internal ... like on NT systems? Can I
>>protect a password file from the SA too?

>Just a short opinion:
>1) you can not protect any Unix file so that it would be unaccessible by
>root
>2) even if you make svrmgrl to ask for a password, root can always
> - kill any processes he wants
> - read or delete any files he wants (including the database files)

I've had a long think about this and discussed it with some colleagues, and we all think it is impossible to protect the database from someone with root privileges, if they have got some idea of what you are doing.

I would say your only option is to sack the Unix SysAdmin and send the DBA on a Unix course (presumably difficult as the Unix SA has committed the heinous crime of being a union member). Relying on someones professional integrity is not an option in this case either?

I'd love to know the name of the company concerned so I can avoid applying for a job in an organisation that has such excellent relations with its staff.

Cheers
Martin

--
Martin Rapier, Database Administrator
Corporate Information & Computing Services. University of Sheffield Tel 0114 222 1137 The opinions expressed here may be those of my employer, or they may not. Received on Fri Oct 02 1998 - 10:28:09 CDT