
Re: root logging as internal

From: Johnny Chan <johnny.chan_at_workmail.com>
Date: 2000/04/04
Message-ID: <38EA8BC1.16C9EC5C@workmail.com>#1/1

I don't see how you can work around this "issue" or even if this is a really valid issue for Oracle.

If someone has the root password on a UNIX box, that person can pretty much do anything he wants, which is why it is absolutely critical that a root password only be given to individuals you can trust.

As exhibited below, a root user can assume the oracle id identity and create oracle id's. The root user can also start rm'ing your database files (doesn't even have to assume the oracle id to do so), in which case you're really, really hosed.

Your issue is not really Oracle's but your SysAdmin's level of access and security. You might want to clamp down on how many people have root passwords or install sudo to provide more limited root abilities to a larger set of users, but prevent the ability to do certain commands (like su or rm).

jc

aanon_1_at_hotmail.com wrote:

> Hello all,
>
> Hopefully there is a workaround to this "issue". However, so far I
> have not been able to resolve it.
>
> Last week one of our UNIX admins took the liberty to log into Oracle
> via the internal account and created himself an Oracle ID. In essence
> he did this
>
> $ su - oracle
>
> $ svrmgrl
>
> svrmgr > connect internal
>
> And he was off to the races. Seeing that this is a gaping hole in our
> security I tried a variety of items including using the orapwd
> utility. I ended up calling Oracle, and they said that since root is a
> special account and can su to anything, they can log into Oracle as
> they see fit.
>
> I'm having a tough time believing this. So...
>
> 1) Is this true?
> 2) If there is a workaround could you pls post it.
>
Received on Tue Apr 04 2000 - 00:00:00 CDT
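
A root-to-oracle switch like the `su - oracle` in the quoted post can at least be made visible by reviewing the su log for sessions into the oracle account; the following is an added example, not part of the original thread. It assumes Solaris-style sulog records (`SU MM/DD HH:MM +|- tty from-to`); the function name, the allow-list parameter and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report su sessions into the Oracle software owner account.
# Assumption: Solaris-style sulog records of the form
#   SU MM/DD HH:MM <+|-> <tty> <from>-<to>

# Constructed sample records (not taken from any real system).
SAMPLE_SULOG='SU 04/03 09:12 + pts/2 jsmith-root
SU 04/03 09:14 + pts/2 root-oracle
SU 04/03 10:01 - pts/4 guest-oracle
SU 04/03 11:30 + pts/5 oracle-root
SU 04/03 13:45 + console dba1-oracle'

# find_su_to TARGET [ALLOWED_CSV]   (hypothetical helper)
# Reads sulog records on stdin and prints one line for every su into TARGET
# whose source user is not in the comma-separated allow-list.
find_su_to() {
    awk -v target="$1" -v allowed="${2:-}" '
        BEGIN {
            n = split(allowed, a, ",")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 == "SU" && NF >= 6 {
            # Field 6 is "<from>-<to>"; split on the last "-".
            if (match($6, /-[^-]*$/) == 0) next
            from = substr($6, 1, RSTART - 1)
            to   = substr($6, RSTART + 1)
            if (to != target || (from in ok)) next
            result = ($4 == "+") ? "success" : "failed"
            printf "%s %s %s->%s tty=%s %s\n", $2, $3, from, to, $5, result
        }'
}

# Report every su into "oracle" except from the expected DBA account "dba1".
printf '%s\n' "$SAMPLE_SULOG" | find_su_to oracle dba1
```

A log kept on the same host can be edited by root, so this review is only meaningful when the records are also forwarded to a system the UNIX admins do not control.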
