Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: root logging as internal

Re: root logging as internal

From: <anon_1_at_my-deja.com>
Date: 2000/04/05
Message-ID: <8cfd7k$mvg$1@nnrp1.deja.com>#1/1 






In article <38EA8BC1.16C9EC5C_at_workmail.com>,
  Johnny Chan <johnny.chan_at_workmail.com> wrote:


>

> I don't see how you can work around this "issue" or even if this is a

> really valid issue for Oracle.

>

> If someone has the root password on a UNIX box, that person can

 pretty much


> do anything he wants, which is why it is absolutely critical that a

 root


> password only be given to individuals you can trust.

>

> As exhibited below, a root user can assume the oracle id identity and

> create oracle id's. The root user can also start rm'ing your database

 files


> (doesn't even have to assume the oracle id to do so), in which case

 you're


> really, really hosed.

>




I'm not so much worried about rming (that would be a CTO - Career
Terminating Offense).  I'm more concerned about them doing subtle items
like creating their own ids, breaking dba standards, and doing things
that could slow down production while it's running - say something like
dbms_utility.analyze_database.  I do not want to have to clean up
behind them.



> Your issue is not really Oracle's but your SysAdmin's level of access

 and


> security. You might want to clamp down on how many people have root

> passwords or install sudo to provide more limited root abilities to a

> larger set of users, but prevent the ability to do certain commands

 (like


> su or rm).

>




Agreed - however (and I do not want this to turn into a flame war),
many of Oracle's competitors solve this by having the SA account
prompted for a password whenever you log in.  It would be impossible to
log in w/o knowing the password.  I was looking for a work around or a
similar feature.



> jc

>

> aanon_1_at_hotmail.com wrote:

>

> > Hello all,

> >

> > Hopefully there is a work around to this "issue".  However, so far I

> > have not been able to resolve it.

> >

> > Last week one of our UNIX admins took the liberty to log into Oracle

> > via the internal account and created himself a Oracle ID.  In

 essence


> > he did this

> >

> > $ su - oracle

> >

> > $ svrmgrl

> >

> > svrmgr > connect internal

> >

> > And he was off to the races.  Seeing that this is a gaping hole in

 our


> > security I tried a variety of items including using the orapwd

> > utility.  I ended up calling Oracle, and they said that since root

 is a


> > special account and can su to anything, they can log into Oracle as

> > they see fit.

> >

> > I'm having a tough time believing this.  So...

> >

> > 1) Is this true?

> > 2) If there is a work around could you pls post it.

> >

>

>





Sent via Deja.com http://www.deja.com/


Before you buy.
Received on Wed Apr 05 2000 - 00:00:00 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US