
Re: Security issue with Oracle 8i

From: Sybrand Bakker <postbus_at_sybrandb.demon.nl>
Date: Fri, 26 Apr 2002 06:56:10 +0200
Message-ID: <73nhcug6q0jbogof3poa4vkl6poofgbs49@4ax.com>


On 25 Apr 2002 17:01:56 -0700, pgomeza_at_adinet.com.uy (Pablo Gomez) wrote:

>Hello:
>
> I have a question about security in an Oracle database. As I know
>when your Unix user belongs to the group "dba" gives you the
>privileges sysdba or sysoper. Thus you can startup, shutdown the
>instance (and other tasks). It also lets you connect via "connect / as
>sysdba" without doing any security check by Oracle than that you
>belong to the "dba" group. In this way you are connecting as Oracle
>user "sys" and then you get access to all the database objects
>(tables, views, ...).
>
> So I think that the Unix administrator of the server can give any
>Unix user the group "dba" (including root) and then connect and get
>access to the database. In this way I don't see separate rights with
>the Unix administrator and the Oracle administrator.
>
> Is this ok? Can I deny access to the Unix administrator, so he must
>have an Oracle user to access the database?
>
> Thanks in advance,
>
> Pablo Gomez
> Twins Informatica
> Montevideo/Uruguay

root by design can already do *everything* including rm-ing your precious database files without even connecting ever to the database. Apparently you don't trust the person(s) using the root account. There are several remarks to this
- the fact someone is logging in with sysdba privilege is automatically tracked in Oracle, not what he/she does
- you can easily disable all *direct* root access, i.e. disallow everyone *logging in* as root, from all connections, *except* the system console
- all su's to root are tracked by the O/S
- the ultimate solution of course is to have the person(s) you don't trust punished and/or fired. However, no system can be managed without putting trust in people.

Regards

Sybrand Bakker, Senior Oracle DBA

To reply remove -verwijderdit from my e-mail address

Received on Thu Apr 25 2002 - 23:56:10 CDT
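The thread turns on OS authentication through the Unix "dba" group, so a review starts with knowing exactly which accounts are in that group. The following is an added example, not part of the original posts: a shell function that lists accounts holding the group either through the group file's member list or through their primary GID in the passwd file (the second case is easy to miss). The function name, account names, GIDs and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Lists every account that is in a
# group (default: dba), as a supplementary member or via its primary GID.
# Usage: dba_os_auth_users GROUP_FILE PASSWD_FILE [GROUP]
dba_os_auth_users() {
    group_file=$1 passwd_file=$2 group=${3:-dba}
    awk -F: -v grp="$group" '
        # First file, group format: name:passwd:gid:member1,member2
        FNR == NR {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        # Second file, passwd format: name:passwd:uid:gid:...
        gid != "" && $4 == gid { print $1 }
    ' "$group_file" "$passwd_file" | sort -u
}

# Constructed sample data: "batch" has dba as its primary group and does
# not appear in the member list of the group file.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/group" <<'EOF'
root:x:0:
oinstall:x:500:oracle
dba:x:501:oracle,jsmith
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
oracle:x:500:500:Oracle owner:/home/oracle:/bin/sh
jsmith:x:1001:100:J Smith:/home/jsmith:/bin/sh
batch:x:1002:501:Batch jobs:/home/batch:/bin/sh
EOF

dba_os_auth_users "$sample_dir/group" "$sample_dir/passwd"
```

On a live host, save the output of `getent group` and `getent passwd` to files and pass those, so accounts from directory services are included.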
