On 25 Apr 2002 17:01:56 -0700, pgomeza_at_adinet.com.uy (Pablo Gomez)
wrote:
>Hello:
>
> I have a question about security in an Oracle database. As far as I
>know, when your Unix user belongs to the group "dba", it gives you the
>privileges sysdba or sysoper. Thus you can startup, shutdown the
>instance (and other tasks). It also lets you connect via "connect / as
>sysdba" without any security check by Oracle other than that you
>belong to the "dba" group. In this way you are connecting as Oracle
>user "sys" and then you get access to all the database objects
>(tables, views, ...).
>
> So I think that the Unix administrator of the server can give any
>Unix user the group "dba" (including root) and then connect and get
>access to the database. In this way I don't see separate rights with
>the Unix administrator and the Oracle administrator.
>
> Is this ok? Can I deny access to the Unix administrator, so he must
>have an Oracle user to access the database?
>
> Thanks in advance,
>
> Pablo Gomez
> Twins Informatica
> Montevideo/Uruguay
root by design can already do *everything* including rm-ing your
precious database files without even connecting ever to the database.
Apparently you don't trust the person(s) using the root account.
There are several remarks to this:
- the fact someone is logging in with sysdba privilege is
automatically tracked in Oracle, not what he/she does
- you can easily disable all *direct* root access, i.e. disallow
everyone *logging in* as root, from all connections, *except* the
system console
- all su's to root are tracked by the O/S
- the ultimate solution of course is to have the person(s) you don't
trust punished and/or fired. However, no system can be managed without
putting trust in people.
Regards
Sybrand Bakker, Senior Oracle DBA
To reply remove -verwijderdit from my e-mail address

Received on Thu Apr 25 2002 - 23:56:10 CDT
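
Since the thread turns on OS group membership being the only check behind "connect / as sysdba", a periodic review of who holds that membership is a natural companion to the tracking described above. The following is an added example, not part of the original posts: `dba_members` and `demo` are hypothetical names, the group name "dba" is taken from the question, and the passwd/group contents are constructed sample data.

```shell
#!/bin/sh
# Added example: list every local account that belongs to the OS group
# granting OS-authenticated SYSDBA ("dba" in the thread above).
# Accounts whose *primary* GID is the group do not appear in the group
# file's member list, so both files must be read.
# Usage: dba_members GROUP [GROUP_FILE] [PASSWD_FILE]
dba_members() {
    grp=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}
    awk -F: -v grp="$grp" '
        # Group file: remember the GID and the supplementary members.
        FILENAME == ARGV[1] {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") seen[m[i]] = "supplementary"
            }
            next
        }
        # Passwd file: accounts whose primary GID is the group.
        gid != "" && $4 == gid { seen[$1] = "primary" }
        END { for (u in seen) print u ":" seen[u] }
    ' "$group_file" "$passwd_file" | sort
}

# Constructed sample files (not real accounts) so the check runs offline.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'root:x:0:' 'dba:x:501:oracle,backup' \
        'users:x:100:' > "$tmp/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'oracle:x:500:501::/home/oracle:/bin/sh' \
        'backup:x:502:100::/home/backup:/bin/sh' \
        'appuser:x:503:501::/home/appuser:/bin/sh' \
        'alice:x:504:100::/home/alice:/bin/sh' > "$tmp/passwd"
    dba_members dba "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

Comparing the output against an approved list on a schedule shows when an account has been added to the group. It reads local files only, so accounts supplied by a directory service are not covered.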