Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Security issue with Oracle 8i

From: Rick Wessman <Rick.WessmanNO_SPAM_at_oracle.com>
Date: 27 Apr 2002 08:19:06 -0700
Message-ID: <aaefha02lc@drn.newsguy.com>


In article <3CCA2EA9.9902C913_at_exesolutions.com>, Daniel says...
>
>Sean M wrote:
>
>> Pablo Gomez wrote:
>> >
>> > Sybrand:
>> >
>> > Thanks for your response to my inquiry. I know that the root user can
>> > do everything, like deleting all data files, but one thing is making
>> > this attack on the database and another is accessing confidential
>> > information. I mean that the CEO of the enterprise trusts his
>> > unix/oracle administrator, but I don't think that he is happy
>> > knowing that you can see all the information.
>>
>> So encrypt the data if it's that sensitive. Otherwise, you're outta
>> luck. If an admin has root on your box, she can do as she pleases.
>> Unless the data is encrypted (whether it's sitting in an Oracle
>> database, a flat file, Sybase, whatever), she can get to it, and there's
>> nothing you can do about it (save maybe running on a trusted OS/database
>> combo, if they even still exist?). It all comes down to trust. If you
>> don't trust the person w/root, encrypt the data. 'course then you have
>> to deal with key management, etc.
>>
>> Regards,
>> Sean
>
>Is there no way in Oracle to force a password entry for SYS if you su to
>oracle?
>
>Daniel Morgan

Here's a way that worked in 8i on Unix. I haven't tried it in 9i.

  1. Select a non-existent group name, e.g. foobar123. Make sure that the sys admin does not know what it is. Otherwise he will just create the entry in /etc/group and add himself to the group.
  2. When installing Oracle, use that group name for the OSDBA and OSOPER groups. Once that's done, SYS will have to be authenticated using a password because the underlying O/S user is not a member of the foobar123 group.
                                   Rick

                                Rick Wessman
                                Oracle Corporation

     The opinions expressed above are mine and do not necessarily reflect
                         those of Oracle Corporation.
Received on Sat Apr 27 2002 - 10:19:06 CDT
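
A check for the caveat in step 1, added here as an example that is not part of the original post: it reports whether the chosen OSDBA group name has since appeared in the group file and which accounts belong to it, including accounts that hold it only as their primary GID in the passwd file. The function name `osdba_group_status` and the sample files (including the `jdoe` account) are constructed for illustration.

```shell
#!/bin/sh
# Added example; osdba_group_status is a hypothetical helper name.
# Usage: osdba_group_status GROUP [GROUP_FILE] [PASSWD_FILE]
# Prints one of:
#   absent               no such group, so SYS still needs a password
#   present-empty        group exists but has no members yet
#   present-members:a,b  these accounts are members of the OSDBA group
osdba_group_status() {
    grp=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}

    # Group file format: name:password:gid:member1,member2
    line=$(awk -F: -v g="$grp" '$1 == g { print; exit }' "$group_file")
    if [ -z "$line" ]; then
        echo "absent"
        return 0
    fi
    gid=$(printf '%s\n' "$line" | cut -d: -f3)
    listed=$(printf '%s\n' "$line" | cut -d: -f4 | tr ',' '\n')

    # Accounts whose primary GID (passwd field 4) matches are members too,
    # even though the group file does not list them.
    primary=$(awk -F: -v id="$gid" '$4 == id { print $1 }' "$passwd_file")

    members=$(printf '%s\n%s\n' "$listed" "$primary" |
        sed '/^$/d' | sort -u | paste -sd, -)
    if [ -z "$members" ]; then
        echo "present-empty"
    else
        echo "present-members:$members"
    fi
}

# Constructed sample data (not from a real host): foobar123 has been created
# with GID 901, oracle is listed in it, and jdoe holds it as primary group.
demo_dir=$(mktemp -d)
printf 'dba:x:500:\nfoobar123:x:901:oracle\n' > "$demo_dir/group"
printf 'oracle:x:500:500::/home/oracle:/bin/sh\n' > "$demo_dir/passwd"
printf 'jdoe:x:1001:901::/home/jdoe:/bin/sh\n' >> "$demo_dir/passwd"
osdba_group_status foobar123 "$demo_dir/group" "$demo_dir/passwd"
rm -rf "$demo_dir"
```

Run on a schedule against the live files, any result other than `absent` for the chosen group name means SYS may no longer be limited to password authentication.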
