
Re: Security issue with Oracle 8i

From: Sean M <smckeown_at_earthlink.net>
Date: Sat, 27 Apr 2002 16:08:12 GMT
Message-ID: <3CCACCDF.A621E379@earthlink.net>


Rick Wessman wrote:
>
> Here's a way that worked in 8i on Unix. I haven't tried it in 9i.
>
> 1. Select a non-existent group name, e.g. foobar123. Make sure that the sys
> admin does not know what it is. Otherwise he will just create the entry in
> /etc/group and add himself to the group.
> 2. When installing Oracle, use that group name for the OSDBA and OSOPER groups.
> Once that's done, SYS will have to be authenticated using a password because the
> underlying O/S user is not a member of the foobar123 group.

Interesting, never thought of that one. But, as root, couldn't I just install my own version of Oracle in my own code tree with a known/valid OSDBA group and still get to the database? Or relink the existing version with different OSDBA and OSOPER groups? Or copy the database to a new host and open it there? Or, if really desperate, run strings on the datafiles and see all the data I care to? OK, I know I'm being a bit facetious, but I'm just trying to make the point to the original poster that root can do as root pleases, and the data isn't safe unless you trust root and/or encrypt. And this really doesn't have anything to do w/Oracle per se - at some point you need to trust people.

Regards,
Sean

Received on Sat Apr 27 2002 - 11:08:12 CDT
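The thread turns on OS authentication: any OS account in the OSDBA group can connect as SYSDBA without a password, and Rick's trick of naming a group that does not exist in /etc/group is what forces password authentication. The script below is an added example, not code from either poster, that audits an /etc/group-format file for a given OSDBA group name and reports its members or that the group is missing. It runs against a sample group file constructed inline; the file path, the group names and the member names are all made up for the example. It does not address Sean's objection, which is the real caveat: on Unix installs of that era the OSDBA group name is compiled into the Oracle binary (via $ORACLE_HOME/rdbms/lib/config.c), so root can relink with a different group or copy the datafiles elsewhere, and this check only tells you who can bypass the password given the existing binary.

```shell
#!/bin/sh
# Added example (not from the original post): list the OS accounts that belong
# to the OSDBA group, i.e. who can 'connect / as sysdba' with no password.
# Usage: osdba_members GROUPFILE GROUPNAME
# Prints a comma-separated member list, or MISSING when the group is not
# defined at all (the situation Rick describes above). Always returns 0 so the
# caller can compare the output.
osdba_members() {
    groupfile=$1
    groupname=$2
    line=$(grep -- "^${groupname}:" "$groupfile" | head -n 1)
    if [ -z "$line" ]; then
        echo MISSING
    else
        # /etc/group fields: name:password:gid:member,member,...
        echo "$line" | cut -d: -f4
    fi
    return 0
}

# Writes a constructed /etc/group sample to the given path (sample data only).
write_sample_group() {
    cat > "$1" <<'EOF'
root:x:0:
dba:x:500:oracle,alice
oinstall:x:501:oracle
EOF
}

# Stand-alone run against the constructed sample.
SAMPLE_GROUP=$(mktemp)
write_sample_group "$SAMPLE_GROUP"
osdba_members "$SAMPLE_GROUP" dba          # oracle,alice: these accounts get SYSDBA without a password
osdba_members "$SAMPLE_GROUP" foobar123    # MISSING: SYS must authenticate with a password
rm -f "$SAMPLE_GROUP"
```

On a real host you would run `osdba_members /etc/group dba` (or whatever group the installation was configured with) and treat every account listed, plus root, as a SYSDBA-equivalent account when reviewing access.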
