
Re: Security issue with Oracle 8i

From: Rick Wessman <Rick.WessmanNO_SPAM_at_oracle.com>
Date: 29 Apr 2002 04:56:54 -0700
Message-ID: <aajce60c8t@drn.newsguy.com>


In article <3CCACCDF.A621E379_at_earthlink.net>, Sean says...
>
>Rick Wessman wrote:
>>
>> Here's a way that worked in 8i on Unix. I haven't tried it in 9i.
>>
>> 1. Select a non-existent group name, e.g. foobar123. Make sure that the sys
>> admin does not know what it is. Otherwise he will just create the entry in
>> /etc/group and add himself to the group.
>> 2. When installing Oracle, use that group name for the OSDBA and OSOPER groups.
>> Once that's done, SYS will have to be authenticated using a password because the
>> underlying O/S user is not a member of the foobar123 group.
>
>Interesting, never thought of that one. But, as root, couldn't I just
>install my own version of Oracle in my own code tree with a known/valid
>OSDBA group and still get to the database? Or relink the existing
>version with different OSDBA and OSOPER groups? Or copy the database to
>a new host and open it there? Or, if really desperate, run strings on
>the datafiles and see all the data I care to? OK, I know I'm being a
>bit facetious, but I'm just trying to make the point to the original
>poster that root can do as root pleases, and the data isn't safe unless
>you trust root and/or encrypt. And this really doesn't have anything to
>do w/Oracle per se - at some point you need to trust people.
>
>Regards,
>Sean

You are correct that root could compromise the database no matter what. This technique just provides one more obstacle for an unscrupulous admin.

                                           Rick

                                Rick Wessman
                                Oracle Corporation

     The opinions expressed above are mine and do not necessarily reflect
                         those of Oracle Corporation.
Received on Mon Apr 29 2002 - 06:56:54 CDT
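
An audit check for the technique discussed in this thread, as an added example that is not part of the original posts or of any Oracle tooling: it reports which accounts belong to the group named as OSDBA/OSOPER, so a DBA can confirm that the group still has no entry and no members and that SYS therefore still needs a password. The function names, the sample accounts and the sample file contents are constructed for illustration; `foobar123` is the group name used in the post, and the check also counts accounts whose primary GID is that group, which a look at the member list alone would miss.

```shell
#!/bin/sh
# Added example: audit membership of the group chosen as OSDBA/OSOPER.
# Usage: osdba_members GROUP GROUP_FILE PASSWD_FILE
# Prints every account that is in GROUP, either as a supplementary member
# (group file, field 4) or through its primary GID (passwd file, field 4).
osdba_members() {
    grp=$1 gfile=$2 pfile=$3
    # Find the group's entry; with no entry nobody can be a member.
    line=$(awk -F: -v g="$grp" '$1 == g { print; exit }' "$gfile")
    [ -n "$line" ] || return 0
    gid=$(printf '%s\n' "$line" | cut -d: -f3)
    {
        # Supplementary members: comma-separated fourth field.
        printf '%s\n' "$line" | cut -d: -f4 | tr ',' '\n'
        # Accounts whose primary GID is this group.
        awk -F: -v id="$gid" '$4 == id { print $1 }' "$pfile"
    } | sed '/^$/d' | sort -u
}

# Succeeds when the group has no entry or no members, i.e. no O/S account
# can use group membership to authenticate as SYS.
osdba_closed() {
    [ -z "$(osdba_members "$@")" ]
}

# Constructed sample data: someone has created foobar123 and added root to
# it, the situation step 1 of the post warns about.
tmp=$(mktemp -d)
printf 'root:x:0:\ndba:x:501:oracle\nfoobar123:x:777:root\n' > "$tmp/group"
printf 'root:x:0:0::/root:/bin/sh\noracle:x:500:501::/home/oracle:/bin/sh\n' > "$tmp/passwd"
if osdba_closed foobar123 "$tmp/group" "$tmp/passwd"; then
    echo "foobar123: no entry or no members, SYS needs a password"
else
    echo "foobar123 has members: $(osdba_members foobar123 "$tmp/group" "$tmp/passwd" | tr '\n' ' ')"
fi
rm -rf "$tmp"
```

On a real host the arguments would be `/etc/group` and `/etc/passwd`; as the reply above concedes, this only detects the simplest bypass and does nothing against the other routes available to root.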
