Oracle FAQ Your Portal to the Oracle Knowledge Grid
Newsgroups: c.d.o.server

Re: Security issue with Oracle 8i

From: Daniel Morgan <dmorgan_at_exesolutions.com>
Date: Mon, 29 Apr 2002 16:17:08 GMT
Message-ID: <3CCD7201.3369119@exesolutions.com>


Rick Wessman wrote:

> In article <3CCACCDF.A621E379_at_earthlink.net>, Sean says...
> >
> >Rick Wessman wrote:
> >>
> >> Here's a way that worked in 8i on Unix. I haven't tried it in 9i.
> >>
> >> 1. Select a non-existent group name, e.g. foobar123. Make sure that the sys
> >> admin does not know what it is. Otherwise he will just create the entry in
> >> /etc/group and add himself to the group.
> >> 2. When installing Oracle, use that group name for the OSDBA and OSOPER groups.
> >> Once that's done, SYS will have to be authenticated using a password because the
> >> underlying O/S user is not a member of the foobar123 group.
> >
> >Interesting, never thought of that one. But, as root, couldn't I just
> >install my own version of Oracle in my own code tree with a known/valid
> >OSDBA group and still get to the database? Or relink the existing
> >version with different OSDBA and OSOPER groups? Or copy the database to
> >a new host and open it there? Or, if really desperate, run strings on
> >the datafiles and see all the data I care to? OK, I know I'm being a
> >bit facetious, but I'm just trying to make the point to the original
> >poster that root can do as root pleases, and the data isn't safe unless
> >you trust root and/or encrypt. And this really doesn't have anything to
> >do w/Oracle per se - at some point you need to trust people.
> >
> >Regards,
> >Sean
> You are correct that root could compromise the database no matter what. This
> technique just provides one more obstacle for an unscrupulous admin.
>
> Rick
>
> Rick Wessman
> Oracle Corporation
>
> The opinions expressed above are mine and do not necessarily reflect
> those of Oracle Corporation.

Thank you Rick. The solution is brilliant. Primarily because I can't think of a single sysadmin (no disparagement intended) who would care enough to look for a workaround. They would just assume it was the way Oracle worked ... always asking for a password they didn't have.

Daniel Morgan

Received on Mon Apr 29 2002 - 11:17:08 CDT
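As an added example, not posted by anyone in this thread, a POSIX shell check for the effect Rick's trick depends on: read the OSDBA group an 8i Unix install was built with and decide whether a given OS user would pass OS authentication as SYSDBA or be forced to a password. The `$ORACLE_HOME/rdbms/lib/config.c` file and its `SS_DBA_GRP` define are assumed from the 8i/9i Unix build layout, and the group file and config contents are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread. Decides whether an OS user would
# pass Oracle 8i OS authentication ("connect / as sysdba") for a given OSDBA
# group, or be forced to supply a password, which is the effect the
# non-existent-group trick relies on.

# Pull the OSDBA group an 8i Unix install was built with. The file
# $ORACLE_HOME/rdbms/lib/config.c and its SS_DBA_GRP define are assumed
# here from the 8i/9i Unix build layout; pass the path as $1.
configured_osdba_group() {
    sed -n 's/^#define[[:space:]]*SS_DBA_GRP[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# osdba_mode GROUP USER GROUPFILE
# Prints "os" when USER is listed as a member of GROUP in GROUPFILE, and
# "password" when GROUP is absent or USER is not a member. Only the member
# list in the group file is consulted; a user whose primary group (from the
# passwd file) is GROUP would also pass OS auth, so a full audit checks that too.
osdba_mode() {
    group=$1; user=$2; gfile=$3
    members=$(awk -F: -v g="$group" '$1 == g { print $4; f = 1; exit } END { exit !f }' "$gfile") || {
        echo password; return 0; }
    case ",$members," in
        *",$user,"*) echo os ;;
        *)           echo password ;;
    esac
}

# Constructed sample files (not real system data) so the check runs offline.
GROUPFILE=$(mktemp); CONFIG=$(mktemp)
trap 'rm -f "$GROUPFILE" "$CONFIG"' EXIT
cat > "$GROUPFILE" <<'EOF'
root:x:0:
dba:x:500:oracle,alice
oinstall:x:501:oracle
EOF
cat > "$CONFIG" <<'EOF'
#define SS_DBA_GRP "foobar123"
#define SS_OPER_GRP "foobar123"
EOF

# With a conventional "dba" group the oracle user gets OS auth; with the
# install built against the non-existent foobar123 group, nobody does.
echo "dba/oracle       -> $(osdba_mode dba oracle "$GROUPFILE")"
grp=$(configured_osdba_group "$CONFIG")
echo "$grp/oracle -> $(osdba_mode "$grp" oracle "$GROUPFILE")"
```

Point `configured_osdba_group` at the real `config.c` and `osdba_mode` at the live `/etc/group` to audit an actual install.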
