Re: Prevent Root access from database
PhilB wrote:
> You can still connect to the db and start it up using a password file
> rather than connecting using OS authentication, but the key thing is it
> forces you to enter the password.
>
> True, root could still create the groups. We could remove the config.s
> file as once oracle is relinked it's no longer required, so then the
> groups would have to be guessed at, but this brings us back to my
> original point about root being able to do pretty much anything - the
> solution is still flawed.
>
Also, root can easily create a new password file (of course, the orapwd
utility can be removed from your system as well, but it is not a problem
to copy it from another host) to gain unauthorized access to the
database. The main idea seems to me very much like restricting the DBA
from accessing the database. I think the starting point is completely
wrong - it is not the system account root that should be restricted (or
you take the risk of losing a large degree of functionality in your
system); only access to this system account should be restricted (for
that purpose some strategies can be implemented - radius, kerberos, or
even disabling remote access and letting the key to the server room be
kept by the CEO, so he can personally carry out any kind of system
maintenance).
Paranoia is not so wrong in some cases, but at a certain point you must
recognize that you should trust somebody (at least as long as you don't
have 100% self-managed systems).
Of course, all said above is only my personal opinion...
Best regards
Maxim

Received on Mon Jul 25 2005 - 10:21:00 CDT