Re: Anyway to allow root to 'sqlplus / as sysdba'??
Well, to monitor over 2000 instances. We use PowerBroker and a few other auditing tracking implementations. Our problem stems from some stuff that uses raw socket I/O. Believe me, I have been writing software for 15 years, I have tried all the usual work-arounds. Denying root access was hard-coded in Oracle 7.x/8.x/9.x but I thought I read where Oracle was changing this. (maybe with 11)
And letting root have sqlplus access is no more dangerous than letting the oracle user, since everything is owned by oracle, that user can be just as damaging. (after all, this is UNIX) It boils down to writing secure robust code. If your security policy revolves around simply not letting root use sqlplus directly, you have bigger problems to worry about. Otherwise why is this allowed:
/sbin/su - oracle -c /path/to/my/script/that/drops/all/SYS/objects
Or this:
/sbin/su - oracle -c /tmp/script_that_deletes_a_datafile
How are those more secure?
Furthermore, why can root login interactively with a password?
The only issue here is how raw socket I/O is handled on pseudo tty's. What we are trying to do is actually _more_ secure than the /sbin/su method.
And I highly recommend you take remedial security. Unless you wanna post some arguments to your claim.
Received on Thu Nov 24 2005 - 08:24:49 CST