
Re: file permission problem - 10g client on solaris

From: DA Morgan <damorgan_at_psoug.org>
Date: Mon, 23 Jul 2007 06:45:03 -0700
Message-ID: <1185198304.8312@bubbleator.drizzle.com>


sybrandb wrote:
> On Jul 23, 2:09 am, DA Morgan <damor..._at_psoug.org> wrote:
>> sybra..._at_hccnet.nl wrote:
>>> On Sun, 22 Jul 2007 07:58:35 -0700, DA Morgan <damor..._at_psoug.org>
>>> wrote:
>>>> There is no reason anyone other than the unix user oracle should
>>>> be directly accessing executables on the server unless the object is to
>>>> compromise system security and render any reasonable interpretation of
>>>> auditing moot.
>>> Actually it is just the opposite. Forcing Unix users to use oracle or
>>> to su to oracle poses a security risk. We had an issue once where
>>> 'someone' deleted the passwordfile and the init.ora of several
>>> databases. Only the unix user oracle could access the database.
>>> *Everyone* knew the password.
>> My point exactly. There are only two people who should ever be able to
>> access an Oracle server ... the operating system SA and the DBA. Thus
>> no one else needs access to anything on the machine except via SQL*NET
>> or a secure and tested interface.
>>
>> If an organization is sloppy with respect to who has the userid/pwd
>> for either the root or oracle then they deserve what they get. Changing
>> permission of operating system files will not save anyone from flagrant
>> stupidity: Firing those that share passwords will.
>> --
>> Daniel A. Morgan
>> University of Washington
>> damor..._at_x.washington.edu (replace x with u to respond)
>> Puget Sound Oracle Users Group www.psoug.org
>
> You are still not getting it. Is it my English? What I'm trying to
> explain is there are situations where multiple administrators are
> unavoidable (one reason for that is that no one works 7 x 24).
> Using the oracle account for normal administration is dangerous and
> even Oracle warns against this in the documentation. The obvious
> reason for this is the oracle account is, *without* changing any
> permission, capable of deleting any oracle file.
> This is why you shouldn't use oracle to administer the database, and
> you definitely shouldn't allow telnet or ssh access to oracle.
> Preferably you shouldn't allow everyone to su to oracle. Yet in my
> situation this is unavoidable. Because if I don't allow this I will
> need to maintain the system 365 (or 366) times 7 times 24 hours per
> year.
> As SYSDBA operations are audited, it is actually advantageous to have
> multiple accounts: it allows you to put blame.
>
> --
> Sybrand Bakker
> Senior Oracle DBA

Your English is excellent and yet we are still not quite connecting.

I agree that multiple administrators are the rule, not the exception. But I can administer Oracle (think 10g now, where the new security is being enforced) using multiple DBA accounts and tools such as DBMS_SCHEDULER and OEM Grid; it is very rare that anyone needs to log on as oracle.

In fact, sitting here (admittedly it is only 6:40am and I just woke up), I am trying to come up with a list of regular tasks, not exceptions, where I would ever need the unix oracle account login. Not coming up with one. Maybe when I wake up more. <g>

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org
Received on Mon Jul 23 2007 - 08:45:03 CDT
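An added example, not from either poster: Sybrand's argument is that when several people must su to the shared oracle account, accountability has to come from attributing each switch to the originating Unix user. This POSIX shell script does that attribution over Solaris-style su log lines; the /var/adm/sulog line format ("SU MM/DD HH:MM +|- tty from-to") is assumed, the sample lines and user names are constructed, and user names containing a hyphen are not handled.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed Solaris sulog format:
#   SU MM/DD HH:MM + tty from-to     ('+' = success, '-' = failure)
# Sample log lines below are constructed for illustration.
SULOG_SAMPLE='SU 07/22 07:58 + pts/3 sybrand-oracle
SU 07/22 08:10 - pts/4 intern-oracle
SU 07/22 08:11 + pts/4 intern-oracle
SU 07/23 02:09 + pts/1 dmorgan-oracle
SU 07/23 06:40 + pts/2 sybrand-oracle
SU 07/23 06:45 + pts/5 dmorgan-root'

# Read log text on stdin; print "count user" for every Unix account that
# successfully switched to $1, most frequent first. This is the record
# that lets you attribute a change made as oracle to a real person.
su_to_account() {
    awk -v target="$1" '
        $1 == "SU" && $4 == "+" {
            # field 6 is "from-to"; names with a hyphen would break this
            n = split($6, pair, "-")
            if (n == 2 && pair[2] == target) count[pair[1]]++
        }
        END { for (u in count) print count[u], u }' | sort -rn
}

# Read log text on stdin; print the number of failed attempts to become
# $1. Repeated failures against a shared account are worth alerting on.
failed_su_to_account() {
    awk -v target="$1" '
        $1 == "SU" && $4 == "-" {
            split($6, pair, "-")
            if (pair[2] == target) n++
        }
        END { print n + 0 }'
}

# Run directly: summarise the constructed sample for the oracle account.
echo "Successful su to oracle, by originating user:"
printf '%s\n' "$SULOG_SAMPLE" | su_to_account oracle
echo "Failed attempts: $(printf '%s\n' "$SULOG_SAMPLE" | failed_su_to_account oracle)"
```

Pipe a real sulog through the two functions instead of the sample to get the same per-user summary for a live host.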
