 


Re: Project lockdown - opinion solicitation

From: HansF <fuzzy.greybeard_at_gmail.com>
Date: Sun, 26 Aug 2007 17:27:17 -0700
Message-ID: <1188174437.537437.208170@m37g2000prh.googlegroups.com>


On Aug 24, 11:31 am, EdStevens <quetico_..._at_yahoo.com> wrote:
> On advice last week, I have downloaded the "Project Lockdown" document
> and begun reviewing it. I get a very uneasy feeling about his
> suggestion to remove the SUID bit from the Oracle executables.

I don't quite understand why people are scared of setUID without defining the context. SUID to ROOT - yes, that is dangerous, but SUID to Oracle?

The SUID-oracle capability says "people do not need to log on to the Oracle userid to be able to administer the Oracle environment. We can log and audit that external usage very well both at the OS and the Oracle level, and this way we also have non-repudiation by ensuring that all administrators use their own account."

It seems to me that the people making the recommendations might be using the "I heard about this and therefore it must be bad" decision making process rather than understanding the technology involved. As with all Rules of Thumb - if the assumptions are not known, then it is easy for the rule to slide to rot.

(I'd almost be willing to bet it's an auditor recommendation around SOX.) /Hans

--
Hans Forbrich   (mailto: Fuzzy.GreyBeard_at_gmail.com)
*** Feel free to correct me when I'm wrong!
*** Top posting [replies] guarantees I won't respond.
Received on Sun Aug 26 2007 - 19:27:17 CDT
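The distinction Hans draws above (setuid to root versus setuid to the oracle account) is easy to check for on a real host. The script below is an added example, not code from the original thread or from the Project Lockdown document: it takes a listing of owner, octal mode and path for each file under an Oracle binary directory and reports which files are setuid, and to whom. The sample listing embedded in it is constructed for illustration, the paths are hypothetical, and the `find -printf` format assumed by `audit_suid_dir` is GNU find specific.

```shell
#!/bin/sh
# Added example: classify setuid executables by the account they escalate to.
# Input: one "OWNER MODE PATH" line per file, MODE in octal as printed by
# GNU find's %m (e.g. 6751 for setuid+setgid, 751 with no special bits).

# classify_suid reads "owner mode path" lines on stdin and prints one verdict
# per line: SUID-ROOT, SUID-<owner>, or NOSUID, followed by the path.
classify_suid() {
    while read -r owner mode path; do
        [ -z "$path" ] && continue
        # The setuid bit is value 4 in the leading (special) octal digit, so a
        # four-digit mode whose first digit is 4..7 has setuid set.
        case "$mode" in
            [4567]???) suid=1 ;;
            *)         suid=0 ;;
        esac
        if [ "$suid" -eq 0 ]; then
            printf 'NOSUID %s\n' "$path"
        elif [ "$owner" = "root" ]; then
            printf 'SUID-ROOT %s\n' "$path"
        else
            printf 'SUID-%s %s\n' "$owner" "$path"
        fi
    done
}

# audit_suid_dir runs the classifier over a real directory (typically
# "$ORACLE_HOME/bin"). Requires GNU find for -printf; on other systems
# substitute an equivalent "owner mode path" producer such as stat.
audit_suid_dir() {
    find "$1" -type f -printf '%u %m %p\n' | classify_suid
}

# Constructed sample listing (hypothetical paths, not a real host):
SAMPLE_LISTING='oracle 6751 /opt/oracle/bin/oracle
root 4755 /usr/bin/passwd
oracle 751 /opt/oracle/bin/sqlplus'

# Demonstration on the constructed sample; only SUID-ROOT entries are the
# ones the "setuid is dangerous" rule of thumb is really about.
printf '%s\n' "$SAMPLE_LISTING" | classify_suid
```

Run `audit_suid_dir "$ORACLE_HOME/bin"` as any user who can read the directory; lines tagged `SUID-oracle` are the ones the Lockdown advice would strip, and the question Hans raises is whether that buys anything when the escalation target is an unprivileged application account rather than root.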

