Re: Start/Stop of DB by root

From: Frank M. Guerra <guerra_at_heracles.tis.llnl.gov>
Date: 18 Mar 93 21:47:31 GMT
Message-ID: <1oaqlj$9q_at_lll-winken.llnl.gov>


In article <50300002_at_tisdec.tis.tandy.com> chris_at_tisdec.tis.tandy.com writes:

[ original complaint deleted]

->Some Einstein at ORACLE decided to take a security issue away from the
->SYSTEM's ADMINISTRATOR and lock out any account that also belongs to
->the DAEMON group. There may be other groups that _THEY_ have decided
->to be unsafe for a DBA administrator to belong to, but this one they
->admit to adding in 6.0.3x. But they failed to document it anywhere.
->
->It is not the software's job to decide not to let someone have privileges
->based on other NON-associated groups, but it is acceptable to deny access
->if you are not in a particular group.
->
->There are two workarounds for this DEBACLE:
->
-> 1) Remove root from the daemon group.
-> 2) add authorized users to the dba group.
-> (in the rc.local scripts su to oracle)
->
->And most definitely HARASS, HARASS, HARASS ORACLE about this FUBAR mistake.
->
->I would recommend doing the SU trick in /etc/rc.local even if ORACLE
->had not taken it upon themselves to secure the system.

Woah there. I don't consider this "a trick" since this is what 6.0.30 "Installation and User's Guide" manual recommends (page 4-4 if you want to look.) I also recall reading somewhere else (though I could be wrong here) that Oracle doesn't recommend including root in the DBA group. I do understand the frustration concerning a user being in both the DBA and DAEMON groups, but for part-time DBAs like myself (I'm DBA because no one else wants to be), it seems that some of these suggestions are to keep us from shooting ourselves in the foot.

If you don't do something the way someone else tells you to do it, do you think you should really complain if you do it another way and it doesn't work the way they said it would if you had done it the way they told you to do it in the first place? :)

Frank

Received on Thu Mar 18 1993 - 22:47:31 CET
