Message-ID: <F001.005CDC19.20030828082926@fatcity.com>
Date: Thu, 28 Aug 2003 08:29:26 -0800
To: Multiple recipients of list ORACLE-L <ORACLE-L@fatcity.com>
From: DENNIS WILLIAMS <DWILLIAMS@LIFETOUCH.COM>
Subject: RE: How to keep "root" out?

Walter
   You may be able to approach this from a security aspect. You could
discuss with your management whether it is a good idea for the system
administrators to be in a database. Depending on the security or SLA
requirements of the database, you may have some leverage there.



Dennis Williams 
DBA, 80%OCP, 100% DBA 
Lifetouch, Inc. 
dwilliams@lifetouch.com 

-----Original Message-----
Sent: Thursday, August 28, 2003 11:10 AM
To: Multiple recipients of list ORACLE-L


Well, first of all, root should not be in your dba group...

-----Original Message-----
Sent: Thursday, August 28, 2003 8:34 AM
To: Multiple recipients of list ORACLE-L


Just for grins, I'll ask this question... Is there any way to keep the Unix
"root" user from logging into the database (i.e. connect internal or / as
sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
 
We have a couple people in our Unix admin group that feel the need to "help"
by writing their own DB monitoring scripts. Of course, they don't know what
they're talking about. They do not have formal logins for the database, but
since they are root users they are connecting via "connect internal". This
is not only counterproductive but actually a potential security issue--just
because someone has root doesn't necessarily entitle them to see the data in
the database. What if it is a payroll database?
 
So, I'm curious, is there any way to prevent access via "connect internal"
or "/ as sysdba"?
 
Thanks in advance.
 
W

