RE: How to keep "root" out?

From: Goulet, Dick <DGoulet_at_vicr.com>
Date: Thu, 28 Aug 2003 10:14:26 -0800
Message-ID: <F001.005CDC5F.20030828101426@fatcity.com>

Now, I use to know a Unix admin who did exactly that thinking he was in a private subdirectory. He spent the following 36 hours rebuilding the server & restoring the database, after that he tried to explain what happen for another 3 hours to the powers that be, and the remainder of the day cleaning out his desk.

Moral: Do not login as "root" unless you absolutely have to.

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

-----Original Message-----

Sent: Thursday, August 28, 2003 12:24 PM To: Multiple recipients of list ORACLE-L

"rm -r *" at root.

:>

-----Original Message-----

Peter.McLarty_at_mincom.com
Sent: 28 August 2003 17:10
To: Multiple recipients of list ORACLE-L

Sadly for you there is no way to stop them using it, you could check and see of root is part of the dba group and have a sysadmin remove it. and if you succeed then they need only to su - oracle and they can still do it, this may then if configured show up in a su log.

I think you need to firstly discuss it with them and then if the response is unsuitable you need to document the facts and present it to your manager for him to determine what is acceptable.

Tough one to call

Cheers

--

---

Peter McLarty               E-mail: Peter.Mclarty_at_mincom.com
Technical Consultant        WWW: http://www.mincom.com
APAC Technical Services     Phone: +61 (0)7 3303 3461
Brisbane,  Australia        Mobile: +61 (0)402 094 238
                            Facsimile: +61 (0)7 3303 3048
=================================================

"If people did not sometimes do silly things, nothing intelligent would ever
get done."

• Ludwig Wittgenstein

  ---

  Mincom "The People, The Experience, The Vision"

  ---

This transmission is for the intended addressee only and is confidential information. If you have received this transmission in error, please delete it and notify the sender. The contents of this e-mail are the opinion of the writer only and are not endorsed by the Mincom Group of companies unless expressly stated otherwise.

Walter K <ora1034_at_sbcglobal.net>
Sent by: ml-errors_at_fatcity.com
29/08/2003 01:34 AM
Please respond to ORACLE-L  

        To:     Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
        cc: 
        Subject:        How to keep "root" out?

Just for grins, I'll ask this question... Is there any way to keep the Unix "root" user from logging into the database (i.e. connect internal or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.  

We have a couple people in our Unix admin group that feel the need to "help" by writing their own DB monitoring scripts. Of course, they don't know what they're talking about. They do not have formal logins for the database, but since they are root users they are connecting via "connect internal". This is not only counterproductive but actually a potential security issue--just because someone has root doesn't necessarily entitle them to see the data in the database. What if it is a payroll database?  

So, I'm curious, is there any way to prevent access via "connect internal" or "/ as sysdba"?  

Thanks in advance.  

W

--

Please see the official ORACLE-L FAQ: http://www.orafaq.net
--

Author:
  INET: Peter.McLarty_at_mincom.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services


---------------------------------------------------------------------

To REMOVE yourself from this mailing list, send an E-Mail message

to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
---

Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 19/08/2003

---

Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 19/08/2003

--

Please see the official ORACLE-L FAQ: http://www.orafaq.net
--

Author: Mark Leith
  INET: mark_at_cool-tools.co.uk

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services


---------------------------------------------------------------------

To REMOVE yourself from this mailing list, send an E-Mail message

to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).

--

Please see the official ORACLE-L FAQ: http://www.orafaq.net
--

Author: Goulet, Dick
  INET: DGoulet_at_vicr.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services


---------------------------------------------------------------------

To REMOVE yourself from this mailing list, send an E-Mail message

to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). Received on Thu Aug 28 2003 - 13:14:26 CDT