Oracle FAQ Your Portal to the Oracle Knowledge Grid


RE: How to keep "root" out?

From: Goulet, Dick <>
Date: Thu, 28 Aug 2003 10:24:26 -0800

Having been there, I'll agree with Jonathan Gennick on this issue. First off, try to talk to the folks & let them know that they're meddling where they should not be. That worked with one sys admin I have. Failing that, which I have, follow Jonathan's advice & give them a "safe" login that they can then use. In my case the sys admin found that he really did not know what he was doing & stopped snooping. In another sys admin's case he did make changes, only to have the DB cease functioning, at which time management was more than willing to "take care of it". I love having someone else be the "bad guy".

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

-----Original Message-----
Sent: Thursday, August 28, 2003 12:50 PM
To: Multiple recipients of list ORACLE-L


Unfortunately, there is no way. You can prevent root from connecting as sysdba by removing the dba group from root userid; but hey, root can "root" it again; he is root, remember, omnipotent.  

Even if that is successful, he can connect to any dba account, such as "oracle" using "su -" and then connect as sysdba. Worse, they can connect to _any_ dba user, not necessarily "oracle", and your audit logs will show as if coming from that user.  

Therefore the issue is more serious than it sounds, and you should approach it from the managerial level. Take the dba group out of the root userid and establish ground rules that the dba group is never allowed to any user without the DBA's request. If they continue to do "su - oracle", make them aware that this operation is impersonation, and may be deemed illegal. They will listen to that word!

HTH.   Arup    

Just for grins, I'll ask this question... Is there any way to keep the Unix "root" user from logging into the database (i.e. connect internal or / as sysdba)? Currently using on Solaris 8 here.  

We have a couple people in our Unix admin group that feel the need to "help" by writing their own DB monitoring scripts. Of course, they don't know what they're talking about. They do not have formal logins for the database, but since they are root users they are connecting via "connect internal". This is not only counterproductive but actually a potential security issue--just because someone has root doesn't necessarily entitle them to see the data in the database. What if it is a payroll database?  

So, I'm curious, is there any way to prevent access via "connect internal" or "/ as sysdba"?  

Thanks in advance.  



Received on Thu Aug 28 2003 - 13:24:26 CDT
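The thread's two ground rules (no dba group membership without the DBA's request, and no "su - oracle" by the Unix admins) can be checked mechanically. The script below is an added example, not part of the original messages: it lists every account holding the dba group and flags successful su entries into those accounts. The sample data, the approved list and the function names are constructed for illustration; the log lines follow the Solaris `/var/adm/sulog` layout.

```shell
#!/bin/sh
# Constructed sample data (not from the thread), in /etc/group, /etc/passwd
# and Solaris /var/adm/sulog layout.
SAMPLE_GROUP='root::0:root
dba::101:oracle,root
staff::10:'
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/sbin/sh
oracle:x:1001:101:Oracle owner:/export/home/oracle:/bin/ksh
appdba:x:1002:101:App DBA:/export/home/appdba:/bin/ksh
jdoe:x:1003:10:Unix admin:/export/home/jdoe:/bin/ksh'
SAMPLE_SULOG='SU 08/28 09:03 + pts/2 root-oracle
SU 08/28 09:40 - pts/4 jdoe-oracle
SU 08/28 10:15 + pts/5 root-appdba
SU 08/28 11:00 + pts/1 appdba-oracle'
APPROVED='oracle appdba'   # hypothetical list the DBAs signed off on

# dba_members GROUP_TEXT PASSWD_TEXT [GROUP]: accounts holding the group as a
# supplementary member or through their primary GID.
dba_members() {
    { printf '%s\n' "$1" | sed 's/^/G:/'; printf '%s\n' "$2" | sed 's/^/P:/'; } |
    awk -F: -v grp="${3:-dba}" '
        $1 == "G" && $2 == grp { gid = $4; n = split($5, m, ",")
                                 for (i = 1; i <= n; i++) print m[i] }
        $1 == "P" && gid != "" && $5 == gid { print $2 }' | sort -u
}

# unexpected_members MEMBERS APPROVED: group holders the DBAs never requested.
unexpected_members() {
    for u in $1; do
        case " $2 " in *" $u "*) ;; *) printf '%s\n' "$u" ;; esac
    done
}

# flag_su SULOG_TEXT PROTECTED APPROVED: successful ("+") su into a protected
# account by a user outside the approved list. Assumes no "-" in user names.
flag_su() {
    printf '%s\n' "$1" | awk -v prot="$(echo $2)" -v ok="$3" '
        BEGIN { n = split(prot, a, " "); for (i = 1; i <= n; i++) p[a[i]] = 1
                n = split(ok, b, " ");   for (i = 1; i <= n; i++) o[b[i]] = 1 }
        $1 == "SU" && $4 == "+" {
            split($6, u, "-")   # sixth field is from-to
            if ((u[2] in p) && !(u[1] in o)) print $2, $3, u[1] "->" u[2] }'
}

members=$(dba_members "$SAMPLE_GROUP" "$SAMPLE_PASSWD")
echo "unrequested dba holders: $(unexpected_members "$members" "$APPROVED")"
flag_su "$SAMPLE_SULOG" "$members" "$APPROVED"
```

Because root can rewrite any local file, a check like this is only evidence if the group file and sulog are reviewed from copies held off the host.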
