Re: DBAs running root.sh

From: Matthew Zito <matt_at_crackpotideas.com>
Date: Mon, 3 Feb 2014 12:45:41 -0500
Message-ID: <CAJ7936wERZS5mGvZWa1AuXdJRqQ1FOPmD1vAzZx+=1kEtZJY=w_at_mail.gmail.com>

Unfortunately, no, sudo cannot do this, though there are commercial tools that can. The issue is that when sudo runs a shell script, it's opaque to the sudo command - sudo just spins up a subshell and execs the script, and from there it doesn't care.

The way I've seen organizations deal with this:

  • admit the fact that since the only thing that really matters on database servers is the database, they let DBAs have sudo access to root entirely
  • they have sysadmins run root.sh, which stinks for everyone, especially on RAC. They also choose not to think about the fact that any DBA could have changed the root.sh script to do something malicious, as they never check
  • they have DBAs have sudo access to root.sh, and pretend not to notice that this gives DBAs the keys to the kingdom
  • they use a product that automates the installation of database environments that runs the root.sh for them in a controlled environment and prevents users from maliciously doing things as root (disclosure: I made one of those products, so I have a certain bias)

There's no ideal solution - you pay a penalty in security, governance, time/complexity, and/or cost.

Matt

On Mon, Feb 3, 2014 at 12:37 PM, Chris Taylor <christopherdtaylor1994_at_gmail.com> wrote:

> Yes I believe so, however, I've never been responsible for the tightening
> down of sudo - just a victim of it ;)
>
> Chris
>
>
> On Mon, Feb 3, 2014 at 11:28 AM, Austin Hackett <hacketta_57_at_me.com> wrote:
>
>> Hi Chris
>>
>> Thanks for your response.
>>
>> So, I think you are saying it's possible to configure sudo like this:
>>
>> If I can only run myscript.sh as root and myscript.sh does "/bin/rm -fr
>> /", the script will fail because I don't have "/bin/rm" as root.
>>
>> Have I got that right?
>>
>>

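The point Matt makes above, that once sudo hands a script to a shell the rule is only as safe as the write permissions on the script and its directory, as a check a defender can run over sudoers rules. This is an added example, not code from the thread; the sudoers rule, paths, uids and gids are constructed, and `statfn` stands in for `os.stat()` so the sample runs offline.

```python
import os, re, stat
from collections import namedtuple

Principal = namedtuple("Principal", "uid gids")    # sudoers grantee: uid plus all its gids
FileInfo = namedtuple("FileInfo", "mode uid gid")  # the os.stat() fields the check uses
_TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")           # NOPASSWD:, SETENV:, ... prefixes

def parse_commands(rule):
    """Command paths granted by one 'who HOST=(RUNAS) [TAG:] cmd, cmd' sudoers line."""
    rule = rule.split("#", 1)[0].strip()           # comments, Defaults, aliases -> []
    if not rule or rule.startswith("Defaults") or rule.split()[0].endswith("_Alias"):
        return []
    spec = rule.partition("=")[2].strip()
    if spec.startswith("("):                       # drop the (runas) list
        spec = spec.partition(")")[2].strip()
    return [c.split()[0] for c in _TAGS.sub("", spec).split(",") if c.strip()]

def writable_by(p, f):
    """True if the principal can modify f via the owner, group or world write bit."""
    return bool((f.uid == p.uid and f.mode & stat.S_IWUSR)
                or (f.gid in p.gids and f.mode & stat.S_IWGRP)
                or f.mode & stat.S_IWOTH)

def audit(rule, principal, statfn):
    """Findings for one rule; statfn(path) -> FileInfo or None (os.stat on a live host)."""
    findings = []
    for cmd in parse_commands(rule):
        f = statfn(cmd) if cmd != "ALL" else None
        if f is None:
            findings.append((cmd, "unrestricted root" if cmd == "ALL" else "target missing"))
            continue
        if f.uid != 0:
            findings.append((cmd, "not owned by root"))
        if writable_by(principal, f):
            findings.append((cmd, "writable by the grantee: equivalent to root"))
        d = statfn(os.path.dirname(cmd))
        if d is not None and writable_by(principal, d):
            findings.append((cmd, "directory writable by the grantee: file can be swapped"))
    return findings

# Constructed sample, not a real host: a DBA (uid 54321, group dba 54322) who owns
# root.sh, under a root-owned but group-writable dbhome directory.
DBA = Principal(uid=54321, gids=frozenset({54321, 54322}))
SAMPLE_FS = {
    "/opt/oracle/dbhome/root.sh": FileInfo(0o100755, 54321, 54322),
    "/opt/oracle/dbhome": FileInfo(0o040775, 0, 54322),
    "/usr/sbin/service": FileInfo(0o100755, 0, 0),
    "/usr/sbin": FileInfo(0o040755, 0, 0),
}
RULE = "%dba ALL=(root) NOPASSWD: /opt/oracle/dbhome/root.sh, /usr/sbin/service ohasd status"
```

`audit(RULE, DBA, SAMPLE_FS.get)` returns three findings, all against root.sh (not root-owned, editable by the DBA who owns it, and replaceable through the group-writable directory), while the service rule comes back clean.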
--
http://www.freelists.org/webpage/oracle-l
Received on Mon Feb 03 2014 - 18:45:41 CET
