Re: DBAs running root.sh

From: Luis <lcarapinha_at_gmail.com>
Date: Tue, 11 Feb 2014 18:07:56 +0000
Message-ID: <CANx=q_Z8NwveJtCg85rPV6nOVsZdOagcZ6y84ifeYPBDyzmNiA_at_mail.gmail.com>



This is really an interesting topic; still, one thing comes to my mind. We, as DBAs, use our sysdba "power" (or other privileged accounts) to handle the most valuable asset in an organization: data. That is what really matters. Why do we need "advanced restrictive policies" to execute a script that finishes an Oracle installation when we have a privileged account in the database? Just imagine the damage you can do without any access to a Unix shell...

Role separation is OK to me, but sometimes people focus much on it and bureaucracy wins.

Luís
http://lcmarques.com

On Wed, Feb 5, 2014 at 10:08 AM, Stojan Veselinovski < stojan.veselinovski_at_gmail.com> wrote:

> It's an interesting topic and I've had countless hours of discussion with
> sysadmins about DB servers being managed and run by DBAs.
>
> If we wanted to do serious damage we could, regardless of any root
> account.
>
> Any compromise like having sudo to commands is only a step away from
> kicking out to a root shell and away you go.
>
> With the GI stack needing elevated privileges and for most shops it's
> managed and run by DBAs it really does become a bit of a road block.
>
> Patching GI, troubleshooting processes, strace, truss, etc, etc.
>
> Not sure if there is a perfect answer but in my current place we have sudo
> to commands and root in "some" places and a good relationship with the
> sysadmins
>
> Stojan
> http://www.stojanveselinovski.com/blog
>

-- 
Cumprimentos,
Luís Marques

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Feb 11 2014 - 19:07:56 CET