Re: DBAs running root.sh

From: William Muriithi <william.muriithi_at_gmail.com>
Date: Sat, 15 Feb 2014 21:20:38 -0500
Message-ID: <CAE9rU+6ojpUd7j_UkMEBbvW7PfR74et2oftkf1kSQsTcWXCifg_at_mail.gmail.com>



>
> Hi List
>
> If you work in a security-conscious environment, I'd be keen to hear how
> your site handles the root.sh script.
>

I haven't had to deal with this particular script, but I have a passion for Linux security.
> To give you some background:
>
> In my environment, DBAs are currently given direct root access to allow
> them to run root.sh. However, the SA Team would like to tighten this up. If giving the DBAs direct root access isn't acceptable (not even temporarily) then two options spring to my mind:
>
> 1) SA team run root.sh on behalf of the DBAs. Geography and logistics in
> my organisation are such that having an SA walk over to the DBA's desk is a realistic option. Our SAs aren't keen on this approach.
> 2) Give DBAs the ability to run root.sh as the root user via sudo. This,
> of course, means that DBAs can run anything they like by editing root.sh, so doesn't really help. Understandably our SAs don't like this approach.
>
> I am being asked to look into keeping Oracle software version specific
> root.sh scripts in a root-owned location (we are Linux only, so no multi-platform concerns). This would allow for secure sudo privileges. We'd need these for RDBMS, Grid Infrastructure, and Client.
>
> However, I've explained the scripts are dynamically generated by
> runInstaller and have the Oracle Home path hard-coded into them. We'd need a root-owned root.sh for every distinct ORACLE_HOME path we create (some hosts have multiple homes, so there's dbhome_1, dbhome_2 etc.). Maybe there are other considerations that I'm unaware of - I don't really like to second guess what else is going on in the "closed box" of the OUI that could be host dependent.
>
> To my mind, taking this non-standard approach is more risky than having
> someone run the script on our behalf, even if it risks introducing delays into the build process.
>
> How is this handled in your organisation? Have you ever been asked to
> have a centralised set of root.sh scripts under root control for this reason? Have you made it work?
>
> If anyone has some time to share their experiences, it would be much
> appreciated.
>

I haven't had to deal with these scripts specifically, but I am certain it's a perfect candidate for SELinux. Are you on Red Hat or Oracle Linux? If so, invest some effort in playing with SELinux and you will find it is a perfect solution irrespective of how dynamic your home directories are.
> Regards
>
> Austin
>

William

--
http://www.freelists.org/webpage/oracle-l
Received on Sun Feb 16 2014 - 03:20:38 CET
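The following is an added example, not code from the thread and not William's SELinux suggestion. It shows why Austin's option 2 as written (a sudo rule on a root.sh that the DBA can edit) is equivalent to granting unrestricted root, and one way to change that without keeping a root-owned copy of every generated script: sudoers supports pinning a command to its SHA-256 digest (the Digest_Spec syntax, available since sudo 1.8.7), so sudo re-hashes the file at execution time and refuses it if it has been edited after the SA reviewed it. The script also refuses to issue a line for a file that is group- or world-writable. The user name `oracle`, the ORACLE_HOME path and the use of coreutils `sha256sum` are assumptions for the example.

```shell
#!/bin/sh
# Added example for the oracle-l thread on root.sh and sudo; not from the thread.
# Generates a sudoers(5) line that lets one DBA account run one specific root.sh
# as root, pinned to the file's SHA-256 digest (sudo Digest_Spec, sudo >= 1.8.7).
# The digest, not the path, is what makes the rule safe: editing root.sh changes
# the digest and sudo then refuses to run it. User, paths and the presence of
# coreutils sha256sum are assumptions for this example.

sha256_of() {
    # coreutils sha256sum on Linux; fall back to shasum where it is absent
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print a sudoers line allowing DBA_USER to run SCRIPT as root, pinned to the
# script's current digest. Prints nothing and returns 1 if the file is missing
# or group/world writable (owner-writable is unavoidable: ORACLE_HOME belongs
# to the DBA account, which is exactly why the digest is needed).
# Usage: rootsh_sudoers_line oracle /u01/app/oracle/product/12.1.0/dbhome_1/root.sh
rootsh_sudoers_line() {
    dba_user=$1
    script=$2
    [ -f "$script" ] || { echo "rootsh_sudoers_line: no such file: $script" >&2; return 1; }
    # -perm -020: group writable, -perm -002: other writable (POSIX octal forms)
    if [ -n "$(find "$script" -perm -020 -o -perm -002 2>/dev/null)" ]; then
        echo "rootsh_sudoers_line: $script is group/world writable, refusing" >&2
        return 1
    fi
    printf '%s ALL=(root) sha256:%s %s\n' "$dba_user" "$(sha256_of "$script")" "$script"
}

# Re-check a previously issued line against the file as it is now. This is the
# same comparison sudo performs before exec: returns 0 if the digest still
# matches, 1 if root.sh has been edited (or removed) since the SA pinned it.
rootsh_line_still_valid() {
    line=$1
    pinned=$(printf '%s\n' "$line" | sed -n 's/.*sha256:\([0-9a-f]*\) .*/\1/p')
    script=${line##* }
    [ -f "$script" ] && [ "$(sha256_of "$script")" = "$pinned" ]
}

# Stand-alone use: ./rootsh-sudoers.sh oracle /path/to/root.sh >> /etc/sudoers.d/rootsh
if [ "$#" -ge 2 ]; then
    rootsh_sudoers_line "$1" "$2"
fi
```

Two caveats a practitioner would want. First, this only closes the hole Austin describes for root.sh itself; anything root.sh in turn executes from the DBA-owned ORACLE_HOME is not covered by the digest, so the SA still has to read the generated script before pinning it, and the pin has to be redone for every ORACLE_HOME (dbhome_1, dbhome_2, Grid, Client) and every re-run after a patch. Second, the digest check does not remove the need for the reviewed file to be installed with the pin; it only guarantees that what runs as root is byte-for-byte what was reviewed.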
