Re: "oracle" lockdown

From: Andrew Kerber <andrew.kerber_at_gmail.com>
Date: Wed, 26 Feb 2014 14:51:04 -0600
Message-ID: <CAJvnOJayFctUrNCaQxWgZmuBPF46pYuQKOosrmSb397cD8_UHw_at_mail.gmail.com>

I believe what he is saying by 'no shell' is that no one can actually log in as Oracle. That all commands must be run using the sudo command. I'm not sure you can successfully manage an oracle database that way. At the very least it strikes me as painful.

On Wed, Feb 26, 2014 at 2:43 PM, Powell, Mark <mark.powell2_at_hp.com> wrote:

> I do not think items #1 and #3 are an issue since I have worked on
> systems like that, but I am not sure about item #2, "no shell." What
> exactly does that mean?
>
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org]
> On Behalf Of Herring, David
> Sent: Wednesday, February 26, 2014 3:20 PM
> To: oracle-l_at_freelists.org
> Subject: "oracle" lockdown
>
> Folks,
>
> Our team is about to be placed in a more challenging situation where the
> OS account "oracle" will be locked down in the following ways:
>
> 1) No direct logons.
> 2) No shell can be created by "oracle".
> 3) Execution as "oracle" can be done by DBA accounts using: "sudo -u
> oracle <cmd>".
>
> I'm tasked with coming up with a test plan for each environment converted
> over to this configuration. While I can come up with the various commands
> we typically use off a consolidation of ~/.bash_history on all servers, I'm
> concerned about the environment when running "sudo -u oracle". I'm told
> that there's no guarantee on what env variables will be set so if I expect
> any particular values I'll have to put it all in a script, since we can't
> run multiple commands on one line (like "sudo -u oracle export
> ORACLE_SID=dave; export ORAENV_ASK=NO; .oraenv; ...").
>
> My first thought is we'll need some sort of wrapper script, with arguments
> for the ORACLE_SID and command line to run. Has anyone run into this type
> of situation and if so how did you handle it? There's still no word on how
> we're going to manage interactive installs. I feel like I'm on the Indians
> in the movie "Major League".
>
> Dave Herring
>
> --
> http://www.freelists.org/webpage/oracle-l
>

-- 
Andrew W. Kerber

'If at first you don't succeed, don't take up skydiving.'

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Feb 26 2014 - 21:51:04 CET
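The kind of wrapper Dave describes, as an added example that is not from the thread or from anyone on it: a POSIX sh script (hypothetically named orarun.sh) that takes the ORACLE_SID and a command, checks the SID is a plain identifier, looks up ORACLE_HOME in /etc/oratab, and then runs the command under an environment built explicitly with `env -i`, so the outcome does not depend on whatever sudo's env_reset happened to pass through. The oratab path, the PATH/LD_LIBRARY_PATH layout and the /home/oracle fallback are assumptions for the example.

```shell
#!/bin/sh
# orarun.sh (hypothetical name): run one command as "oracle" with a
# deterministic environment. Intended invocation from a DBA account:
#   sudo -u oracle /usr/local/bin/orarun.sh <ORACLE_SID> <cmd> [args...]
# sudo's env_reset drops the caller's variables, so nothing is inherited;
# everything the command needs is derived from the SID here.

ORATAB="${ORATAB:-/etc/oratab}"   # assumed location of oratab

# Print ORACLE_HOME for a SID from oratab (SID:HOME:Y|N lines, '#' comments).
oratab_home() {
    awk -F: -v sid="$1" \
        '$0 !~ /^[[:space:]]*#/ && $1 == sid { print $2; exit }' "$ORATAB"
}

# Accept only plain identifiers, so a SID can never carry shell
# metacharacters into the environment or the oratab lookup.
valid_sid() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build a minimal, explicit environment for the SID and exec the command.
orarun() {
    sid="$1"; shift
    valid_sid "$sid" || { echo "orarun: bad ORACLE_SID '$sid'" >&2; return 2; }
    [ $# -ge 1 ] || { echo "usage: orarun <SID> <cmd> [args...]" >&2; return 2; }
    home=$(oratab_home "$sid")
    [ -n "$home" ] || { echo "orarun: $sid not found in $ORATAB" >&2; return 3; }
    # env -i: start from an empty environment so behaviour does not depend
    # on who ran sudo or on which variables sudoers chose to keep.
    env -i HOME="${HOME:-/home/oracle}" \
        ORACLE_SID="$sid" ORACLE_HOME="$home" \
        PATH="$home/bin:/usr/bin:/bin" \
        LD_LIBRARY_PATH="$home/lib" \
        "$@"
}

# Run only when executed as the script itself, not when sourced.
case "${0##*/}" in
    orarun.sh) orarun "$@" ;;
esac
```

Pairing this with a sudoers entry that permits only the wrapper's absolute path (rather than any command as oracle) means the SID whitelist and the fixed environment cannot be bypassed by passing a different command to sudo.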
