Re: Prevent Root access from database
PhilB <phillip.bridges_at_gmail.com> wrote:
> We've got a new security drive underway in our organisation, one of the
> concerns that was raised was that access to the database on our unix
> server should be prevented from the root user. I'm preparing to put
> the argument that the root user is the system admin and as a result can
> do anything, e.g. "su" to oracle user account and gain access via a
> "connect / as sysdba" (even if we remove sysdba, surely root can put it
> back!) Is this correct, anyone got any experience of preventing root
> users getting into the database to see the data?
So far you have received a handful of jocular or half-serious replies.
I think it all boils down to: There is no way to keep root off your data. You can consider it one of the inherent security flaws of UNIX, but I prefer to see it as the price you have to pay for a simple, easily understandable security system.
Root has access to everything on the system.
So the only way to prevent root from - say - reading certain data on
your disk is to encrypt them in a way so that decryption needs a
component NOT stored on the system, e.g. a password that a user must
enter.
The problem starts when things should work automatically, for example
you want your application to start by itself after a system boot. In
order to avoid user interaction, you need all necessary information
to be on, or at least accessible by, the system. That again means that
root can get it, since he/she has full access to the system.
Yours,
Laurenz Albe
Received on Tue Jul 26 2005 - 03:05:23 CDT
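The trade-off described in the reply above, as an added example that is not part of the original post: each dict models what ends up on disk, first when the key is derived from a passphrase a person types, then when a key file is stored so the service can start unattended. All function names are hypothetical, and the HMAC-based cipher is a standard-library stand-in for a real AEAD.

```python
import hashlib
import hmac
import os

def derive_key(passphrase, salt):
    # Interactive case: the key is recomputed from a passphrase a person types;
    # only the salt is ever written to disk.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # Stand-in cipher built from HMAC-SHA256 in counter mode so the example needs
    # only the standard library; use a vetted AEAD (e.g. AES-GCM) in real systems.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key or modified data
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def interactive_setup(passphrase, secret):
    salt = os.urandom(16)
    return {"salt": salt, "data.enc": seal(derive_key(passphrase, salt), secret)}

def unattended_setup(secret):
    # Automatic-start case: the key must sit where the boot process can read it.
    key = os.urandom(32)
    return {"keyfile": key, "data.enc": seal(key, secret)}

def disk_only_read(disk):
    # What full filesystem access alone yields, with no passphrase supplied.
    key = disk.get("keyfile")
    return unseal(key, disk["data.enc"]) if key else None
```

Keeping the key off disk covers data at rest only; once the passphrase has been entered, the derived key lives in process memory on the same system.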