RE: How to keep "root" out?

[Goulet, Dick]

Having been there, I'll agree with Jonathan Gennick on this issue.  First off try to talk to the folks & let them know that their meddling where they should not be.  That worked with one sys admin I have.  Failing that, which I have, follow Jonathan's advice & give them a "safe" login that they can then use.  In my case the sys admin found that he really did not know what he was doing & stopped snooping.  In another sys admin's case he did make changes, only to have the DB cease functioning at which time management was more then willing to "take care of it".  I love having someone else be the "bad guy".   Dick Goulet Senior Oracle DBA Oracle Certified 8i DBA -----Original Message----- From: Arup Nanda [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2003 12:50 PM To: Multiple recipients of list ORACLE-L Subject: Re: How to keep "root" out? Walter,   Unfortunately, there is no way. You can prevent root from connecting as sysdba by removing the dba group from root userid; but hey, root can "root" it again; he is root, remember, omnipotent.   Even if that is successful, he can connect to any dba account, such as "oracle" using "su -" and then connect as sysdba. Worse, they can connect to _any_ dba user, not necessarily "oracle", and your audit logs will show as if coming from that user.   Therefore the issue is serious than it sounds like and you should approach at from the manegerial level. Take dba group out if the root userid and establish ground rules that dba group is never allowed to any user without the DBA's request. If they continue to do "su - oracle", make them aware that this operation is imporsonation, and may be deemed illegal. They will listen to that word!   HTH.   Arup     ----- Original Message ----- From: Walter K To: Multiple recipients of list ORACLE-L Sent: Thursday, August 28, 2003 11:34 AM Subject: How to keep "root" out? Just for grins, I'll ask this question... Is there any way to keep the Unix "root" user from logging into the database (i.e. connect internal or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.   We have a couple people in our Unix admin group that feel the need to "help" by writing their own DB monitoring scripts. Of course, they don't know what they're talking about. They do not have formal logins for the database, but since they are root users they are connecting via "connect internal". This is not only counterproductive but actually a potential security issue--just because someone has root doesn't necessarily entitle them to see the data in the database. What if it is a payroll database?   So, I'm curious, is there any way to prevent access via "connect internal" or "/ as sysdba"?   Thanks in advance.   W