OK, everybody is talking about serious software projects designed to keep the "root" user outside of the database. The root user in unix corresponds to the Christian notion of God, particularly when it comes to throwing lightning bolts around. Fortunately for us, there is no analogy with Leda and Swan story in Unix SA world. Essentially, the task is defined as "keep the deity out of the database" and that is not easy. Instead of trying to do things in software, which was designed not to resist the "root" user, why don't we concentrate on specialized hardware and procedures which exist for that purpose? Guns, threats of violence and blackmail are excellent means of keeping the system administrator out of the database. After all they're only human and chances are that a question like "Do ya feel lucky? Well, do ya...root?" will be answered with a resounding "no". Our goal is thus achieved by saving the company time and money. Yet another productive day goes by. Go ahead, make my data.
-- Mladen Gogala Oracle DBA -----Original Message----- Brian Dunbar Sent: Tuesday, September 02, 2003 11:54 AM To: Multiple recipients of list ORACLE-L Replying to the original post; Walter K <mailto:[EMAIL PROTECTED]> on Thursday, August 28, 2003 6:34 PM said; > Just for grins, I'll ask this question... Is there any way to keep the Unix "root" user from logging into the > database (i.e. connect internal or / as sysdba)? Currently using > 8.1.7.4 on Solaris 8 here. > We have a couple people in our Unix admin group that feel the need to "help" by writing their own DB monitoring > scripts. Of course, they don't know what they're talking about. My perspective is as the system admin who owns the boxes where the databases live, and as caretaker of some of the applications aboard those servers. You can jump through hoops to keep root out of the database, but you run the great risk of locking yourself out of the database if as a last resort access is somehow removed for all users. That is what root is for, after all. If you can't trust your admins, you've got bigger problems than this. My suggestion (echoed by others here) is to work with your admins, and tell them why what they are doing is a bad idea. If you can give them their own 'backdoor' to the database or a safe way to view the data, you'll both be better off. ~brian -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Brian Dunbar INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). Note: This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Wang Trading LLC and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Mladen Gogala INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
