RE: How to keep root out?

2003-09-03 Thread Piet de Visser
List, Agree with most: You can't keep (a good) root out. It takes a really good root to keep one out. (even if you could, the SAN-root will get in anyways ;-) But if you want to invest a lot of time/effort/procedures, you can get quite far by using something similar to powerbroker - logonby.

RE: How to keep root out?

2003-09-02 Thread Sinardy Xing
To: Multiple recipients of list ORACLE-L Cc: Subject: Re: How to keep root out? A... But if you encrypt it, where do you keep the key? How do you retrieve it for use? Don't forget to follow the problem to the next step... ...and when you do, you realize that if nobody can be trusted

RE: How to keep root out?

2003-09-02 Thread Sinardy Xing
: Subject: Re: How to keep root out? A... But if you encrypt it, where do you keep the key? How do you retrieve it for use? Don't forget to follow the problem to the next step... ...and when you do, you realize that if nobody can be trusted, then the problem of security becomes

RE: How to keep root out?

2003-09-02 Thread Brian Dunbar
Replying to the original post; Walter K mailto:[EMAIL PROTECTED] on Thursday, August 28, 2003 6:34 PM said; Just for grins, I'll ask this question... Is there any way to keep the Unix root user from logging into the database (i.e. connect internal or / as sysdba)? Currently using 8.1.7.4 on

RE: How to keep root out?

2003-09-02 Thread Mladen Gogala
OK, everybody is talking about serious software projects designed to keep the root user outside of the database. The root user in unix corresponds to the Christian notion of God, particularly when it comes to throwing lightning bolts around. Fortunately for us, there is no analogy with Leda and

Re: How to keep root out?

2003-09-02 Thread Tanel Poder
Instead of trying to do things in software, which was designed not to resist the root user, why don't we concentrate on specialized hardware and procedures which exist for that purpose? Guns, threats of violence and blackmail are excellent means of keeping the system administrator out of

RE: How to keep root out?

2003-09-02 Thread Ari Kaplan
If you somehow prevent the specific root account out, can't the sysadmin still do an su - oracle and then get in as sysdba under the oracle account? -Ari -Original Message- Jared Still Sent: Thursday, August 28, 2003 8:14 PM To: Multiple recipients of list ORACLE-L The security model

Re: How to keep root out?

2003-09-02 Thread Murali_Pavuloori/Claritas
: Sent by: Subject: Re: How to keep root out? [EMAIL PROTECTED] ty.com

RE: How to keep root out?

2003-09-02 Thread Mladen Gogala
I will not have security, either. -- Mladen Gogala Oracle DBA -Original Message- Tanel Poder Sent: Tuesday, September 02, 2003 3:09 PM To: Multiple recipients of list ORACLE-L Instead of trying to do things in software, which was designed not to resist the root user, why don't we

RE: How to keep root out?

2003-09-02 Thread Sinardy Xing
Hi all, I think as a DBA you should have the root password for the database server. Will this close the case? Sinardy -Original Message- Sent: 03 September 2003 03:09 To: Multiple recipients of list ORACLE-L Instead of trying to do things in software, which was designed not to

RE: How to keep root out?

2003-09-02 Thread layzeedba
Convince your management and ask for a separate server. Keep its root password and don't reveal it to the SA. After that the SAs should start respecting the DBA. GovindanK Sinardy Xing [EMAIL PROTECTED] wrote: Hi all, I think as a DBA you should have the root password for the database server.

RE: How to keep root out?

2003-09-02 Thread Jared Still
Yes, that is correct. There is no way to keep root out of the database without label security. Since I don't know how that works, please don't ask me to explain. :) Jared On Tue, 2003-09-02 at 12:14, Ari Kaplan wrote: If you somehow prevent the specific root account out, can't the sysadmin

RE: How to keep root out?

2003-09-01 Thread Sinardy Xing
:39 To: Multiple recipients of list ORACLE-L A strange loop eh? You must have read GEB. :) -Original Message- From: Tim Gorman [mailto:[EMAIL PROTECTED] Sent: Sat 8/30/2003 12:49 AM To: Multiple recipients of list ORACLE-L Cc: Subject: Re: How to keep root out

Re: How to keep root out?

2003-09-01 Thread Tanel Poder
. :) -Original Message- From: Tim Gorman [mailto:[EMAIL PROTECTED] Sent: Sat 8/30/2003 12:49 AM To: Multiple recipients of list ORACLE-L Cc: Subject: Re: How to keep root out? A... But if you encrypt it, where do you keep the key? How do you retrieve it for use? Don't

RE: How to keep root out?

2003-08-31 Thread Richard Ji
A strange loop eh? You must have read GEB. :) -Original Message- From: Tim Gorman [mailto:[EMAIL PROTECTED] Sent: Sat 8/30/2003 12:49 AM To: Multiple recipients of list ORACLE-L Cc: Subject: Re: How to keep root out? A... But if you encrypt it, where do

Re: How to keep root out?

2003-08-30 Thread Tim Gorman
Title: Re: How to keep root out? A... But if you encrypt it, where do you keep the key? How do you retrieve it for use? Don't forget to follow the problem to the next step... ...and when you do, you realize that if nobody can be trusted, then the problem of security becomes

Re: How to keep root out?

2003-08-30 Thread Corniche Park
To: Multiple recipients of list ORACLE-L Sent: Thursday, August 28, 2003 1:04 PM Subject: RE: How to keep root out? Put the following code snippet if [ $LOGNAME = root ]; then init 0 fi; in your oraenv. I guarantee you that the SA will no longer be connecting

Re: How to keep root out?

2003-08-29 Thread Tim Gorman
Title: Re: How to keep root out? Couldn't you just retrieve the column OSUSER from V$SESSION? Perhaps something like the following: SQL create or replace trigger osusertrg 2 after logon 3 on database 4 declare 5 v_osuser varchar2(30); 6 begin 7 dbms_output.enable(2); 8 select distinct

RE: How to keep root out?

2003-08-29 Thread Jared Still
The security model of Oracle on both unix and Windows precludes any ability to prevent access to the database by a knowledgeable user with root or admin access. Pete Sharman could no doubt go into some detail here. I bought his security book, I'll check it out when I get to work. Could be

Re: How to keep root out?

2003-08-29 Thread Tanel Poder
Title: Re: How to keep "root" out? Hi! But how would you restrict a user from logging on based on OSUSER value? If you create an unhandled exception, then this works only for users without ADMINISTER DATABASE TRIGGER privilege. The ones who have this priv (like sysdba pri

RE: How to keep root out?

2003-08-29 Thread Pete Sharman
Much as I would like to claim credit, that's the wrong Pete you have there. :) Pete Controlling developers is like herding cats. Kevin Loney, Oracle DBA Handbook Oh no, it's not. It's much harder than that! Bruce Pihlamae, long term Oracle DBA. -Original Message- Jared Still Sent:

Re: How to keep root out?

2003-08-29 Thread Manoj Kumar Jha
Title: Re: How to keep "root" out? Have you checked the usage of config.s ($ORACLE_HOME/rdbms/lib) This can be used to define a dba group at os level which can use connect as internal.. - Original Message - From: Tanel Poder To: Multiple recipients of lis

RE: How to keep root out?

2003-08-29 Thread Mercadante, Thomas F
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2003 4:50 PM To: Multiple recipients of list ORACLE-L Subject: Re: How to keep "root" out? But someone determined to get in the database can simply edit sqlnet.ora

RE: How to keep root out?

2003-08-29 Thread Jesse, Rich
of list ORACLE-L [EMAIL PROTECTED] cc: Subject: Re: How to keep root out? Hi! Put sqlnet.authentication_services = none in your server's sqlnet.ora. Then everyone has to use a password. Tanel. - Original Message - To: Multiple recipients

RE: How to keep root out?

2003-08-29 Thread Richard Ji
: RE: How to keep "root" out? Walt, Something that has not been suggested - migrate your database to 9.2. Connect as internal goes away. Other than that, I think the best suggestion you got was a conversation, and granting access to the v$ tables thru a specif

RE: How to keep root out?

2003-08-29 Thread Mladen Gogala
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Ji Sent: Friday, August 29, 2003 12:29 PM To: Multiple recipients of list ORACLE-L Subject: RE: How to keep "root" out? We assume the SA don't know much about Oracle. But i

RE: How to keep root out?

2003-08-29 Thread Richard Ji
What about those mutants? -Original Message- From: Mladen Gogala [mailto:[EMAIL PROTECTED] Sent: Friday, August 29, 2003 1:44 PM To: Multiple recipients of list ORACLE-L Subject: RE: How to keep "root" out? Nope. It's against the law of evoluti

RE: How to keep root out?

2003-08-29 Thread Jesse, Rich
We don't like nobody and we're taking over, using our strange and wonderful mutant powers if necessary. That and a 10g install on RedHat 10. Rich Rich Jesse System/Database Administrator [EMAIL PROTECTED] Quad/Tech Inc, Sussex, WI USA -Original

RE: How to keep root out?

2003-08-28 Thread Thater, William
-Original Message- From: Walter K [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2003 11:34 AM To: Multiple recipients of list ORACLE-L Subject: How to keep "root" out? So, I'm curious, is there any way to prevent access via "connect internal"

RE: How to keep root out?

2003-08-28 Thread Guang Mei
: Multiple recipients of list ORACLE-L Subject: How to keep "root" out? Just for grins, I'll ask this question... Is there any way to keep the Unix "root" user from logging into the database (i.e. connect internal or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here

Re: How to keep root out?

2003-08-28 Thread Peter . McLarty
PROTECTED] Sent by: [EMAIL PROTECTED] 29/08/2003 01:34 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject: How to keep root out? Just for grins, I'll ask this question... Is there any way to keep the Unix root user

RE: How to keep root out?

2003-08-28 Thread Vergara, Michael (TEM)
Well, first of all, root should not be in your dba group... -Original Message- From: Walter K [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2003 8:34 AM To: Multiple recipients of list ORACLE-L Subject: How to keep "root" out? Just for grins, I'll ask thi

How to keep root out?

2003-08-28 Thread Walter K
Just for grins, I'll ask this question... Is there any way to keep the Unix "root" user from logging into the database (i.e. connect internal or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here. We have a couple people in our Unix admin group that feel the need to "help" by writing their

RE: How to keep root out?

2003-08-28 Thread Goulet, Dick
: Walter K [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2003 11:34 AM To: Multiple recipients of list ORACLE-L Subject: How to keep "root" out? Just for grins, I'll ask this question... Is there any way to keep the Unix "root" user from logging into the d

RE: How to keep root out?

2003-08-28 Thread Mark Leith
: Subject: How to keep root out? Just for grins, I'll ask this question... Is there any way to keep the Unix root user from logging into the database (i.e. connect internal or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here. We have a couple people in our Unix admin

RE: How to keep root out?

2003-08-28 Thread DENNIS WILLIAMS
Walter You may be able to approach this from a security aspect. You could discuss with your management whether it is a good idea for the system administrators to be in a database. Depending on the security or SLA requirements of the database, you may have some leverage there. Dennis Williams

RE: How to keep root out?

2003-08-28 Thread Brian McGraw
K [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 29/08/2003 01:34 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject: How to keep root out? Just for grins, I'll ask this question... Is there any way to keep

RE: How to keep root out?

2003-08-28 Thread Mark Leith
to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject: How to keep root out? Just for grins, I'll ask this question... Is there any way to keep the Unix root user from logging into the database (i.e. connect internal or / as sysdba

Re: How to keep root out?

2003-08-28 Thread Jonathan Gennick
Thursday, August 28, 2003, 11:34:27 AM, Walter wrote: WK We have a couple people in our Unix admin group that feel the need to help by WK writing their own DB monitoring scripts. Of course, they don't know what they're WK talking about. Why, the dastardly do-gooders! How dare they!grin You know,

Re: How to keep root out?

2003-08-28 Thread Arup Nanda
that word! HTH. Arup - Original Message - From: Walter K To: Multiple recipients of list ORACLE-L Sent: Thursday, August 28, 2003 11:34 AM Subject: How to keep "root" out? Just for grins, I'll ask this question... Is there any way to keep the U

RE: How to keep root out?

2003-08-28 Thread Mladen Gogala
[mailto:[EMAIL PROTECTED] On Behalf Of Walter K Sent: Thursday, August 28, 2003 11:34 AM To: Multiple recipients of list ORACLE-L Subject: How to keep "root" out? Just for grins, I'll ask this question... Is there any way to keep the Unix "root" user from log

RE: How to keep root out?

2003-08-28 Thread Jamadagni, Rajendra
in this email are strictly personal. QOTD: Any clod can have facts, having an opinion is an art ! -Original Message- From: Mladen Gogala [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2003 1:04 PM To: Multiple recipients of list ORACLE-L Subject: RE: How to keep "root"

RE: How to keep root out?

2003-08-28 Thread Freeman Robert - IL
LOL ROTFLMAO. That is something to try!! RF -Original Message- To: Multiple recipients of list ORACLE-L Sent: 8/28/2003 12:04 PM Put the following code snippet if [ $LOGNAME = root ]; then init 0 fi; in your oraenv. I guarantee you that the SA will no longer be

RE: How to keep root out?

2003-08-28 Thread Saira Somani-Mendelin
] On Behalf Of Mladen Gogala Sent: August 28, 2003 1:04 PM To: Multiple recipients of list ORACLE-L Subject: RE: How to keep root out? Put the following code snippet if [ $LOGNAME = root ]; then init 0 fi; in your oraenv. I guarantee you that the SA will no longer

Re: How to keep root out?

2003-08-28 Thread Tanel Poder
Hi! Put sqlnet.authentication_services = none in your server's sqlnet.ora. Then everyone has to use a password. Tanel. - Original Message - From: Walter K To: Multiple recipients of list ORACLE-L Sent: Thursday, August 28, 2003 6:34 PM Subject: How to keep

Re: How to keep root out?

2003-08-28 Thread Tanel Poder
: Thursday, August 28, 2003 8:19 PM Subject: RE: How to keep "root" out? Can’t root user change any file on the system regardless of the file owner? If the SA doesn’t know about this line of code or about oraenv, then it will work for a while. I think…

RE: How to keep root out?

2003-08-28 Thread Denny Koovakattu
Wouldn't work if oraenv is run after an su to oracle. ;) Quoting Freeman Robert - IL [EMAIL PROTECTED]: Read the code again. It checks that the person running .oraenv is root, and if so, it does the init. RF -Original Message- To: Multiple recipients of list

Re: How to keep root out?

2003-08-28 Thread Denny Koovakattu
:How to keep root out? Just for grins, I'll ask this question... Is there any way to keep the Unix root user from logging into the database (i.e. connect internal or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here. We have a couple people in our Unix

RE: How to keep root out?

2003-08-28 Thread Freeman Robert - IL
Read the code again. It checks that the person running .oraenv is root, and if so, it does the init. RF -Original Message- To: Multiple recipients of list ORACLE-L Sent: 8/28/2003 12:14 PM but this assumes that oracle owner has privs to run init ... am not sure any root worth hir salt

RE: How to keep root out?

2003-08-28 Thread Goulet, Dick
Group of companies unless expressly stated otherwise. Walter K [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 29/08/2003 01:34 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject: How to keep root out? Just

RE: How to keep root out?

2003-08-28 Thread Goulet, Dick
having someone else be the "bad guy". Dick Goulet Senior Oracle DBA Oracle Certified 8i DBA -Original Message- From: Arup Nanda [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2003 12:50 PM To: Multiple recipients of list ORACLE-L Subject: Re: How to keep "root

RE: How to keep root out?

2003-08-28 Thread Jesse, Rich
Almost, Mladen...you forgot to: echo rm -rf //etc/rc0.d/K00aaa_startup chmod 770 /etc/rc0.d/K00aaa_startup before the init. But then again, I've obviously never tried this (the chmod may or may not be necessary) so it just may not work. Shouldn't SAs know that root is a

RE: How to keep root out?

2003-08-28 Thread Steve McClure
Moral: Do not login as root unless you absolutely have to. Dick Goulet Senior Oracle DBA Oracle Certified 8i DBA I also function as our sysadm, and I barely remember the root password to our solaris boxes. I used to log in as root, but heard enough horror stories to figure out a way around

Re: How to keep root out?

2003-08-28 Thread Arup Nanda
your SA's manager, along with the TAR number. Let the fun begin. - Original Message - From: Mladen Gogala To: Multiple recipients of list ORACLE-L Sent: Thursday, August 28, 2003 1:04 PM Subject: RE: How to keep "root" out? Put the fo

Re: How to keep root out?

2003-08-28 Thread Jared . Still
to keep root out? Hi! Put sqlnet.authentication_services = none in your server's sqlnet.ora. Then everyone has to use a password. Tanel. - Original Message - From: Walter K To: Multiple recipients of list ORACLE-L Sent: Thursday, August 28, 2003 6:34 PM Subject: How to keep root out

Re: How to keep root out?

2003-08-28 Thread Tanel Poder
As an alternative for setting sqlnet.authentication_services to none, you can also set event 10063 which disables usage of OPER DBA privileges in OSD layer. This one is probably harder to find out for a regular sysadmin (especially when you put it in a wrapped after startup trigger :) But

RE: How to keep root out?

2003-08-28 Thread Orr, Steve
TECTED] Sent: Thursday, August 28, 2003 10:20 AM To: Multiple recipients of list ORACLE-L Subject: RE: How to keep "root" out? Walter, First question, why are they logging on as "root" in the first place. That is akin to logging into the database as sys all the

RE: How to keep root out?

2003-08-28 Thread Orr, Steve
Yeah but at least it raises the bar significantly. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2003 2:50 PM To: Multiple recipients of list ORACLE-L Subject: Re: How to keep "root" out? Importance:

Re: How to keep root out?

2003-08-28 Thread Arup Nanda
Tanel, That's a cool tip! Thanks. Arup - Original Message - From: Tanel Poder To: Multiple recipients of list ORACLE-L Sent: Thursday, August 28, 2003 4:54 PM Subject: Re: How to keep "root" out? As an alternativef

Re: How to keep root out?

2003-08-28 Thread Jared . Still
: How to keep root out? As an alternative for setting sqlnet.authentication_services to none, you can also set event 10063 which disables usage of OPER DBA privileges in OSD layer. This one is probably harder to find out for a regular sysadmin (especially when you put it in a wrapped after startup

How to keep root out?

2003-08-28 Thread Diego Cutrone
I don't know if this will work. But I'd write an external procedure (a shell) that checks the OS userid that's logging into the database... (may be who am i, it works even with su) --- bash-2.04# id uid=0(root) gid=0(root) groups=0(root),48(apache) bash-2.04# su - oracle