RE: How to keep "root" out?

2003-09-03 Thread Piet de Visser
List,

Agree with most: You can't keep (a good) root out.
It takes a really good root to keep one out.
(even if you could, the SAN-root will get in anyways ;-)

But if you want to invest a lot of time/effort/procedures,
you can get quite far by using something similar to 
powerbroker - logonby.

Not sure if the product still exists, but it was
reasonably effective 
at the price of a lot of administrative overhead.

If I gave more details, I'd have to shoot you all, eh Dave ?


Regards,
PdV
Oracle DBA, and Certified ;-)
Disclaimers: AFAIK, GF, JMTC, and YMMV.
 


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Piet de Visser
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


RE: How to keep "root" out?

2003-09-02 Thread Jared Still

Yes, that is correct.

There is no way to keep root out of the database without
label security.  Since I don't know how that works, please
don't ask me to explain.  :)

Jared

On Tue, 2003-09-02 at 12:14, Ari Kaplan wrote:
> If you somehow prevent the specific "root" account out, can't the sysadmin
> still do an "su - oracle" and then get in as sysdba under the "oracle"
> account?
> 
> -Ari
> 
> -Original Message-
> Jared Still
> Sent: Thursday, August 28, 2003 8:14 PM
> To: Multiple recipients of list ORACLE-L
> 
> 
> The security model of Oracle on both unix and Windows
> precludes any ability to prevent access to the database
> by a knowledgeable user with root or admin access.
> 
> Pete Sharman could no doubt go into some detail here.
> 
> I bought his security book, I'll check it out when I get to work.
> 
> Could be there's something I've overlooked.  :)
> 
> Jared
> 
> On Thu, 2003-08-28 at 09:29, DENNIS WILLIAMS wrote:
> > Walter
> > You may be able to approach this from a security aspect. You could
> > discuss with your management whether it is a good idea for the system
> > administrators to be in a database. Depending on the security or SLA
> > requirements of the database, you may have some leverage there.
> >
> >
> >
> > Dennis Williams
> > DBA, 80%OCP, 100% DBA
> > Lifetouch, Inc.
> > [EMAIL PROTECTED]
> >
> > -Original Message-
> > Sent: Thursday, August 28, 2003 11:10 AM
> > To: Multiple recipients of list ORACLE-L
> >
> >
> > Well, first of all, root should not be in your dba group...
> >
> > -Original Message-
> > Sent: Thursday, August 28, 2003 8:34 AM
> > To: Multiple recipients of list ORACLE-L
> >
> >
> > Just for grins, I'll ask this question... Is there any way to keep the
> > Unix "root" user from logging into the database (i.e. connect internal or / as
> > sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
> >
> > We have a couple people in our Unix admin group that feel the need to
> > "help" by writing their own DB monitoring scripts. Of course, they don't know
> > what they're talking about. They do not have formal logins for the database,
> > but since they are root users they are connecting via "connect internal". This
> > is not only counterproductive but actually a potential security
> > issue--just because someone has root doesn't necessarily entitle them to see the data
> > in the database. What if it is a payroll database?
> >
> > So, I'm curious, is there any way to prevent access via "connect internal"
> > or "/ as sysdba"?
> >
> > Thanks in advance.
> >
> > W
> >
> 
> 



RE: How to keep "root" out?

2003-09-02 Thread layzeedba
Convince your management and ask for a separate server. Keep its root
password and don't reveal it to the SA. After that the SAs should start
respecting the DBA.

GovindanK

"Sinardy Xing" <[EMAIL PROTECTED]> wrote:

>Hi all,
>
>I think as a DBA you should have the root password for the database server.
>
>Will this close the case?
>
>
>Sinardy
>
>-Original Message-
>Sent: 03 September 2003 03:09
>To: Multiple recipients of list ORACLE-L
>
>
>> Instead of trying to do things in software, which was designed not to
>> resist the "root" user,
>> why don't we concentrate on specialized hardware and procedures which
>> exist for that purpose?
>> Guns, threats of violence and blackmail are excellent means of keeping the
>> system administrator
>> out of the database. After all  they're only human and chances are that a
>
>One more solution would be to migrate to Windows. Then you won't have any
>root user.
>
>Tanel.
>
>



RE: How to keep "root" out?

2003-09-02 Thread Sinardy Xing
Hi all,

I think as a DBA you should have the root password for the database server.

Will this close the case?


Sinardy

-Original Message-
Sent: 03 September 2003 03:09
To: Multiple recipients of list ORACLE-L


> Instead of trying to do things in software, which was designed not to
> resist the "root" user,
> why don't we concentrate on specialized hardware and procedures which
> exist for that purpose?
> Guns, threats of violence and blackmail are excellent means of keeping the
> system administrator
> out of the database. After all  they're only human and chances are that a

One more solution would be to migrate to Windows. Then you won't have any
root user.

Tanel.




RE: How to keep "root" out?

2003-09-02 Thread Mladen Gogala
I will not have security, either.

--
Mladen Gogala
Oracle DBA 



-Original Message-
Tanel Poder
Sent: Tuesday, September 02, 2003 3:09 PM
To: Multiple recipients of list ORACLE-L


> Instead of trying to do things in software, which was designed not to
> resist the "root" user,
> why don't we concentrate on specialized hardware and procedures which
> exist for that purpose?
> Guns, threats of violence and blackmail are excellent means of keeping 
> the system administrator out of the database. After all  they're only 
> human and chances are that a

One more solution would be to migrate to Windows. Then you won't have any
root user.

Tanel.




Re: How to keep "root" out?

2003-09-02 Thread Murali_Pavuloori/Claritas

Yes then you are at the mercy of hackers..;-)

Murali.




   
   
"Tanel Poder" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
09/02/2003 03:09 PM
Please respond to ORACLE-L
Subject: Re: How to keep "root" out?




> Instead of trying to do things in software, which was designed not to
> resist the "root" user,
> why don't we concentrate on specialized hardware and procedures which
> exist for that purpose?
> Guns, threats of violence and blackmail are excellent means of keeping
> the system administrator
> out of the database. After all  they're only human and chances are that a

One more solution would be to migrate to Windows. Then you won't have any
root user.

Tanel.




RE: How to keep "root" out?

2003-09-02 Thread Ari Kaplan
If you somehow prevent the specific "root" account out, can't the sysadmin
still do an "su - oracle" and then get in as sysdba under the "oracle"
account?

-Ari

-Original Message-
Jared Still
Sent: Thursday, August 28, 2003 8:14 PM
To: Multiple recipients of list ORACLE-L


The security model of Oracle on both unix and Windows
precludes any ability to prevent access to the database
by a knowledgeable user with root or admin access.

Pete Sharman could no doubt go into some detail here.

I bought his security book, I'll check it out when I get to work.

Could be there's something I've overlooked.  :)

Jared

On Thu, 2003-08-28 at 09:29, DENNIS WILLIAMS wrote:
> Walter
> You may be able to approach this from a security aspect. You could
> discuss with your management whether it is a good idea for the system
> administrators to be in a database. Depending on the security or SLA
> requirements of the database, you may have some leverage there.
>
>
>
> Dennis Williams
> DBA, 80%OCP, 100% DBA
> Lifetouch, Inc.
> [EMAIL PROTECTED]
>
> -Original Message-
> Sent: Thursday, August 28, 2003 11:10 AM
> To: Multiple recipients of list ORACLE-L
>
>
> Well, first of all, root should not be in your dba group...
>
> -Original Message-
> Sent: Thursday, August 28, 2003 8:34 AM
> To: Multiple recipients of list ORACLE-L
>
>
> Just for grins, I'll ask this question... Is there any way to keep the
> Unix "root" user from logging into the database (i.e. connect internal or / as
> sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
>
> We have a couple people in our Unix admin group that feel the need to
> "help" by writing their own DB monitoring scripts. Of course, they don't know
> what they're talking about. They do not have formal logins for the database,
> but since they are root users they are connecting via "connect internal". This
> is not only counterproductive but actually a potential security
> issue--just because someone has root doesn't necessarily entitle them to see the data
> in the database. What if it is a payroll database?
>
> So, I'm curious, is there any way to prevent access via "connect internal"
> or "/ as sysdba"?
>
> Thanks in advance.
>
> W
>


Re: How to keep "root" out?

2003-09-02 Thread Tanel Poder
> Instead of trying to do things in software, which was designed not to
> resist the "root" user,
> why don't we concentrate on specialized hardware and procedures which
> exist for that purpose?
> Guns, threats of violence and blackmail are excellent means of keeping the
> system administrator
> out of the database. After all  they're only human and chances are that a

One more solution would be to migrate to Windows. Then you won't have any
root user.

Tanel.




RE: How to keep "root" out?

2003-09-02 Thread Ron Thomas

ROFL

Dirty Harry--  One of my favorite movie characters

Ron Thomas
Hypercom, Inc
[EMAIL PROTECTED]
Each new user of a new system uncovers a new class of bugs. -- Kernighan


   
 
[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/02/2003 10:44 AM
Please respond to ORACLE-L
To: [EMAIL PROTECTED]
Subject: RE: How to keep "root" out?




OK, everybody is talking about serious software projects designed to keep the "root" user outside of the database. The root user in unix corresponds to the Christian notion of God, particularly when it comes to throwing lightning bolts around. Fortunately for us, there is no analogy with Leda and Swan story in Unix SA world. Essentially, the task is defined as "keep the deity out of the database" and that is not easy. Instead of trying to do things in software, which was designed not to resist the "root" user, why don't we concentrate on specialized hardware and procedures which exist for that purpose? Guns, threats of violence and blackmail are excellent means of keeping the system administrator out of the database. After all they're only human and chances are that a question like "Do ya feel lucky? Well, do ya...root?" will be answered with a resounding "no". Our goal is thus achieved by saving the company time and money. Yet another productive day goes by. Go ahead, make my data.

--
Mladen Gogala
Oracle DBA



-Original Message-
Brian Dunbar
Sent: Tuesday, September 02, 2003 11:54 AM
To: Multiple recipients of list ORACLE-L


Replying to the original post;

Walter K <mailto:[EMAIL PROTECTED]> on Thursday, August 28, 2003 6:34 PM said;

> Just for grins, I'll ask this question... Is there any way to keep the
> Unix "root" user from logging into the database (i.e. connect internal or / as
> sysdba)? Currently using 8.1.7.4 on Solaris 8 here.

> We have a couple people in our Unix admin group that feel the need to
> "help" by writing their own DB monitoring scripts. Of course, they don't know
> what they're talking about.

My perspective is as the system admin who owns the boxes where the databases
live, and as caretaker of some of the applications aboard those servers.

You can jump through hoops to keep root out of the database, but you run the
great risk of locking yourself out of the database if as a last resort
access is somehow removed for all users.  That is what root is for, after
all.  If you can't trust your admins, you've got bigger problems than this.

My suggestion (echoed by others here) is to work with your admins, and tell
them why what they are doing is a bad idea.  If you can give them their own
'backdoor' to the database or a safe way to view the data, you'll both be
better off.

~brian

RE: How to keep "root" out?

2003-09-02 Thread Mladen Gogala
OK, everybody is talking about serious software projects designed to keep the "root" user outside of the database. The root user in unix corresponds to the Christian notion of God, particularly when it comes to throwing lightning bolts around. Fortunately for us, there is no analogy with Leda and Swan story in Unix SA world. Essentially, the task is defined as "keep the deity out of the database" and that is not easy. Instead of trying to do things in software, which was designed not to resist the "root" user, why don't we concentrate on specialized hardware and procedures which exist for that purpose? Guns, threats of violence and blackmail are excellent means of keeping the system administrator out of the database. After all they're only human and chances are that a question like "Do ya feel lucky? Well, do ya...root?" will be answered with a resounding "no". Our goal is thus achieved by saving the company time and money. Yet another productive day goes by. Go ahead, make my data.

--
Mladen Gogala
Oracle DBA 



-Original Message-
Brian Dunbar
Sent: Tuesday, September 02, 2003 11:54 AM
To: Multiple recipients of list ORACLE-L


Replying to the original post;

Walter K on Thursday, August 28, 2003 6:34 PM said;

> Just for grins, I'll ask this question... Is there any way to keep the
> Unix "root" user from logging into the database (i.e. connect internal or / as
> sysdba)? Currently using 8.1.7.4 on Solaris 8 here.

> We have a couple people in our Unix admin group that feel the need to
> "help" by writing their own DB monitoring scripts. Of course, they don't know
> what they're talking about.

My perspective is as the system admin who owns the boxes where the databases
live, and as caretaker of some of the applications aboard those servers.

You can jump through hoops to keep root out of the database, but you run the
great risk of locking yourself out of the database if as a last resort
access is somehow removed for all users.  That is what root is for, after
all.  If you can't trust your admins, you've got bigger problems than this.

My suggestion (echoed by others here) is to work with your admins, and tell
them why what they are doing is a bad idea.  If you can give them their own
'backdoor' to the database or a safe way to view the data, you'll both be
better off.

~brian


RE: How to keep "root" out?

2003-09-02 Thread Brian Dunbar
Replying to the original post;

Walter K on Thursday, August 28, 2003 6:34 PM said;

> Just for grins, I'll ask this question... Is there any way to keep the
> Unix "root" user from logging into the database (i.e. connect internal or / as
> sysdba)? Currently using 8.1.7.4 on Solaris 8 here.

> We have a couple people in our Unix admin group that feel the need to
> "help" by writing their own DB monitoring scripts. Of course, they don't know
> what they're talking about.

My perspective is as the system admin who owns the boxes where the databases
live, and as caretaker of some of the applications aboard those servers.

You can jump through hoops to keep root out of the database, but you run the
great risk of locking yourself out of the database if as a last resort
access is somehow removed for all users.  That is what root is for, after
all.  If you can't trust your admins, you've got bigger problems than this.

My suggestion (echoed by others here) is to work with your admins, and tell
them why what they are doing is a bad idea.  If you can give them their own
'backdoor' to the database or a safe way to view the data, you'll both be
better off.

~brian


RE: How to keep "root" out?

2003-09-02 Thread Sinardy Xing
Well, root can kill that background process.
Why not use a password file? OK, root can delete this file. How about using 9i?
I have not upgraded to 9i; any complaints from 9i users?

-Original Message-
Sent: 02 September 2003 10:02
To: '[EMAIL PROTECTED]'


Hi,

My point is: whenever you see username = sys or system, we kill those users.
Do you think this can work?

I don't know the impact on the system; well, we can use a trigger that spools a temp
script, then an OS `while [true]` loop that listens for such a script and then executes it.

Kind of messy, I think, but there must be a way to prevent internal (sys) or system from
coming in.


Sinardy

-Original Message-
Sent: 01 September 2003 18:05
To: Multiple recipients of list ORACLE-L


Hi!

> I have an idea
>
> 1. Use, let's say, a My_Trusted_SA schema, write a trigger that will disconnect
> new logins as SYS or SYSTEM

How exactly are you planning to disconnect the login? You can't kill your
own session, there's no disconnect or exit command in pl/sql. The only way I
know is to generate an unhandled exception, which doesn't allow the logon (or
use an external library to kill your own server process from OS level, but
this gets unnecessarily complicated).

> 2. If you want to use sys or system, you login as My_Trusted_SA disable
the trigger.

Sys & system do have the administer database trigger privilege, thus they
can log on even if the logon trigger fires an unhandled exception.

Cheers,
Tanel.


>
> What do you think?
>
>
> Sinardy
>
> -Original Message-
> Richard Ji
> Sent: 31 August 2003 13:39
> To: Multiple recipients of list ORACLE-L
>
>
> A strange loop eh?  You must have read GEB. :)
>
>
> -Original Message-
> From: Tim Gorman [mailto:[EMAIL PROTECTED]
> Sent: Sat 8/30/2003 12:49 AM
> To: Multiple recipients of list ORACLE-L
> Cc:
> Subject: Re: How to keep "root" out?
> A...
>
> But if you encrypt it, where do you keep the key?  How do you retrieve it
> for use?  Don't forget to follow the problem to the next step...
>
> ...and when you do, you realize that if nobody can be trusted, then the
> problem of security becomes an Escher print, or a Mobius strip, or the
> infinity symbol, or the exact value of "pi"...
>
>
>
> on 8/29/03 9:29 AM, Richard Ji at [EMAIL PROTECTED] wrote:
>
> > We assume the SA doesn't know much about Oracle.  But if someone is
> > particularly interested in getting into the database, he might be on this
> > list as well, learning all our defense mechanisms. :)
> > Or he doesn't have to be subscribed to it, since this list is mirrored in
> > other places and Google is his friend.
> > I think the bottom line is, if you absolutely don't want the data to be
> > seen, encrypt it.
> >
> > My 2 cents.
> >
> > Richard Ji
> >> -Original Message-
> >> From: Mercadante, Thomas F [mailto:[EMAIL PROTECTED]
> >> Sent: Friday, August 29, 2003 10:31 AM
> >> To: Multiple recipients of list ORACLE-L
> >> Subject: RE: How to keep "root" out?
> >>
> > Walt,
> >
> > Something that has not been suggested - migrate your database to 9.2.
> > Connect as internal goes away.
> >
> > Other than that, I think the best suggestion you got was a conversation,
> > and granting access to the v$ tables thru a specific account for that
> > person.
> >
> > And then put a logon trigger in place tracking all connections to the
> > database.  Keep track of all SYS connections.  At least you know when
> > things happen.  And periodically review the init.ora file for the
> > database to make sure that nobody changes anything.
> >
> > Good Luck!
> >
> > Tom Mercadante
> > Oracle Certified Professional
> >>
> >> -Original Message-
> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> >> Sent: Thursday, August 28, 2003 4:50 PM
> >> To: Multiple recipients of list ORACLE-L
> >> Subject: Re: How to keep "root" out?
> >>
> >>
> >> But someone determined to get in the database can simply edit
> >> sqlnet.ora
> >>
> >>
> >>
> >> "Tanel Poder" <[EMAIL PROTECTED]>
> >> Sent by: [EMAIL PROTECTED]  08/28/2003 10:24 AM
> >>  Please respond to ORACLE-L
> >>
> >> To:Multiple recipients of list ORACLE-L
> >> <[EMAIL PROTECTED]>
> >> cc:
> >> Subject:Re: How to keep "root" out?
> >>
> >>
> >> Hi!
> >>
> >> Put sqlnet.authentication_services = none in your serv

RE: How to keep "root" out?

2003-09-02 Thread Sinardy Xing
Hi,

My point is: whenever you see username = sys or system, we kill those users.
Do you think this can work?

I don't know the impact on the system. Well, we can use a trigger that spools a temp
script, then an OS "while [ true ]" loop that listens for such a script and executes it.

Kind of messy, I think, but there must be a way to prevent internal (sys) or system from
coming in.


Sinardy

-Original Message-
Sent: 01 September 2003 18:05
To: Multiple recipients of list ORACLE-L


Hi!

> I have an idea
>
> 1. Use, let's say, a My_Trusted_SA schema; write a trigger that will disconnect
> new logins as SYS or SYSTEM

How exactly are you planning to disconnect the login? You can't kill your
own session, and there's no disconnect or exit command in PL/SQL. The only way I
know is to generate an unhandled exception, which doesn't allow the logon (or
use an external library to kill your own server process from OS level, but
this gets unnecessarily complicated).

> 2. If you want to use sys or system, you login as My_Trusted_SA disable
the trigger.

Sys & system do have the administer database trigger privilege, thus they
can log on even if the logon trigger fires an unhandled exception.

Cheers,
Tanel.


>
> What do you think?
>
>
> Sinardy
>
> -Original Message-
> Richard Ji
> Sent: 31 August 2003 13:39
> To: Multiple recipients of list ORACLE-L
>
>
> A strange loop eh?  You must have read GEB. :)
>
>
> -Original Message-
> From: Tim Gorman [mailto:[EMAIL PROTECTED]
> Sent: Sat 8/30/2003 12:49 AM
> To: Multiple recipients of list ORACLE-L
> Cc:
> Subject: Re: How to keep "root" out?
> A...
>
> But if you encrypt it, where do you keep the key?  How do you retrieve it
> for use?  Don't forget to follow the problem to the next step...
>
> ...and when you do, you realize that if nobody can be trusted, then the
> problem of security becomes an Escher print, or a Mobius strip, or the
> infinity symbol, or the exact value of "pi"...
>
>
>
> on 8/29/03 9:29 AM, Richard Ji at [EMAIL PROTECTED] wrote:
>
> > We assume the SA doesn't know much about Oracle.  But if someone is
> > particularly interested in getting into the database, he might be on this
> > list as well, learning all our defense mechanisms. :)
> > Or he doesn't have to be subscribed to it, since this list is mirrored in
> > other places and Google is his friend.
> > I think the bottom line is, if you absolutely don't want the data to be
> > seen, encrypt it.
> >
> > My 2 cents.
> >
> > Richard Ji
> >> -Original Message-
> >> From: Mercadante, Thomas F [mailto:[EMAIL PROTECTED]
> >> Sent: Friday, August 29, 2003 10:31 AM
> >> To: Multiple recipients of list ORACLE-L
> >> Subject: RE: How to keep "root" out?
> >>
> > Walt,
> >
> > Something that has not been suggested - migrate your database to 9.2.
> > Connect as internal goes away.
> >
> > Other than that, I think the best suggestion you got was a conversation,
> > and granting access to the v$ tables thru a specific account for that
> > person.
> >
> > And then put a logon trigger in place tracking all connections to the
> > database.  Keep track of all SYS connections.  At least you know when
> > things happen.  And periodically review the init.ora file for the
> > database to make sure that nobody changes anything.
> >
> > Good Luck!
> >
> > Tom Mercadante
> > Oracle Certified Professional
> >>
> >> -Original Message-
> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> >> Sent: Thursday, August 28, 2003 4:50 PM
> >> To: Multiple recipients of list ORACLE-L
> >> Subject: Re: How to keep "root" out?
> >>
> >>
> >> But someone determined to get in the database can simply edit
> >> sqlnet.ora
> >>
> >>
> >>
> >> "Tanel Poder" <[EMAIL PROTECTED]>
> >> Sent by: [EMAIL PROTECTED]  08/28/2003 10:24 AM
> >>  Please respond to ORACLE-L
> >>
> >> To:Multiple recipients of list ORACLE-L
> >> <[EMAIL PROTECTED]>
> >> cc:
> >> Subject:Re: How to keep "root" out?
> >>
> >>
> >> Hi!
> >>
> >> Put sqlnet.authentication_services = none in your server's sqlnet.ora.
> >> Then everyone has to use a password.
> >>
> >> Tanel.
> >>
> >> - Original Message -
> >> From: Walter K <mailto:[EMAIL PROTECTED]>
> >> To: Multiple recipients of l

Re: How to keep "root" out?

2003-09-01 Thread Tanel Poder
Hi!

> I have an idea
>
> 1. Use, let's say, a My_Trusted_SA schema; write a trigger that will disconnect
> new logins as SYS or SYSTEM

How exactly are you planning to disconnect the login? You can't kill your
own session, and there's no disconnect or exit command in PL/SQL. The only way I
know is to generate an unhandled exception, which doesn't allow the logon (or
use an external library to kill your own server process from OS level, but
this gets unnecessarily complicated).

> 2. If you want to use sys or system, you login as My_Trusted_SA disable
the trigger.

Sys & system do have the administer database trigger privilege, thus they
can log on even if the logon trigger fires an unhandled exception.

Cheers,
Tanel.


>
> What do you think?
>
>
> Sinardy
>
> -Original Message-
> Richard Ji
> Sent: 31 August 2003 13:39
> To: Multiple recipients of list ORACLE-L
>
>
> A strange loop eh?  You must have read GEB. :)
>
>
> -Original Message-
> From: Tim Gorman [mailto:[EMAIL PROTECTED]
> Sent: Sat 8/30/2003 12:49 AM
> To: Multiple recipients of list ORACLE-L
> Cc:
> Subject: Re: How to keep "root" out?
> A...
>
> But if you encrypt it, where do you keep the key?  How do you retrieve it
> for use?  Don't forget to follow the problem to the next step...
>
> ...and when you do, you realize that if nobody can be trusted, then the
> problem of security becomes an Escher print, or a Mobius strip, or the
> infinity symbol, or the exact value of "pi"...
>
>
>
> on 8/29/03 9:29 AM, Richard Ji at [EMAIL PROTECTED] wrote:
>
> > We assume the SA doesn't know much about Oracle.  But if someone is
> > particularly interested in getting into the database, he might be on this
> > list as well, learning all our defense mechanisms. :)
> > Or he doesn't have to be subscribed to it, since this list is mirrored in
> > other places and Google is his friend.
> > I think the bottom line is, if you absolutely don't want the data to be
> > seen, encrypt it.
> >
> > My 2 cents.
> >
> > Richard Ji
> >> -Original Message-
> >> From: Mercadante, Thomas F [mailto:[EMAIL PROTECTED]
> >> Sent: Friday, August 29, 2003 10:31 AM
> >> To: Multiple recipients of list ORACLE-L
> >> Subject: RE: How to keep "root" out?
> >>
> > Walt,
> >
> > Something that has not been suggested - migrate your database to 9.2.
> > Connect as internal goes away.
> >
> > Other than that, I think the best suggestion you got was a conversation,
> > and granting access to the v$ tables thru a specific account for that
> > person.
> >
> > And then put a logon trigger in place tracking all connections to the
> > database.  Keep track of all SYS connections.  At least you know when
> > things happen.  And periodically review the init.ora file for the
> > database to make sure that nobody changes anything.
> >
> > Good Luck!
> >
> > Tom Mercadante
> > Oracle Certified Professional
> >>
> >> -Original Message-
> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> >> Sent: Thursday, August 28, 2003 4:50 PM
> >> To: Multiple recipients of list ORACLE-L
> >> Subject: Re: How to keep "root" out?
> >>
> >>
> >> But someone determined to get in the database can simply edit
> >> sqlnet.ora
> >>
> >>
> >>
> >> "Tanel Poder" <[EMAIL PROTECTED]>
> >> Sent by: [EMAIL PROTECTED]  08/28/2003 10:24 AM
> >>  Please respond to ORACLE-L
> >>
> >> To:Multiple recipients of list ORACLE-L
> >> <[EMAIL PROTECTED]>
> >> cc:
> >> Subject:Re: How to keep "root" out?
> >>
> >>
> >> Hi!
> >>
> >> Put sqlnet.authentication_services = none in your server's sqlnet.ora.
> >> Then everyone has to use a password.
> >>
> >> Tanel.
> >>
> >> - Original Message -
> >> From: Walter K <mailto:[EMAIL PROTECTED]>
> >> To: Multiple recipients of list ORACLE-L <mailto:[EMAIL PROTECTED]>
> >> Sent: Thursday, August 28, 2003 6:34 PM
> >> Subject: How to keep "root" out?
> >>
> >> Just for grins, I'll ask this question... Is there any way to keep the
> >> Unix "root" user from logging into the database (i.e. connect internal
> >> or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
> >>
> >> We have a couple people in our U

RE: How to keep "root" out?

2003-09-01 Thread Sinardy Xing
I have an idea

1. Use, let's say, a My_Trusted_SA schema; write a trigger that will disconnect new logins as
SYS or SYSTEM.
2. If you want to use sys or system, you log in as My_Trusted_SA and disable the trigger.

What do you think?


Sinardy

-Original Message-
Richard Ji
Sent: 31 August 2003 13:39
To: Multiple recipients of list ORACLE-L


A strange loop eh?  You must have read GEB. :)


-Original Message-
From:   Tim Gorman [mailto:[EMAIL PROTECTED]
Sent:   Sat 8/30/2003 12:49 AM
To: Multiple recipients of list ORACLE-L
Cc: 
Subject:Re: How to keep "root" out?
A...

But if you encrypt it, where do you keep the key?  How do you retrieve it
for use?  Don't forget to follow the problem to the next step...

...and when you do, you realize that if nobody can be trusted, then the
problem of security becomes an Escher print, or a Mobius strip, or the
infinity symbol, or the exact value of "pi"...



on 8/29/03 9:29 AM, Richard Ji at [EMAIL PROTECTED] wrote:

> We assume the SA doesn't know much about Oracle.  But if someone is
> particularly interested in getting into the database, he might be on this
> list as well, learning all our defense mechanisms. :)
> Or he doesn't have to be subscribed to it, since this list is mirrored in
> other places and Google is his friend.
> I think the bottom line is, if you absolutely don't want the data to be seen,
> encrypt it.
>  
> My 2 cents.
>  
> Richard Ji
>> -Original Message-
>> From: Mercadante, Thomas F [mailto:[EMAIL PROTECTED]
>> Sent: Friday, August 29, 2003 10:31 AM
>> To: Multiple recipients of list ORACLE-L
>> Subject: RE: How to keep "root" out?
>> 
> Walt,
>  
> Something that has not been suggested - migrate your database to 9.2.  Connect
> as internal goes away.
>  
> Other than that, I think the best suggestion you got was a conversation, and
> granting access to the v$ tables thru a specific account for that person.
> 
> And then put a logon trigger in place tracking all connections to the database.
> Keep track of all SYS connections.  At least you know when things happen.  And
> periodically review the init.ora file for the database to make sure that
> nobody changes anything.
>  
> Good Luck!
>  
> Tom Mercadante 
> Oracle Certified Professional
>> 
>> -Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, August 28, 2003 4:50 PM
>> To: Multiple recipients of list ORACLE-L
>> Subject: Re: How to keep "root" out?
>> 
>> 
>> But someone determined to get in the database can simply edit sqlnet.ora
>> 
>> 
>> 
>> "Tanel Poder" <[EMAIL PROTECTED]>
>> Sent by: [EMAIL PROTECTED]  08/28/2003 10:24 AM
>>  Please respond to ORACLE-L
>> 
>> To:Multiple recipients of list ORACLE-L
>> <[EMAIL PROTECTED]>
>> cc: 
>> Subject:Re: How to keep "root" out?
>> 
>> 
>> Hi! 
>>   
>> Put sqlnet.authentication_services = none in your server's sqlnet.ora. Then
>> everyone has to use a password.
>>   
>> Tanel. 
>>   
>> - Original Message -
>> From: Walter K <mailto:[EMAIL PROTECTED]>
>> To: Multiple recipients of list ORACLE-L <mailto:[EMAIL PROTECTED]>
>> Sent: Thursday, August 28, 2003 6:34 PM
>> Subject: How to keep "root" out?
>> 
>> Just for grins, I'll ask this question... Is there any way to keep the Unix
>> "root" user from logging into the database (i.e. connect internal or / as
>> sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
>>   
>> We have a couple people in our Unix admin group that feel the need to "help"
>> by writing their own DB monitoring scripts. Of course, they don't know what
>> they're talking about. They do not have formal logins for the database, but
>> since they are root users they are connecting via "connect internal". This is
>> not only counterproductive but actually a potential security issue--just
>> because someone has root doesn't necessarily entitle them to see the data in
>> the database. What if it is a payroll database?
>>   
>> So, I'm curious, is there any way to prevent access via "connect internal" or
>> "/ as sysdba"? 
>>   
>> Thanks in advance.
>>   
>> W 
>> 
> 



-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Sinardy Xing
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
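
The sqlnet.ora setting Tanel suggests, the reply that root can simply edit that file, and Tom's advice to review init.ora periodically (all quoted in the message above) come down to one practical step: script the check and keep a baseline to compare against. The script below is an added example written for this page, not code from anyone on the thread. It assumes a POSIX sh with awk and cksum; the function names (sqlnet_auth_services, os_auth_disabled, take_baseline, check_baseline, write_samples) are mine, and the sqlnet.ora, init.ora and password-file contents it reads are constructed stand-ins, not files from any real system.

```shell
#!/bin/sh
# Added example for this page, not code from the thread.
# 1. sqlnet_auth_services / os_auth_disabled: read SQLNET.AUTHENTICATION_SERVICES
#    from a sqlnet.ora and report whether OS authentication is switched off.
# 2. take_baseline / check_baseline: checksum sqlnet.ora, init.ora and the
#    password file, then report any file that changed since the baseline.
# Assumptions: POSIX sh, awk(1), cksum(1). The files written by write_samples
# are constructed for the demo; none of the paths are real.

# Print the value of SQLNET.AUTHENTICATION_SERVICES in file $1, upper-cased and
# stripped of blanks and parentheses ("NONE", "BEQ,TCPS", ...). Prints UNSET when
# the parameter is absent; the check below treats anything but NONE as
# "OS authentication may still work".
sqlnet_auth_services() {
    awk -F= '
        /^[ \t]*#/ { next }
        toupper($1) ~ /^[ \t]*SQLNET\.AUTHENTICATION_SERVICES[ \t]*$/ {
            v = toupper($2); gsub(/[ \t()]/, "", v); print v; found = 1; exit
        }
        END { if (!found) print "UNSET" }' "$1"
}

# Returns 0 when OS authentication is explicitly disabled in $1, 1 otherwise.
os_auth_disabled() {
    [ "$(sqlnet_auth_services "$1")" = "NONE" ]
}

# Write one "checksum size path" line per file (the baseline) to stdout.
take_baseline() {
    cksum "$@"
}

# Re-checksum every file listed in baseline file $1. Prints "CHANGED: path" for
# each file whose checksum or size differs (or that is gone); returns 1 if any did.
check_baseline() {
    rc=0
    while read -r sum size path; do
        now=$(cksum "$path" 2>/dev/null | awk '{ print $1, $2 }')
        if [ "$now" != "$sum $size" ]; then
            echo "CHANGED: $path"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample files: a sqlnet.ora set as Tanel suggests, plus stand-ins
# for init.ora and the password file. $1 is the directory to write them into.
write_samples() {
    mkdir -p "$1"
    cat > "$1/sqlnet.ora" <<'EOF'
# constructed sample sqlnet.ora
NAMES.DIRECTORY_PATH = (TNSNAMES, ONAMES)
SQLNET.AUTHENTICATION_SERVICES = (NONE)
EOF
    printf 'db_name = PAYROLL\nremote_login_passwordfile = exclusive\n' > "$1/initPAYROLL.ora"
    printf 'stand-in for the orapw file, not a real one\n' > "$1/orapwPAYROLL"
}

# Walk-through on the constructed files.
WORK=${TMPDIR:-/tmp}/keep-root-out.$$
write_samples "$WORK"
take_baseline "$WORK/sqlnet.ora" "$WORK/initPAYROLL.ora" "$WORK/orapwPAYROLL" > "$WORK/baseline"
os_auth_disabled "$WORK/sqlnet.ora" && echo "sqlnet.ora: OS authentication is off"

# Someone with root puts OS authentication back ...
printf 'SQLNET.AUTHENTICATION_SERVICES = (BEQ)\n' > "$WORK/sqlnet.ora"
os_auth_disabled "$WORK/sqlnet.ora" || echo "sqlnet.ora: OS authentication is ON ($(sqlnet_auth_services "$WORK/sqlnet.ora"))"
# ... and the baseline comparison is what tells you it happened.
check_baseline "$WORK/baseline" || echo "baseline: a watched file was modified"
rm -rf "$WORK"
```

The baseline only helps if root cannot rewrite it along with the file, so take it from, and run check_baseline against a copy fetched to, a host the SA does not administer. On the database host itself this is a detective control, not a preventive one, which is the thread's point.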


RE: How to keep "root" out?

2003-08-31 Thread Richard Ji
A strange loop eh?  You must have read GEB. :)


-Original Message-
From:   Tim Gorman [mailto:[EMAIL PROTECTED]
Sent:   Sat 8/30/2003 12:49 AM
To: Multiple recipients of list ORACLE-L
Cc: 
Subject:Re: How to keep "root" out?
A...

But if you encrypt it, where do you keep the key?  How do you retrieve it
for use?  Don't forget to follow the problem to the next step...

...and when you do, you realize that if nobody can be trusted, then the
problem of security becomes an Escher print, or a Mobius strip, or the
infinity symbol, or the exact value of "pi"...



on 8/29/03 9:29 AM, Richard Ji at [EMAIL PROTECTED] wrote:

> We assume the SA doesn't know much about Oracle.  But if someone is
> particularly interested in getting into the database, he might be on this
> list as well, learning all our defense mechanisms. :)
> Or he doesn't have to be subscribed to it, since this list is mirrored in
> other places and Google is his friend.
> I think the bottom line is, if you absolutely don't want the data to be seen,
> encrypt it.
>  
> My 2 cents.
>  
> Richard Ji
>> -Original Message-
>> From: Mercadante, Thomas F [mailto:[EMAIL PROTECTED]
>> Sent: Friday, August 29, 2003 10:31 AM
>> To: Multiple recipients of list ORACLE-L
>> Subject: RE: How to keep "root" out?
>> 
> Walt,
>  
> Something that has not been suggested - migrate your database to 9.2.  Connect
> as internal goes away.
>  
> Other than that, I think the best suggestion you got was a conversation, and
> granting access to the v$ tables thru a specific account for that person.
> 
> And then put a logon trigger in place tracking all connections to the database.
> Keep track of all SYS connections.  At least you know when things happen.  And
> periodically review the init.ora file for the database to make sure that
> nobody changes anything.
>  
> Good Luck!
>  
> Tom Mercadante 
> Oracle Certified Professional
>> 
>> -Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, August 28, 2003 4:50 PM
>> To: Multiple recipients of list ORACLE-L
>> Subject: Re: How to keep "root" out?
>> 
>> 
>> But someone determined to get in the database can simply edit sqlnet.ora
>> 
>> 
>> 
>> "Tanel Poder" <[EMAIL PROTECTED]>
>> Sent by: [EMAIL PROTECTED]  08/28/2003 10:24 AM
>>  Please respond to ORACLE-L
>> 
>> To:Multiple recipients of list ORACLE-L
>> <[EMAIL PROTECTED]>
>> cc: 
>> Subject:Re: How to keep "root" out?
>> 
>> 
>> Hi! 
>>   
>> Put sqlnet.authentication_services = none in your server's sqlnet.ora. Then
>> everyone has to use a password.
>>   
>> Tanel. 
>>   
>> - Original Message -
>> From: Walter K <mailto:[EMAIL PROTECTED]>
>> To: Multiple recipients of list ORACLE-L <mailto:[EMAIL PROTECTED]>
>> Sent: Thursday, August 28, 2003 6:34 PM
>> Subject: How to keep "root" out?
>> 
>> Just for grins, I'll ask this question... Is there any way to keep the Unix
>> "root" user from logging into the database (i.e. connect internal or / as
>> sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
>>   
>> We have a couple people in our Unix admin group that feel the need to "help"
>> by writing their own DB monitoring scripts. Of course, they don't know what
>> they're talking about. They do not have formal logins for the database, but
>> since they are root users they are connecting via "connect internal". This is
>> not only counterproductive but actually a potential security issue--just
>> because someone has root doesn't necessarily entitle them to see the data in
>> the database. What if it is a payroll database?
>>   
>> So, I'm curious, is there any way to prevent access via "connect internal" or
>> "/ as sysdba"? 
>>   
>> Thanks in advance.
>>   
>> W 
>> 
> 




Re: How to keep "root" out?

2003-08-30 Thread Corniche Park
> Put the following code snippet
>
>   if [ "$LOGNAME" = "root" ]; then
>       init 0
>   fi
>
> in your oraenv. I guarantee you that the SA will no longer be
> connecting as SYSDBA.

Maybe it will happen once. A smart SA will suppress it next time.
Or he/she can always create another OS account with id = 0, gid (root)
and then use that subsequently while trying to use Oracle, or
log in as 'x', which is a non-root account, and then
su root, followed by cd $ORACLE_HOME, source .profile/oraenv, get going.


GovindanK

> Better yet, put the following lines
>
> echo ORA-600 [kgfdjjks] [scdcsc] [dssdcdcsdc] [45] [999] Unauthorized root
> access
>
> then print some garbage into a file named like the regular trace files in
> user_dump_dest directory. Open up a iTAR and show this "trace" file to
> your SA's manager, along with the TAR number. Let the fun begin.
>   - Original Message -
>   From: Mladen Gogala
>   To: Multiple recipients of list ORACLE-L
>   Sent: Thursday, August 28, 2003 1:04 PM
>   Subject: RE: How to keep "root" out?
>
>
>   Put the following code snippet
>
>     if [ "$LOGNAME" = "root" ]; then
>         init 0
>     fi
>
>   in your oraenv. I guarantee you that the SA will no longer be connecting
>   as SYSDBA.
>
>
>   --
>   Mladen Gogala
>   Oracle DBA
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Walter K
> Sent: Thursday, August 28, 2003 11:34 AM
> To: Multiple recipients of list ORACLE-L
> Subject: How to keep "root" out?
>
>
> Just for grins, I'll ask this question... Is there any way to keep the
> Unix "root" user from logging into the database (i.e. connect internal
> or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
>
> We have a couple people in our Unix admin group that feel the need to
> "help" by writing their own DB monitoring scripts. Of course, they
> don't know what they're talking about. They do not have formal logins
> for the database, but since they are root users they are connecting
> via "connect internal". This is not only counterproductive but
> actually a potential security issue--just because someone has root
> doesn't necessarily entitle them to see the data in the database. What
> if it is a payroll database?
>
> So, I'm curious, is there any way to prevent access via "connect
> internal" or "/ as sysdba"?
>
> Thanks in advance.
>
> W
>

-- 
Author: Corniche Park
  INET: [EMAIL PROTECTED]
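
GovindanK's two objections to the oraenv snippet above (a second uid-0 account, or a plain user who then runs su root, which leaves LOGNAME unchanged) are easy to demonstrate. The script below is an added example written for this page, not code from anyone on the thread. It assumes a POSIX sh with awk and id(1); the function names (root_by_logname, root_by_euid, list_uid0_accounts, oraenv_guard, write_sample_passwd) are mine, and the passwd file it reads is constructed for the demo, not a system file. It contrasts the login-name test with a test of the effective uid, lists every uid-0 account, and replaces the snippet's init 0 with a refusal to set up the environment.

```shell
#!/bin/sh
# Added example for this page, not code from the thread. It shows why testing
# $LOGNAME in oraenv is the wrong hook and what checking the effective uid buys,
# together with a listing of every uid-0 account in a passwd file.
# Assumptions: POSIX sh, awk(1), id(1). The passwd file written by
# write_sample_passwd is constructed for the demo and is not a system file.

# The proposed check: trust the login name. $1 stands in for $LOGNAME.
# Misses a second uid-0 account, and "su root" without "-", which leaves
# LOGNAME set to the original user.
root_by_logname() {
    [ "$1" = "root" ]
}

# Check the effective uid instead. $1 stands in for $(id -u); defaults to the
# real value when called with no argument.
root_by_euid() {
    [ "${1:-$(id -u)}" -eq 0 ]
}

# Print, space-separated, every account whose uid is 0 in passwd file $1
# (defaults to /etc/passwd), whatever the account is called.
list_uid0_accounts() {
    awk -F: '$3 == 0 { printf "%s%s", sep, $1; sep = " " } END { print "" }' "${1:-/etc/passwd}"
}

# What an oraenv hook can reasonably do: decline to set up the Oracle
# environment for uid 0 and say so ("init 0" from the thread would halt the
# box, and the SA simply removes the line next time). $1 is the effective uid,
# $2 the login name; returns 1 when the hook would block.
oraenv_guard() {
    if root_by_euid "$1"; then
        echo "oraenv: not setting up Oracle for uid 0 (LOGNAME=$2); use a named DB account" >&2
        return 1
    fi
    return 0
}

# Constructed sample passwd: root, a second uid-0 account, and two ordinary users.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
toor:x:0:1:second uid-0 account added by the SA:/:/sbin/sh
oracle:x:101:101:Oracle software owner:/export/home/oracle:/bin/ksh
walt:x:1001:10:Walter K:/export/home/walt:/bin/ksh
EOF
}

# Walk-through.
SAMPLE_PASSWD=${TMPDIR:-/tmp}/passwd.keep-root-out.$$
write_sample_passwd "$SAMPLE_PASSWD"
echo "uid-0 accounts: $(list_uid0_accounts "$SAMPLE_PASSWD")"

# Scenario 1: the SA logs in as toor. Only the euid test notices.
root_by_logname toor || echo "LOGNAME test: toor passes"
root_by_euid 0 && echo "euid test: toor is uid 0"

# Scenario 2: the SA logs in as walt, then runs "su root" (no dash).
# LOGNAME is still walt, but the effective uid is 0.
oraenv_guard 0 walt || echo "guard: blocked the su'd session"
oraenv_guard 1001 walt && echo "guard: walt's own session is fine"

rm -f "$SAMPLE_PASSWD"
```

Even this is only friction: root owns oraenv and can delete the line, or simply not source it, which is exactly the "smart SA" case GovindanK describes. Treat it as a way to stop well-meaning admins wandering in by habit, not as access control.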


Re: How to keep "root" out?

2003-08-30 Thread Tim Gorman
A...

But if you encrypt it, where do you keep the key?  How do you retrieve it for use?  Don’t forget to follow the problem to the next step...

...and when you do, you realize that if nobody can be trusted, then the problem of security becomes an Escher print, or a Mobius strip, or the infinity symbol, or the exact value of “pi”...



on 8/29/03 9:29 AM, Richard Ji at [EMAIL PROTECTED] wrote:

We assume the SA doesn't know much about Oracle.  But if someone is particularly interested in
getting into the database, he might be on this list as well, learning all our defense mechanisms. :)
Or he doesn't have to be subscribed to it, since this list is mirrored in other places and Google is his friend.
I think the bottom line is, if you absolutely don't want the data to be seen, encrypt it.
 
My 2 cents.
 
Richard Ji
-Original Message-
From: Mercadante, Thomas F [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 10:31 AM
To: Multiple recipients of list ORACLE-L
Subject: RE: How to keep "root" out?

Walt,
 
Something that has not been suggested - migrate your database to 9.2.  Connect as internal goes away.
 
Other than that, I think the best suggestion you got was a conversation, and granting access to the v$ tables thru a specific account for that person.

And then put a logon trigger in place tracking all connections to the database.  Keep track of all SYS connections.  At least you know when things happen.  And periodically review the init.ora file for the database to make sure that nobody changes anything.
 
Good Luck!
 
Tom Mercadante 
Oracle Certified Professional 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 28, 2003 4:50 PM
To: Multiple recipients of list ORACLE-L
Subject: Re: How to keep "root" out?


But someone determined to get in the database can simply edit sqlnet.ora

"Tanel Poder" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]  08/28/2003 10:24 AM
Please respond to ORACLE-L

To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
cc:
Subject: Re: How to keep "root" out?


Hi! 
  
Put sqlnet.authentication_services = none in your server's sqlnet.ora. Then everyone has to use a password. 
  
Tanel. 
  
- Original Message - 
From: Walter K   
To: Multiple recipients of list ORACLE-L   
Sent: Thursday, August 28, 2003 6:34 PM 
Subject: How to keep "root" out? 

Just for grins, I'll ask this question... Is there any way to keep the Unix "root" user from logging into the database (i.e. connect internal or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here. 
  
We have a couple people in our Unix admin group that feel the need to "help" by writing their own DB monitoring scripts. Of course, they don't know what they're talking about. They do not have formal logins for the database, but since they are root users they are connecting via "connect internal". This is not only counterproductive but actually a potential security issue--just because someone has root doesn't necessarily entitle them to see the data in the database. What if it is a payroll database? 
  
So, I'm curious, is there any way to prevent access via "connect internal" or "/ as sysdba"? 
  
Thanks in advance. 
  
W


RE: How to keep "root" out?

2003-08-29 Thread Jesse, Rich
We don't like nobody and we're taking over, using our strange and wonderful
mutant powers if necessary.  That and a 10g install on RedHat 10.

Rich

Rich Jesse   System/Database Administrator
[EMAIL PROTECTED]  Quad/Tech Inc, Sussex, WI USA



-Original Message-
Sent: Friday, August 29, 2003 2:05 PM
To: Multiple recipients of list ORACLE-L


What about those mutants?
-Original Message-
Sent: Friday, August 29, 2003 1:44 PM
To: Multiple recipients of list ORACLE-L


Nope. It's against the law of evolution. SA has to work hard to evolve to
become a DBA. The regular, unevolved specimens
of systemadministraticus vulgaris would be bored to death on this list. It's
about the survival of the fittest, remember?


--
Mladen Gogala
Oracle DBA 
-- 
Author: Jesse, Rich
  INET: [EMAIL PROTECTED]


RE: How to keep "root" out?

2003-08-29 Thread Richard Ji
What about those mutants?

-Original Message-
From: Mladen Gogala [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 1:44 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: How to keep "root" out?

Nope. It's against the law of evolution. SA has to work hard to evolve to become a DBA. The regular, unevolved specimens of systemadministraticus vulgaris would be bored to death on this list. It's about the survival of the fittest, remember?

--
Mladen Gogala
Oracle DBA

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Ji
Sent: Friday, August 29, 2003 12:29 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: How to keep "root" out?

We assume the SA doesn't know much about Oracle.  But if someone is particularly interested in getting into the database, he might be on this list as well, learning all our defense mechanisms. :)
Or he doesn't have to be subscribed to it, since this list is mirrored in other places and Google is his friend.
I think the bottom line is, if you absolutely don't want the data to be seen, encrypt it.

My 2 cents.

Richard Ji

-Original Message-
From: Mercadante, Thomas F [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 10:31 AM
To: Multiple recipients of list ORACLE-L
Subject: RE: How to keep "root" out?

Walt,

Something that has not been suggested - migrate your database to 9.2.  Connect as internal goes away.

Other than that, I think the best suggestion you got was a conversation, and granting access to the v$ tables thru a specific account for that person.

And then put a logon trigger in place tracking all connections to the database.  Keep track of all SYS connections.  At least you know when things happen.  And periodically review the init.ora file for the database to make sure that nobody changes anything.

Good Luck!

Tom Mercadante
Oracle Certified Professional

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 28, 2003 4:50 PM
To: Multiple recipients of list ORACLE-L
Subject: Re: How to keep "root" out?

But someone determined to get in the database can simply edit sqlnet.ora

"Tanel Poder" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]  08/28/2003 10:24 AM
Please respond to ORACLE-L

To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
cc:
Subject: Re: How to keep "root" out?

Hi!

Put sqlnet.authentication_services = none in your server's sqlnet.ora. Then everyone has to use a password.

Tanel.

- Original Message -
From: Walter K
To: Multiple recipients of list ORACLE-L
Sent: Thursday, August 28, 2003 6:34 PM
Subject: How to keep "root" out?

Just for grins, I'll ask this question... Is there any way to keep the Unix "root" user from logging into the database (i.e. connect internal or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.

We have a couple people in our Unix admin group that feel the need to "help" by writing their own DB monitoring scripts. Of course, they don't know what they're talking about. They do not have formal logins for the database, but since they are root users they are connecting via "connect internal". This is not only counterproductive but actually a potential security issue--just because someone has root doesn't necessarily entitle them to see the data in the database. What if it is a payroll database?

So, I'm curious, is there any way to prevent access via "connect internal" or "/ as sysdba"?

Thanks in advance.

W

Note:
This message is for the named person's use only.  It may contain confidential, proprietary or legally privileged information.  No confidentiality or privilege is waived or lost by any mistransmission.  If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender.  You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not

RE: How to keep "root" out?

2003-08-29 Thread Mladen Gogala
Title: Message



Nope. 
It's against the law of evolution. SA has to work hard evolve to become a 
DBA. The regular, unevolved specimens
of 
systemadministraticus vulgaris would be bored to death on this list. It's 
about the survival of the fittest, remember?
 
 
--Mladen GogalaOracle DBA 

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
  Richard JiSent: Friday, August 29, 2003 12:29 PMTo: 
  Multiple recipients of list ORACLE-LSubject: RE: How to keep "root" 
  out?
  We 
  assume the SA don't know much about Oracle.  But if some one is 
  particularly interested in
  getting into the database, he might be on this list 
  as well learning all our defense mechanisms. :)
  Or 
  doesn't have to be subscribed to it since this list is mirrored other places 
  and google is his friend.
  I 
  think the bottom line is, if you absolutely don't want the data to be seen, 
  encrypt it.
   
  My 2 
  cents.
   
  Richard Ji
  
-Original Message-
From: Mercadante, Thomas F [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 10:31 AM
To: Multiple recipients of list ORACLE-L
Subject: RE: How to keep "root" out?

Walt,

Something that has not been suggested - migrate your database to 9.2.
Connect as internal goes away.

Other than that, I think the best suggestion you got was a conversation,
and granting access to the v$ tables thru a specific account for that
person.
And then put a logon trigger in place tracking all connections to the
database.  Keep track of all SYS connections.  At least you know when
things happen.  And periodically review the init.ora file for the database
to make sure that nobody changes anything.

Good Luck!

Tom Mercadante
Oracle Certified Professional

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, August 28, 2003 4:50 PM
  To: Multiple recipients of list ORACLE-L
  Subject: Re: How to keep "root" out?

  But someone determined to get in the database can simply edit sqlnet.ora

  "Tanel Poder" <[EMAIL PROTECTED]>
  Sent by: [EMAIL PROTECTED]
  08/28/2003 10:24 AM
  Please respond to ORACLE-L

  To:      Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
  cc:
  Subject: Re: How to keep "root" out?

  Hi!

  Put sqlnet.authentication_services = none in your server's sqlnet.ora.
  Then everyone has to use a password.

  Tanel.

  - Original Message -
  From: Walter K
  To: Multiple recipients of list ORACLE-L
  Sent: Thursday, August 28, 2003 6:34 PM
  Subject: How to keep "root" out?

  Just for grins, I'll ask this question... Is there any way to keep the
  Unix "root" user from logging into the database (i.e. connect internal or
  / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.

  We have a couple people in our Unix admin group that feel the need to
  "help" by writing their own DB monitoring scripts. Of course, they don't
  know what they're talking about. They do not have formal logins for the
  database, but since they are root users they are connecting via "connect
  internal". This is not only counterproductive but actually a potential
  security issue--just because someone has root doesn't necessarily entitle
  them to see the data in the database. What if it is a payroll database?

  So, I'm curious, is there any way to prevent access via "connect internal"
  or "/ as sysdba"?

  Thanks in advance.

  W

 
 
 



RE: How to keep "root" out?

2003-08-29 Thread Richard Ji



We assume the SA doesn't know much about Oracle.  But if someone is
particularly interested in getting into the database, he might be on this
list as well, learning all our defense mechanisms. :)
Or he doesn't have to be subscribed to it, since this list is mirrored in
other places and Google is his friend.
I think the bottom line is, if you absolutely don't want the data to be seen,
encrypt it.

My 2 cents.

Richard Ji

  -Original Message-
  From: Mercadante, Thomas F [mailto:[EMAIL PROTECTED]
  Sent: Friday, August 29, 2003 10:31 AM
  To: Multiple recipients of list ORACLE-L
  Subject: RE: How to keep "root" out?

  Walt,

  Something that has not been suggested - migrate your database to 9.2.
  Connect as internal goes away.

  Other than that, I think the best suggestion you got was a conversation,
  and granting access to the v$ tables thru a specific account for that
  person.
  And then put a logon trigger in place tracking all connections to the
  database.  Keep track of all SYS connections.  At least you know when
  things happen.  And periodically review the init.ora file for the
  database to make sure that nobody changes anything.

  Good Luck!

  Tom Mercadante
  Oracle Certified Professional
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 28, 2003 4:50 PM
To: Multiple recipients of list ORACLE-L
Subject: Re: How to keep "root" out?

But someone determined to get in the database can simply edit sqlnet.ora

"Tanel Poder" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/28/2003 10:24 AM
Please respond to ORACLE-L

To:      Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
cc:
Subject: Re: How to keep "root" out?

Hi!

Put sqlnet.authentication_services = none in your server's sqlnet.ora.
Then everyone has to use a password.

Tanel.

- Original Message -
From: Walter K
To: Multiple recipients of list ORACLE-L
Sent: Thursday, August 28, 2003 6:34 PM
Subject: How to keep "root" out?

Just for grins, I'll ask this question... Is there any way to keep the Unix
"root" user from logging into the database (i.e. connect internal or / as
sysdba)? Currently using 8.1.7.4 on Solaris 8 here.

We have a couple people in our Unix admin group that feel the need to "help"
by writing their own DB monitoring scripts. Of course, they don't know what
they're talking about. They do not have formal logins for the database, but
since they are root users they are connecting via "connect internal". This
is not only counterproductive but actually a potential security issue--just
because someone has root doesn't necessarily entitle them to see the data in
the database. What if it is a payroll database?

So, I'm curious, is there any way to prevent access via "connect internal"
or "/ as sysdba"?

Thanks in advance.

W



RE: How to keep "root" out?

2003-08-29 Thread Jesse, Rich
Good point.  Also, SYS becomes AUDITable in 9i, which should help an
after-the-fact whodunnit, especially if the hostname (or IP) is properly
captured.  It's not prevention (I still don't think that's possible if the
user has root access), but it can provide a good trail of bread crumbs to
follow back to the crumbdumb.


Rich

Rich Jesse   System/Database Administrator
[EMAIL PROTECTED]  Quad/Tech Inc, Sussex, WI USA


-Original Message-
Sent: Friday, August 29, 2003 9:31 AM
To: Multiple recipients of list ORACLE-L


Walt,
 
Something that has not been suggested - migrate your database to 9.2.
Connect as internal goes away.
 
Other than that, I think the best suggestion you got was a conversation, and
granting access to the v$ tables thru a specific account for that person.

And then put a logon trigger in place tracking all connections to the
database.  Keep track of all SYS connections.  At least you know when things
happen.  And periodically review the init.ora file for the database to make
sure that nobody changes anything.
 
Good Luck!

Tom Mercadante 
Oracle Certified Professional 
-Original Message-
Sent: Thursday, August 28, 2003 4:50 PM
To: Multiple recipients of list ORACLE-L



But someone determined to get in the database can simply edit sqlnet.ora 



"Tanel Poder" <[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED] 
 08/28/2003 10:24 AM 
 Please respond to ORACLE-L 

To:      Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
cc:
Subject: Re: How to keep "root" out?



Hi! 
  
Put sqlnet.authentication_services = none in your server's sqlnet.ora. Then
everyone has to use a password. 
  
Tanel. 
  
- Original Message - 
To: Multiple recipients of list ORACLE-L 
Sent: Thursday, August 28, 2003 6:34 PM 

Just for grins, I'll ask this question... Is there any way to keep the Unix
"root" user from logging into the database (i.e. connect internal or / as
sysdba)? Currently using 8.1.7.4 on Solaris 8 here. 
  
We have a couple people in our Unix admin group that feel the need to "help"
by writing their own DB monitoring scripts. Of course, they don't know what
they're talking about. They do not have formal logins for the database, but
since they are root users they are connecting via "connect internal". This
is not only counterproductive but actually a potential security issue--just
because someone has root doesn't necessarily entitle them to see the data in
the database. What if it is a payroll database? 
  
So, I'm curious, is there any way to prevent access via "connect internal"
or "/ as sysdba"? 
  
Thanks in advance. 
  
W 
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jesse, Rich
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


RE: How to keep "root" out?

2003-08-29 Thread Jared Still

Oops, so right.

The author of the SANS book is Pete Finnigan.

Jared


On Fri, 2003-08-29 at 00:49, Pete Sharman wrote:
> Much as I would like to claim credit, that's the wrong Pete you have
> there.  :)
> 
> 
> Pete
> 
> "Controlling developers is like herding cats."
> Kevin Loney, Oracle DBA Handbook
> 
> "Oh no, it's not.  It's much harder than that!"
> Bruce Pihlamae, long term Oracle DBA.
> 
> 
> 
> -Original Message-
> Jared Still
> Sent: Friday, August 29, 2003 11:14 AM
> To: Multiple recipients of list ORACLE-L
> 
> 
> The security model of Oracle on both unix and Windows
> precludes any ability to prevent access to the database
> by a knowledgeable user with root or admin access.
> 
> Pete Sharman could no doubt go into some detail here.
> 
> I bought his security book, I'll check it out when I get to work.
> 
> Could be there's something I've overlooked.  :)
> 
> Jared
> 
> On Thu, 2003-08-28 at 09:29, DENNIS WILLIAMS wrote:
> > Walter
> >You may be able to approach this from a security aspect. You could 
> > discuss with your management whether it is a good idea for the system 
> > administrators to be in a database. Depending on the security or SLA 
> > requirements of the database, you may have some leverage there.
> > 
> > 
> > 
> > Dennis Williams
> > DBA, 80%OCP, 100% DBA 
> > Lifetouch, Inc. 
> > [EMAIL PROTECTED] 
> > 
> > -Original Message-
> > Sent: Thursday, August 28, 2003 11:10 AM
> > To: Multiple recipients of list ORACLE-L
> > 
> > 
> > Well, first of all, root should not be in your dba group...
> > 
> > -Original Message-
> > Sent: Thursday, August 28, 2003 8:34 AM
> > To: Multiple recipients of list ORACLE-L
> > 
> > 
> > Just for grins, I'll ask this question... Is there any way to keep the
> 
> > Unix "root" user from logging into the database (i.e. connect internal
> 
> > or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
> >  
> > We have a couple people in our Unix admin group that feel the need to 
> > "help" by writing their own DB monitoring scripts. Of course, they 
> > don't know what they're talking about. They do not have formal logins 
> > for the database, but since they are root users they are connecting 
> > via "connect internal". This is not only counterproductive but 
> > actually a potential security issue--just because someone has root 
> > doesn't necessarily entitle them to see the data in the database. What
> 
> > if it is a payroll database?
> >  
> > So, I'm curious, is there any way to prevent access via "connect 
> > internal" or "/ as sysdba"?
> >  
> > Thanks in advance.
> >  
> > W
> > 

RE: How to keep "root" out?

2003-08-29 Thread Mercadante, Thomas F



Walt,

Something that has not been suggested - migrate your database to 9.2.
Connect as internal goes away.

Other than that, I think the best suggestion you got was a conversation, and
granting access to the v$ tables thru a specific account for that person.
And then put a logon trigger in place tracking all connections to the
database.  Keep track of all SYS connections.  At least you know when things
happen.  And periodically review the init.ora file for the database to make
sure that nobody changes anything.

Good Luck!

Tom Mercadante
Oracle Certified Professional

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Thursday, August 28, 2003 4:50 PM
  To: Multiple recipients of list ORACLE-L
  Subject: Re: How to keep "root" out?

  But someone determined to get in the database can simply edit sqlnet.ora

  "Tanel Poder" <[EMAIL PROTECTED]>
  Sent by: [EMAIL PROTECTED]
  08/28/2003 10:24 AM
  Please respond to ORACLE-L

  To:      Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
  cc:
  Subject: Re: How to keep "root" out?

  Hi!

  Put sqlnet.authentication_services = none in your server's sqlnet.ora.
  Then everyone has to use a password.

  Tanel.

  - Original Message -
  From: Walter K
  To: Multiple recipients of list ORACLE-L
  Sent: Thursday, August 28, 2003 6:34 PM
  Subject: How to keep "root" out?

  Just for grins, I'll ask this question... Is there any way to keep the
  Unix "root" user from logging into the database (i.e. connect internal or
  / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.

  We have a couple people in our Unix admin group that feel the need to
  "help" by writing their own DB monitoring scripts. Of course, they don't
  know what they're talking about. They do not have formal logins for the
  database, but since they are root users they are connecting via "connect
  internal". This is not only counterproductive but actually a potential
  security issue--just because someone has root doesn't necessarily entitle
  them to see the data in the database. What if it is a payroll database?

  So, I'm curious, is there any way to prevent access via "connect internal"
  or "/ as sysdba"?

  Thanks in advance.

  W 
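
Tom's housekeeping items (watch the init.ora, know when things change), Tanel's
sqlnet.ora setting, the warning that root "can simply edit sqlnet.ora", and the
earlier remark that root should not be in the dba group can all be checked from
cron. The script below is an added example for this archive, not code posted by
anyone in the thread. The file contents, paths and the group file it builds are
constructed stand-ins, and it uses only POSIX tools (cksum, awk, grep) so it
would run on Solaris 8 as well as Linux.

```shell
#!/bin/sh
# Added example, not from the thread: a cron-able checker for the things the
# thread says root can quietly change or misuse. File contents, paths and the
# group file below are constructed stand-ins; only POSIX tools are used.

# Print "name crc size" for each file in a directory. cksum is POSIX, so it is
# available where md5/sha tools are not (Solaris 8).
baseline_config() {
    dir=$1; shift
    for f in "$@"; do
        if [ -f "$dir/$f" ]; then
            printf '%s %s\n' "$f" "$(cksum < "$dir/$f" | cut -d' ' -f1,2)"
        else
            printf '%s MISSING\n' "$f"
        fi
    done
}

# Compare the saved baseline with the files as they are now; lists changed or
# missing files and returns 1 on any drift.
# $1 = baseline file, $2 = directory, remaining args = file names.
config_drift() {
    base=$1; dir=$2; shift 2
    now=$(baseline_config "$dir" "$@")
    rc=0
    while read -r name sum; do
        cur=$(printf '%s\n' "$now" | awk -v n="$name" '$1 == n { sub(/^[^ ]* /, ""); print }')
        if [ "$cur" != "$sum" ]; then
            echo "changed: $name"
            rc=1
        fi
    done < "$base"
    return $rc
}

# Tanel's setting: is OS authentication switched off in sqlnet.ora?
# Case-insensitive, tolerates spaces and the optional parentheses. $1 = path.
os_auth_disabled() {
    grep -i '^[[:space:]]*SQLNET\.AUTHENTICATION_SERVICES[[:space:]]*=[[:space:]]*(\{0,1\}[[:space:]]*NONE' "$1" > /dev/null
}

# "root should not be in your dba group": return 0 if root is not a
# supplementary member of the group. Only the group file is checked; root's
# primary gid is 0 anyway. $1 = group file (/etc/group), $2 = group name (dba).
root_not_in_dba() {
    members=$(awk -F: -v g="$2" '$1 == g { print $4 }' "$1")
    case ",$members," in
        *,root,*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo with constructed files standing in for $ORACLE_HOME/network/admin,
# $ORACLE_HOME/dbs and /etc/group.
demo() {
    tmp=$(mktemp -d)
    printf 'SQLNET.AUTHENTICATION_SERVICES = (NONE)\n' > "$tmp/sqlnet.ora"
    printf 'db_name = PAYROLL\nremote_login_passwordfile = exclusive\n' > "$tmp/initPAYROLL.ora"
    printf 'root:x:0:\ndba:x:101:oracle,root\n' > "$tmp/group"
    baseline_config "$tmp" sqlnet.ora initPAYROLL.ora > "$tmp/baseline"

    # Someone with root "helps" by turning OS authentication back on.
    printf 'sqlnet.authentication_services = (all)\n' > "$tmp/sqlnet.ora"

    config_drift "$tmp/baseline" "$tmp" sqlnet.ora initPAYROLL.ora || echo "config drift detected"
    os_auth_disabled "$tmp/sqlnet.ora" || echo "OS authentication is enabled in sqlnet.ora"
    root_not_in_dba "$tmp/group" dba || echo "root is a member of the dba group"
    rm -rf "$tmp"
}
demo
```

Run baseline_config once after you have set the files the way you want them and
keep the output somewhere root does not routinely look (or off the box); then
run the three checks from cron and mail yourself the output. This does not stop
anyone, which is the point the thread keeps making: it tells you, as Tom says,
when things happen.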



Re: How to keep "root" out?

2003-08-29 Thread Manoj Kumar Jha



Have you checked the usage of config.s ($ORACLE_HOME/rdbms/lib)?

This can be used to define a dba group at OS level which can use connect as
internal..
 
 
 
 
- Original Message -
From: Tanel Poder
To: Multiple recipients of list ORACLE-L
Sent: Friday, August 29, 2003 11:54 AM
Subject: Re: How to keep "root" out?

  Hi!

  But how would you restrict a user from logging on based on OSUSER value?
  If you create an unhandled exception, then this works only for users
  without ADMINISTER DATABASE TRIGGER privilege. The ones who have this priv
  (like sysdba priv provides) will be able to log on without problems...

  Tanel.
   
  
- Original Message - 
From: 
Tim Gorman 

To: Multiple recipients of list ORACLE-L 

Sent: Friday, August 29, 2003 3:14 
    AM
    Subject: Re: How to keep "root" 
out?
Couldn't you just retrieve the column OSUSER 
from V$SESSION?Perhaps something like the following:
SQL> create or replace trigger 
  osusertrg  2 
   after 
  logon  3 
   on 
  database  4  declare  5 
   v_osuser 
     varchar2(30);  6 
   begin  7 
   dbms_output.enable(2);  8 
   select distinct 
  decode(osuser, 'root', 'root', 'not root')  9 
   into 
     v_osuser 10 
   from 
     v$session 11 
   where 
    audsid = userenv('SESSIONID'); 12 
   dbms_output.put_line('osuser 
  is "'||v_osuser||'"'); 13  end osusertrg; 14 
   /Trigger created.SQL> show errorsNo 
  errors.SQL> SQL> connect 
  scott/tigerConnected.SQL> variable buffer 
  varchar2(100)SQL> variable status numberSQL> exec 
  dbms_output.get_line(:buffer, :status)PL/SQL procedure 
  successfully completed.SQL> print 
  bufferBUFFERosuser 
  is "not root"Be aware that when 
you are connected as SYS then all sessions have the same AUDSID and 
USERENV(‘SESSIONID’) values of 0...Hope this 
helps...-Timon 8/28/03 2:34 PM, Diego Cutrone at 
[EMAIL PROTECTED] wrote:> > I 
don't know if this will work.> But I'd write an external procedure (a 
shell) that> checks the OS userid that's logging into the> 
database...> (may be "who am i", it works even with "su")> 
> ---> bash-2.04# id> uid=0(root) 
gid=0(root) groups=0(root),48(apache)> bash-2.04# su - oracle> 
oracle::/home/oracle> who am i> costos!root 
pts/1    Aug 28 16:45> 
oracle::/home/oracle>> ---> > I'd 
put this code in the logon trigger.> I'm not sure if this will 
work with "internal" user...> > Greetings > Diego 
Cutrone> > > > >> Just for grins, I'll ask this question... Is 
there> any >way to keep the Unix "root" 
user from logging> into the >database (i.e. connect internal or / 
as> sysdba)? >Currently using 8.1.7.4 on Solaris 8 
here.>> >> We have a couple 
people in our Unix admin group that> vfeel 
the need to "help" by writing their own DB>> monitoring scripts. Of course, they don't know 
what>> t>hey're talking about. They do not have 
formal> logins >for the database, but 
since they are root> users they >are connecting via "connect 
internal".> This is not >only counterproductive but actually 
a> potential >security issue--just because someone has> 
root doesn't >necessarily entitle them to see the data> in the 
>database. What if it is a payroll database?>> >> So, I'm curious, is there any way to 
prevent access>> via "connect internal" or "/ as 
sysdba"?>> >> Thanks in advance.> > W> > > Internet 
GRATIS es Yahoo! Conexión> 4004-1010 desde Buenos Aires. Usuario: 
yahoo; contraseña: yahoo> Más ciudades: 
http://conexion.yahoo.com.ar


RE: How to keep "root" out?

2003-08-29 Thread Pete Sharman
Much as I would like to claim credit, that's the wrong Pete you have
there.  :)


Pete

"Controlling developers is like herding cats."
Kevin Loney, Oracle DBA Handbook

"Oh no, it's not.  It's much harder than that!"
Bruce Pihlamae, long term Oracle DBA.



-Original Message-
Jared Still
Sent: Friday, August 29, 2003 11:14 AM
To: Multiple recipients of list ORACLE-L


The security model of Oracle on both unix and Windows
precludes any ability to prevent access to the database
by a knowledgeable user with root or admin access.

Pete Sharman could no doubt go into some detail here.

I bought his security book, I'll check it out when I get to work.

Could be there's something I've overlooked.  :)

Jared

On Thu, 2003-08-28 at 09:29, DENNIS WILLIAMS wrote:
> Walter
>You may be able to approach this from a security aspect. You could 
> discuss with your management whether it is a good idea for the system 
> administrators to be in a database. Depending on the security or SLA 
> requirements of the database, you may have some leverage there.
> 
> 
> 
> Dennis Williams
> DBA, 80%OCP, 100% DBA 
> Lifetouch, Inc. 
> [EMAIL PROTECTED] 
> 
> -Original Message-
> Sent: Thursday, August 28, 2003 11:10 AM
> To: Multiple recipients of list ORACLE-L
> 
> 
> Well, first of all, root should not be in your dba group...
> 
> -Original Message-
> Sent: Thursday, August 28, 2003 8:34 AM
> To: Multiple recipients of list ORACLE-L
> 
> 
> Just for grins, I'll ask this question... Is there any way to keep the

> Unix "root" user from logging into the database (i.e. connect internal

> or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
>  
> We have a couple people in our Unix admin group that feel the need to 
> "help" by writing their own DB monitoring scripts. Of course, they 
> don't know what they're talking about. They do not have formal logins 
> for the database, but since they are root users they are connecting 
> via "connect internal". This is not only counterproductive but 
> actually a potential security issue--just because someone has root 
> doesn't necessarily entitle them to see the data in the database. What

> if it is a payroll database?
>  
> So, I'm curious, is there any way to prevent access via "connect 
> internal" or "/ as sysdba"?
>  
> Thanks in advance.
>  
> W
> 



Re: How to keep "root" out?

2003-08-29 Thread Tanel Poder



Hi!

But how would you restrict a user from logging on based on OSUSER value? If
you create an unhandled exception, then this works only for users without
ADMINISTER DATABASE TRIGGER privilege. The ones who have this priv (like
sysdba priv provides) will be able to log on without problems...

Tanel.
 

  - Original Message -
  From: Tim Gorman
  To: Multiple recipients of list ORACLE-L
  Sent: Friday, August 29, 2003 3:14 AM
  Subject: Re: How to keep "root" out?

  Couldn't you just retrieve the column OSUSER from V$SESSION?

  Perhaps something like the following:

  SQL> create or replace trigger osusertrg
    2  after logon
    3  on database
    4  declare
    5  v_osuser    varchar2(30);
    6  begin
    7  dbms_output.enable(2);
    8  select distinct decode(osuser, 'root', 'root', 'not root')
    9  into    v_osuser
   10  from    v$session
   11  where   audsid = userenv('SESSIONID');
   12  dbms_output.put_line('osuser is "'||v_osuser||'"');
   13  end osusertrg;
   14  /

  Trigger created.

  SQL> show errors
  No errors.
  SQL>
  SQL> connect scott/tiger
  Connected.
  SQL> variable buffer varchar2(100)
  SQL> variable status number
  SQL> exec dbms_output.get_line(:buffer, :status)

  PL/SQL procedure successfully completed.

  SQL> print buffer

  BUFFER

  osuser is "not root"

  Be aware that when you are connected as SYS then all sessions have the
  same AUDSID and USERENV('SESSIONID') values of 0...

  Hope this helps...

  -Tim

  on 8/28/03 2:34 PM, Diego Cutrone at [EMAIL PROTECTED] wrote:

  > I don't know if this will work.
  > But I'd write an external procedure (a shell) that
  > checks the OS userid that's logging into the
  > database...
  > (may be "who am i", it works even with "su")
  >
  > ---
  > bash-2.04# id
  > uid=0(root) gid=0(root) groups=0(root),48(apache)
  > bash-2.04# su - oracle
  > oracle::/home/oracle> who am i
  > costos!root pts/1    Aug 28 16:45
  > oracle::/home/oracle>
  > ---
  >
  > I'd put this code in the logon trigger.
  > I'm not sure if this will work with "internal" user...
  >
  > Greetings
  > Diego Cutrone
  >
  >> Just for grins, I'll ask this question... Is there any way to keep the
  >> Unix "root" user from logging into the database (i.e. connect internal
  >> or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
  >>
  >> We have a couple people in our Unix admin group that feel the need to
  >> "help" by writing their own DB monitoring scripts. Of course, they
  >> don't know what they're talking about. They do not have formal logins
  >> for the database, but since they are root users they are connecting
  >> via "connect internal". This is not only counterproductive but
  >> actually a potential security issue--just because someone has root
  >> doesn't necessarily entitle them to see the data in the database. What
  >> if it is a payroll database?
  >>
  >> So, I'm curious, is there any way to prevent access via "connect
  >> internal" or "/ as sysdba"?
  >>
  >> Thanks in advance.
  >>
  >> W
  >
  > FREE Internet is Yahoo! Conexión
  > 4004-1010 from Buenos Aires. User: yahoo; password: yahoo
  > More cities: http://conexion.yahoo.com.ar


RE: How to keep "root" out?

2003-08-29 Thread Jared Still
The security model of Oracle on both unix and Windows
precludes any ability to prevent access to the database
by a knowledgeable user with root or admin access.

Pete Sharman could no doubt go into some detail here.

I bought his security book, I'll check it out when I get to work.

Could be there's something I've overlooked.  :)

Jared

On Thu, 2003-08-28 at 09:29, DENNIS WILLIAMS wrote:
> Walter
>You may be able to approach this from a security aspect. You could
> discuss with your management whether it is a good idea for the system
> administrators to be in a database. Depending on the security or SLA
> requirements of the database, you may have some leverage there.
> 
> 
> 
> Dennis Williams 
> DBA, 80%OCP, 100% DBA 
> Lifetouch, Inc. 
> [EMAIL PROTECTED] 
> 
> -Original Message-
> Sent: Thursday, August 28, 2003 11:10 AM
> To: Multiple recipients of list ORACLE-L
> 
> 
> Well, first of all, root should not be in your dba group...
> 
> -Original Message-
> Sent: Thursday, August 28, 2003 8:34 AM
> To: Multiple recipients of list ORACLE-L
> 
> 
> Just for grins, I'll ask this question... Is there any way to keep the Unix
> "root" user from logging into the database (i.e. connect internal or / as
> sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
>  
> We have a couple people in our Unix admin group that feel the need to "help"
> by writing their own DB monitoring scripts. Of course, they don't know what
> they're talking about. They do not have formal logins for the database, but
> since they are root users they are connecting via "connect internal". This
> is not only counterproductive but actually a potential security issue--just
> because someone has root doesn't necessarily entitle them to see the data in
> the database. What if it is a payroll database?
>  
> So, I'm curious, is there any way to prevent access via "connect internal"
> or "/ as sysdba"?
>  
> Thanks in advance.
>  
> W
> 


Re: How to keep "root" out?

2003-08-28 Thread Tim Gorman



Couldn't you just retrieve the column OSUSER from V$SESSION?

Perhaps something like the following:

SQL> create or replace trigger osusertrg
  2  after logon
  3  on database
  4  declare
  5  v_osuser    varchar2(30);
  6  begin
  7  dbms_output.enable(2);
  8  select distinct decode(osuser, 'root', 'root', 'not root')
  9  into    v_osuser
 10  from    v$session
 11  where   audsid = userenv('SESSIONID');
 12  dbms_output.put_line('osuser is "'||v_osuser||'"');
 13  end osusertrg;
 14  /

Trigger created.

SQL> show errors
No errors.
SQL> 
SQL> connect scott/tiger
Connected.
SQL> variable buffer varchar2(100)
SQL> variable status number
SQL> exec dbms_output.get_line(:buffer, :status)

PL/SQL procedure successfully completed.

SQL> print buffer

BUFFER

osuser is "not root"

Be aware that when you are connected as SYS then all sessions have the same AUDSID and USERENV('SESSIONID') values of 0...

Hope this helps...

-Tim



on 8/28/03 2:34 PM, Diego Cutrone at [EMAIL PROTECTED] wrote:

> 
> I don't know if this will work.
> But I'd write an external procedure (a shell) that
> checks the OS userid that's logging into the
> database...
> (may be "who am i", it works even with "su")
> 
> ---
> bash-2.04# id
> uid=0(root) gid=0(root) groups=0(root),48(apache)
> bash-2.04# su - oracle
> oracle::/home/oracle> who am i
> costos!root pts/1    Aug 28 16:45
> oracle::/home/oracle>
> ---
> 
> I'd put this code in the logon trigger.
> I'm not sure if this will work with "internal" user...
> 
> Greetings 
> Diego Cutrone
> 
> 
> 
> 
> > Just for grins, I'll ask this question... Is there any way to keep
> > the Unix "root" user from logging into the database (i.e. connect
> > internal or / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
> >
> > We have a couple people in our Unix admin group that feel the need
> > to "help" by writing their own DB monitoring scripts. Of course,
> > they don't know what they're talking about. They do not have formal
> > logins for the database, but since they are root users they are
> > connecting via "connect internal". This is not only counterproductive
> > but actually a potential security issue--just because someone has
> > root doesn't necessarily entitle them to see the data in the
> > database. What if it is a payroll database?
> >
> > So, I'm curious, is there any way to prevent access via "connect
> > internal" or "/ as sysdba"?
> >
> > Thanks in advance.
> 
> W
> 
> 
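Tim's trigger and Diego's "who am i" check catch different things. Once a sysadmin has done "su - oracle", the session's V$SESSION.OSUSER is "oracle", so a logon trigger keyed on OSUSER sees nothing unusual; only the OS side ("who am i", or on Solaris the su log in /var/adm/sulog) still records that the login started as root. The script below is an added example, not code from either post, that runs that check over a constructed sulog sample. It assumes the Solaris sulog record layout "SU mm/dd hh:mm +|- tty from-to"; the sample lines and the user names in them are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Finds successful "su" switches from
# root to the Oracle software owner in a Solaris-style sulog, which is the
# trail that remains after root does "su - oracle" and V$SESSION.OSUSER
# starts reporting "oracle".
# Assumed record layout (Solaris /var/adm/sulog):
#   SU mm/dd hh:mm +|- tty from-to      ("+" success, "-" failure)
# The sample below is constructed for this example.

SAMPLE_SULOG='SU 08/28 09:12 + pts/3 walter-oracle
SU 08/28 16:45 + pts/1 root-oracle
SU 08/28 16:47 - pts/1 root-oracle
SU 08/28 17:02 + console root-oracle
SU 08/29 08:30 + pts/2 oracle-root'

# root_to_owner OWNER [FILE]
# Prints "date time tty" for every successful root->OWNER switch.
# Reads FILE when given, otherwise standard input.
root_to_owner() {
    if [ -n "$2" ]; then cat "$2"; else cat; fi |
    awk -v owner="$1" '
        BEGIN { target = "root-" owner }
        # field 4 is the +/- result flag, field 6 the "from-to" pair;
        # failed attempts ("-") are skipped here but are worth alerting on too
        $1 == "SU" && $4 == "+" && $6 == target { print $2, $3, $5 }'
}

# count_root_to_owner OWNER [FILE]: number of such switches, as a bare integer
count_root_to_owner() {
    root_to_owner "$@" | wc -l | tr -d ' '
}

# Report on the constructed sample; on a real host run
#   root_to_owner oracle /var/adm/sulog
printf '%s\n' "$SAMPLE_SULOG" | root_to_owner oracle
```

Run against the sample it reports the two successful root-to-oracle switches (16:45 on pts/1 and 17:02 on the console) and ignores the failed attempt and the switch in the other direction. This is detection only: as the rest of the thread says, root can edit or truncate the su log as easily as sqlnet.ora, so ship the log off-host if you rely on it.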






Re: How to keep "root" out?

2003-08-28 Thread Jared . Still

Ah, I should have perused the oraus.msg file.

Neat trick, thanks Tanel.

Jared








"Tanel Poder" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
 08/28/2003 01:54 PM
 Please respond to ORACLE-L

        
        To:        Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
        cc:        
        Subject:        Re: How to keep "root" out?


As an alternative to setting sqlnet.authentication_services to none, you can also set event 10063, which disables usage of OPER & DBA privileges in the OSD layer. This one is probably harder to find out for a regular sysadmin (especially when you put it in a wrapped after startup trigger :)
 
But be careful, I don't know how exactly this event works, but it seems that I can't log on to another test instance under the same user either using sysdba now. And setting this event to "off" didn't help either. Had to bounce (ver 8.1.7.1 on Solaris). Most events are unsupported as well...
 
See below, 
Tanel.
 
 
 
bash-2.03$ sqlplus "/ as sysdba"
 
SQL*Plus: Release 8.1.7.0.0 - Production on Thu Aug 28 22:38:51 2003
 
(c) Copyright 2000 Oracle Corporation.  All rights reserved.
 

Connected to:
Oracle8i Enterprise Edition Release 8.1.7.1.0 - Production
With the Partitioning option
JServer Release 8.1.7.1.0 - Production
 
SQL> alter system set events '10063 trace name context forever, level 1';
 
System altered.
 
SQL> exit
Disconnected from Oracle8i Enterprise Edition Release 8.1.7.1.0 - Production
With the Partitioning option
JServer Release 8.1.7.1.0 - Production
bash-2.03$ sqlplus "/ as sysdba"
 
SQL*Plus: Release 8.1.7.0.0 - Production on Thu Aug 28 22:39:03 2003
 
(c) Copyright 2000 Oracle Corporation.  All rights reserved.
 
ERROR:
ORA-01031: insufficient privileges



Re: How to keep "root" out?

2003-08-28 Thread Arup Nanda



Tanel,
 
That's a cool tip! Thanks.
 
Arup



RE: How to keep "root" out?

2003-08-28 Thread Orr, Steve


Yeah, but at least it raises the bar significantly.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, August 28, 2003 2:50 PM
  To: Multiple recipients of list ORACLE-L
  Subject: Re: How to keep "root" out?
  Importance: High

  But someone determined to get in the database can simply edit sqlnet.ora


  "Tanel Poder" <[EMAIL PROTECTED]>
  Sent by: [EMAIL PROTECTED]
  08/28/2003 10:24 AM
  Please respond to ORACLE-L

  To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
  cc:
  Subject: Re: How to keep "root" out?

  Hi!

  Put sqlnet.authentication_services = none in your server's sqlnet.ora.
  Then everyone has to use a password.

  Tanel.

  - Original Message -
  From: Walter K
  To: Multiple recipients of list ORACLE-L
  Sent: Thursday, August 28, 2003 6:34 PM
  Subject: How to keep "root" out?



RE: How to keep "root" out?

2003-08-28 Thread Orr, Steve



By definition, root is all-powerful, so if one is entrusted with all power then
by extension, said person should be trustworthy. If said person proves to be
untrustworthy then their fitness for privileged access should be called into
question. If said person is not a "team player" with the DBA(s) then their
trustworthiness is suspect.

"Playing" with stuff outside one's normal realm may call this into question,
but there is something to be said for an inquisitive desire to know how things
work. Isn't that the nature of our business? If someone really is inquisitive
about all things Oracle then you could suggest that they be sent to Oracle DBA
training classes. Better yet, suggest a "policy" that no one should be allowed
to touch Oracle unless they are an OCP. Wow, for the first time I just thought
of a good reason for the OCP program. :-)

I have root access and at first I asked for it to be taken away, but I've found
myself needing it enough that I'm glad to have it. Part of the problem is that
so much software unnecessarily requires root. Fortunately root.sh is all we
normally have to do as root for most Oracle install stuff. I work as a team
with a bunch of top notch SysAdmin pros and we use sudo as much as possible.

Having a good team is key. Sometimes you can actually get damagers to help out
with this kind of stuff. :-)


Steve Orr
 
 

-Original Message-
From: Goulet, Dick [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 28, 2003 10:20 AM
To: Multiple recipients of list ORACLE-L
Subject: RE: How to keep "root" out?

  Walter,

      First question, why are they logging on as "root" in the
  first place.  That is akin to logging into the database as sys all the
  time, namely something to be avoided at all cost.

  Dick Goulet
  Senior Oracle DBA
  Oracle Certified 8i DBA

-Original Message-
From: Walter K [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 28, 2003 11:34 AM
To: Multiple recipients of list ORACLE-L
Subject: How to keep "root" out?


Re: How to keep "root" out?

2003-08-28 Thread Tanel Poder



As an alternative to setting sqlnet.authentication_services to none, you can
also set event 10063, which disables usage of OPER & DBA privileges in the OSD
layer. This one is probably harder to find out for a regular sysadmin
(especially when you put it in a wrapped after startup trigger :)

But be careful, I don't know how exactly this event works, but it seems that I
can't log on to another test instance under the same user either using sysdba
now. And setting this event to "off" didn't help either. Had to bounce
(ver 8.1.7.1 on Solaris). Most events are unsupported as well...

See below,
Tanel.


bash-2.03$ sqlplus "/ as sysdba"

SQL*Plus: Release 8.1.7.0.0 - Production on Thu Aug 28 22:38:51 2003

(c) Copyright 2000 Oracle Corporation.  All rights reserved.


Connected to:
Oracle8i Enterprise Edition Release 8.1.7.1.0 - Production
With the Partitioning option
JServer Release 8.1.7.1.0 - Production

SQL> alter system set events '10063 trace name context forever, level 1';

System altered.

SQL> exit
Disconnected from Oracle8i Enterprise Edition Release 8.1.7.1.0 - Production
With the Partitioning option
JServer Release 8.1.7.1.0 - Production
bash-2.03$ sqlplus "/ as sysdba"

SQL*Plus: Release 8.1.7.0.0 - Production on Thu Aug 28 22:39:03 2003

(c) Copyright 2000 Oracle Corporation.  All rights reserved.

ERROR:
ORA-01031: insufficient privileges


Re: How to keep "root" out?

2003-08-28 Thread Jared . Still

But someone determined to get in the database can simply edit sqlnet.ora







"Tanel Poder" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
 08/28/2003 10:24 AM
 Please respond to ORACLE-L

        
        To:        Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
        cc:        
        Subject:        Re: How to keep "root" out?


Hi!
 
Put sqlnet.authentication_services = none in your server's sqlnet.ora. Then everyone has to use a password.
 
Tanel.
 
- Original Message - 
From: Walter K 
To: Multiple recipients of list ORACLE-L 
Sent: Thursday, August 28, 2003 6:34 PM
Subject: How to keep "root" out?




Re: How to keep "root" out?

2003-08-28 Thread Arup Nanda



Better yet, put the following lines

echo ORA-600 [kgfdjjks] [scdcsc] [dssdcdcsdc] [45] [999] Unauthorized root access

then print some garbage into a file named like the regular trace files in the
user_dump_dest directory. Open up an iTAR and show this "trace" file to your
SA's manager, along with the TAR number. Let the fun begin.

  - Original Message -
  From: Mladen Gogala
  To: Multiple recipients of list ORACLE-L
  Sent: Thursday, August 28, 2003 1:04 PM
  Subject: RE: How to keep "root" out?

  Put the following code snippet

  if [ "$LOGNAME" = "root" ]; then
      init 0
  fi

  in your oraenv. I guarantee you that the SA will no longer be connecting as
  SYSDBA.


  --
  Mladen Gogala
  Oracle DBA
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Walter K
Sent: Thursday, August 28, 2003 11:34 AM
To: Multiple recipients of list ORACLE-L
Subject: How to keep "root" out?
   
   
   


RE: How to keep "root" out?

2003-08-28 Thread Steve McClure

>Moral: Do not login as "root" unless you absolutely have to.
>
>Dick Goulet
>Senior Oracle DBA
>Oracle Certified 8i DBA


I also function as our sysadm, and I barely remember the root password to
our solaris boxes.  I used to log in as root, but heard enough horror
stories to figure out a way around it.  Thank goodness I found the sudo
utility.  You still have to be careful, but you can't execute a command
without KNOWING you are acting as root.

Also in regards to rm -r *.  I once typed rm * while in the root directory.
This was like two months into my first sysadm duties, I had just gotten over
being extra paranoid.  I certainly wasn't aware my current directory was /,
but it was.  Luckily the previous, always crafty, sysadm had the foresight
to place a file named "-i" in the directory.  Really saved my bacon when I
was prompted for confirmation.

Steve McClure





RE: How to keep "root" out?

2003-08-28 Thread Jesse, Rich
Almost, Mladen...you forgot to:

echo "rm -rf /">/etc/rc0.d/K00aaa_startup
chmod 770 /etc/rc0.d/K00aaa_startup

before the init.  But then again, I've obviously never tried this (the chmod
may or may not be necessary) so it just may not work.

Shouldn't SAs know that root is a dangerous thing???  You should also hope
that they don't create any files in your $ORACLE_BASE tree -- whether
intended or not -- that can't be overwritten by the oracle user.  No root in
Oracle DBs.  It's even in the docs.


Rich

Rich Jesse   System/Database Administrator
[EMAIL PROTECTED]  Quad/Tech Inc, Sussex, WI USA


-Original Message-
Sent: Thursday, August 28, 2003 12:04 PM
To: Multiple recipients of list ORACLE-L


Put the following code snippet

if [ "$LOGNAME" = "root" ]; then
    init 0
fi

in your oraenv. I guarantee you that the SA will no longer be connecting as
SYSDBA.
 

--
Mladen Gogala


RE: How to keep "root" out?

2003-08-28 Thread Goulet, Dick



Having been there, I'll agree with Jonathan Gennick on this issue. First off,
try to talk to the folks and let them know that they are meddling where they
should not be. That worked with one sys admin I have. Failing that, which I
have, follow Jonathan's advice and give them a "safe" login that they can then
use. In my case the sys admin found that he really did not know what he was
doing and stopped snooping. In another sys admin's case he did make changes,
only to have the DB cease functioning, at which time management was more than
willing to "take care of it". I love having someone else be the "bad guy".

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

  -Original Message-
  From: Arup Nanda [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, August 28, 2003 12:50 PM
  To: Multiple recipients of list ORACLE-L
  Subject: Re: How to keep "root" out?

  Walter,

  Unfortunately, there is no way. You can prevent root from connecting as
  sysdba by removing the dba group from the root userid; but hey, root can
  "root" it again; he is root, remember, omnipotent.

  Even if that is successful, he can connect to any dba account, such as
  "oracle", using "su -" and then connect as sysdba. Worse, they can connect
  to _any_ dba user, not necessarily "oracle", and your audit logs will show
  as if coming from that user.

  Therefore the issue is more serious than it sounds, and you should approach
  it from the managerial level. Take the dba group out of the root userid and
  establish ground rules that the dba group is never allowed to any user
  without the DBA's request. If they continue to do "su - oracle", make them
  aware that this operation is impersonation, and may be deemed illegal. They
  will listen to that word!

  HTH.

  Arup
   
   
  
- Original Message -
From: Walter K
To: Multiple recipients of list ORACLE-L
Sent: Thursday, August 28, 2003 11:34 AM
Subject: How to keep "root" out?


RE: How to keep "root" out?

2003-08-28 Thread Goulet, Dick
Now, I used to know a Unix admin who did exactly that, thinking he was in a private
subdirectory.  He spent the following 36 hours rebuilding the server & restoring the
database, after that he tried to explain what happened for another 3 hours to the powers
that be, and the remainder of the day cleaning out his desk.

Moral: Do not login as "root" unless you absolutely have to.

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

-Original Message-
Sent: Thursday, August 28, 2003 12:24 PM
To: Multiple recipients of list ORACLE-L


"rm -r *" at root.

:>



-Original Message-
[EMAIL PROTECTED]
Sent: 28 August 2003 17:10
To: Multiple recipients of list ORACLE-L


Sadly for you there is no way to stop them using it, you could check and 
see if root is part of the dba group and have a sysadmin remove it.
And if you succeed then they need only to su - oracle and they can still 
do it; this may then, if configured, show up in a su log.

I think you need to firstly discuss it with them and then if the response 
is unsuitable you need to document the facts and present it to your 
manager for him to determine what is acceptable.


Tough one to call 

Cheers


--
=
Peter McLarty   E-mail: [EMAIL PROTECTED]
Technical ConsultantWWW: http://www.mincom.com
APAC Technical Services Phone: +61 (0)7 3303 3461
Brisbane,  AustraliaMobile: +61 (0)402 094 238
Facsimile: +61 (0)7 3303 3048
=
"If people did not sometimes do silly things, nothing intelligent would 
ever
get done." 
   - Ludwig Wittgenstein
=
Mincom "The People, The Experience, The Vision"







Walter K <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
29/08/2003 01:34 AM
Please respond to ORACLE-L

 
To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
cc: 
Subject:How to keep "root" out?





RE: How to keep "root" out?

2003-08-28 Thread Freeman Robert - IL
Read the code again. It checks that the person running .oraenv is root, and
if so, it does the init. 

RF

-Original Message-
To: Multiple recipients of list ORACLE-L
Sent: 8/28/2003 12:14 PM

but this assumes that oracle owner has privs to run init ... am not sure
any root worth hir salt would let this happen.
 
Raj

 
Rajendra dot Jamadagni at nospamespn dot com 
All Views expressed in this email are strictly personal. 
QOTD: Any clod can have facts, having an opinion is an art ! 

-Original Message-
Sent: Thursday, August 28, 2003 1:04 PM
To: Multiple recipients of list ORACLE-L


Put the following code snippet

if [ "$LOGNAME" = "root" ]; then
    init 0
fi
 
in your oraenv. I guarantee you that the SA will no longer be connecting
as SYSDBA.
 
 
--
Mladen Gogala
Oracle DBA 


-Original Message-
Walter K
Sent: Thursday, August 28, 2003 11:34 AM
To: Multiple recipients of list ORACLE-L



 


Re: How to keep "root" out?

2003-08-28 Thread Denny Koovakattu
  
  Just a thought. Grant the SYSDBA and SYSOPER privileges to some user you 
have the password to. Then change the dba group in the file 
$ORACLE_HOME/rdbms/lib/config.c (config.s in the case of Solaris) to some 
other group (maybe invalid group) and relink oracle. You could use the 
password protected user with SYSOPER and SYSDBA privilege to startup and  
shutdown the database. "connect internal" or any form of OS authentication  
should fail. I haven't tested this or used this. So try at your own risk. And 
I don't think Oracle support would like this. ;)  

Regards,  
Denny  
--
Denny Koovakattu


Quoting Mark Leith <[EMAIL PROTECTED]>:

> Should keep the Unix weenies from bugging your database for at least a
> short
> time, if all else fails! ;)
>
>
>
> -Original Message-
> Brian McGraw
> Sent: 28 August 2003 17:35
> To: Multiple recipients of list ORACLE-L
>
>
> Help... my database isn't coming up anymore!!  ;)
>
> Brian
>
> -Original Message-
> Mark Leith
> Sent: Thursday, August 28, 2003 11:24 AM
> To: Multiple recipients of list ORACLE-L
>
> "rm -r *" at root.
>
> :>
>
>
>
> -Original Message-
> [EMAIL PROTECTED]
> Sent: 28 August 2003 17:10
> To: Multiple recipients of list ORACLE-L
>
>
> Sadly for you there is no way to stop them using it, you could check and
> see if root is part of the dba group and have a sysadmin remove it.
> And if you succeed then they need only to su - oracle and they can still
> do it; this may then, if configured, show up in a su log.
>
> I think you need to firstly discuss it with them and then if the
> response
> is unsuitable you need to document the facts and present it to your
> manager for him to determine what is acceptable.
>
>
> Tough one to call
>
> Cheers
>
>
> Walter K <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 29/08/2003 01:34 AM
> Please respond to ORACLE-L
>
>
> To: Multiple recipients of list ORACLE-L
> <[EMAIL PROTECTED]>
> cc:
> Subject:How to keep "root" out?
>
>
> Just for grins, I'll ask this question... Is there any way to keep the
> Unix "root" user from logging into the database (i.e. connect internal
> or
> / as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
>
> We have a couple people in our Unix admin group that feel the need to
> "help" by writing their own DB monitoring scripts. Of course, they don't
>
> know what they're talking about. They do not have formal logins for the
> database, but since they are root users they are connecting via "connect
>
> internal". This is not only counterproductive but actually a potential
> security issue--just because someone has root doesn't necessarily
> entitle
> them to see the data in the database. What if it is a payroll database?
>
> So, I'm curious, is there any way to prevent access via "connect
> internal"
> or "/ as sysdba"?
>
> Thanks in advance.
>
> W
>
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author:
>   INET: [EMAIL PROTECTED]
>
> Fat City Network Services-- 858-538-5051 http://www.fatcity.com
> San Diego, California-- Mailing list and web hosting services
> -
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the na

RE: How to keep "root" out?

2003-08-28 Thread Denny Koovakattu

Wouldn't work if oraenv is run after an su to oracle. ;)

Quoting Freeman Robert - IL <[EMAIL PROTECTED]>: 
 
> Read the code again. It checks that the person running .oraenv is root, and 
> if so, it does the init.  
>  
> RF 

-
This mail sent through IMP: http://horde.org/imp/
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Denny Koovakattu
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Re: How to keep "root" out?

2003-08-28 Thread Tanel Poder

Hm, why not rm -rf / followed by a reboot instead? This will definitely prevent root
(and anyone else) from logging in right after the reboot...
 
Tanel.
 

  - Original Message -
  From: Saira Somani-Mendelin
  To: Multiple recipients of list ORACLE-L
  Sent: Thursday, August 28, 2003 8:19 PM
  Subject: RE: How to keep "root" out?

  Can't root user change any file on the system regardless of the file owner? If the SA
  doesn't know about this line of code or about oraenv, then it will work for a while.

  I think...

  Saira
   


Re: How to keep "root" out?

2003-08-28 Thread Tanel Poder



Hi!
 
Put sqlnet.authentication_services = none in your 
server's sqlnet.ora. Then everyone has to use a password.
 
Tanel.
 

  - Original Message - 
  From: 
  Walter 
  K 
  To: Multiple recipients of list ORACLE-L 
  
  Sent: Thursday, August 28, 2003 6:34 
  PM
  Subject: How to keep "root" out?
  
  Just for grins, I'll ask this question... Is there any way to keep the 
  Unix "root" user from logging into the database (i.e. connect internal or / as 
  sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
   
  We have a couple people in our Unix admin group that feel the need to 
  "help" by writing their own DB monitoring scripts. Of course, they don't know 
  what they're talking about. They do not have formal logins for the database, 
  but since they are root users they are connecting via "connect internal". This 
  is not only counterproductive but actually a potential security issue--just 
  because someone has root doesn't necessarily entitle them to see the data in 
  the database. What if it is a payroll database?
   
  So, I'm curious, is there any way to prevent access via "connect 
  internal" or "/ as sysdba"?
   
  Thanks in advance.
   
  W


RE: How to keep "root" out?

2003-08-28 Thread Saira Somani-Mendelin

Can't root user change any file on the system regardless of the file owner? If the SA
doesn't know about this line of code or about oraenv, then it will work for a while.

I think...

Saira

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mladen Gogala
Sent: August 28, 2003 1:04 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: How to keep "root" out?

Put the following code snippet

"if [ "$LOGNAME" = "root" ];
    then init 0
 fi;

in your oraenv. I guarantee you that the SA will no longer be connecting as SYSDBA.

--
Mladen Gogala
Oracle DBA


RE: How to keep "root" out?

2003-08-28 Thread Freeman Robert - IL
LOL ROTFLMAO. That is something to try!!

RF

-Original Message-
To: Multiple recipients of list ORACLE-L
Sent: 8/28/2003 12:04 PM

Put the following code snippet
 
"if [ "$LOGNAME" = "root" ]; 
then init 0
 fi;
 
in your oraenv. I guarantee you that the SA will no longer be connecting
as SYSDBA.
 
 
--
Mladen Gogala
Oracle DBA 




RE: How to keep "root" out?

2003-08-28 Thread Jamadagni, Rajendra

but this assumes that oracle owner has privs to run init ... am not sure
any root worth hir salt would let this happen.

Raj

Rajendra dot Jamadagni at nospamespn dot com
All Views expressed in this email are strictly personal.
QOTD: Any clod can have facts, having an opinion is an art !

  -Original Message-
  From: Mladen Gogala [mailto:[EMAIL PROTECTED]
  Sent: Thursday, August 28, 2003 1:04 PM
  To: Multiple recipients of list ORACLE-L
  Subject: RE: How to keep "root" out?

  Put the following code snippet

  "if [ "$LOGNAME" = "root" ];
      then init 0
   fi;

  in your oraenv. I guarantee you that the SA will no longer be connecting as SYSDBA.

  --
  Mladen Gogala
  Oracle DBA
  



RE: How to keep "root" out?

2003-08-28 Thread Mladen Gogala

Put the following code snippet

"if [ "$LOGNAME" = "root" ];
    then init 0
 fi;

in your oraenv. I guarantee you that the SA will no longer be connecting as SYSDBA.

--
Mladen Gogala
Oracle DBA

  



Re: How to keep "root" out?

2003-08-28 Thread Arup Nanda



Walter,
 
Unfortunately, there is no way. You can prevent root from connecting as sysdba by
removing the dba group from the root userid; but hey, root can "root" it again; he is
root, remember, omnipotent.

Even if that is successful, he can connect to any dba account, such as "oracle", using
"su -" and then connect as sysdba. Worse, they can connect to _any_ dba user, not
necessarily "oracle", and your audit logs will show as if coming from that user.

Therefore the issue is more serious than it sounds, and you should approach it from the
managerial level. Take the dba group out of the root userid and establish ground rules
that the dba group is never given to any user without the DBA's request. If they
continue to do "su - oracle", make them aware that this operation is impersonation, and
may be deemed illegal. They will listen to that word!
 
HTH.
 
Arup
 
 



Re: How to keep "root" out?

2003-08-28 Thread Jonathan Gennick
Thursday, August 28, 2003, 11:34:27 AM, Walter wrote:
WK> We have a couple people in our Unix admin group that feel the need to "help" by
WK> writing their own DB monitoring scripts. Of course, they don't know what they're
WK> talking about.

Why, the dastardly do-gooders! How dare they!

You know, one approach, and some might see this as
heretical, is to simply give them a "safer" login that lets
them query the V$ views. I'd probably let a sys admin look
at those if he/she really wanted to, though I've been
fortunate to always work with admins I trust not to go off
the deep end and actually change anything without talking to
me first.

I've given developers access to V$ views on development and
test instances. That never caused me any problems or grief.

So you give your sys admins access, and you make it very
clear that *you* are the DBA, and that if they find
something significant, they should come to you about it;
they should not make changes themselves. A good sys admin
ought to understand that. After all, they are in much the
same boat. They don't want you mucking about too much with
the o/s.

I wouldn't try to fight this battle by attempting to lock
them out of your database in a technical manner, such as via
a password protection. After all, they are the sys admins,
and they can pretty much do anything. I'd approach this as a
management issue. It is a management issue. Go to your
management and point out that *you* are the DBA, that *you*
have bottom-line responsibility for the databases, and make
a case that your sys admins are abusing their privileges,
and thereby compromising your ability to maintain a stable
database environment. A good manager will understand that.

But first I'd try to work with my sys admin in a more
friendly manner. If he just wants to monitor, and is willing
to commit to not making a *change*, then why not let him
have at it? He might learn something about Oracle and become
a useful ally. Or he might lose interest after awhile.

Best regards,

Jonathan Gennick --- Brighten the corner where you are
http://Gennick.com * 906.387.1698 * mailto:[EMAIL PROTECTED]

Join the Oracle-article list and receive one
article on Oracle technologies per month by 
email. To join, visit http://four.pairlist.net/mailman/listinfo/oracle-article, 
or send email to [EMAIL PROTECTED] and 
include the word "subscribe" in either the subject or body.

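As an added illustration (not part of Jonathan's post or the thread) of the "safer" login he describes: a password-authenticated account that can read a fixed set of V$ views and nothing else. The role, user and tablespace names and the password are assumptions to adapt locally; the statements are standard Oracle 8i SQL, run as SYS or another DBA.

```sql
-- Added example, not from the thread. Assumed names: role DB_MONITOR,
-- user SYSADM_MON, tablespaces USERS and TEMP; the password is a placeholder.

-- 1. A role that carries only SELECT on the dynamic performance views the
--    monitoring scripts need. V$SESSION and friends are public synonyms for
--    the SYS.V_$ views, so the grants go on the V_$ objects.
CREATE ROLE db_monitor;

GRANT SELECT ON sys.v_$instance       TO db_monitor;
GRANT SELECT ON sys.v_$database       TO db_monitor;
GRANT SELECT ON sys.v_$session        TO db_monitor;
GRANT SELECT ON sys.v_$process        TO db_monitor;
GRANT SELECT ON sys.v_$sysstat        TO db_monitor;
GRANT SELECT ON sys.v_$system_event   TO db_monitor;
GRANT SELECT ON sys.v_$lock           TO db_monitor;
GRANT SELECT ON sys.v_$log            TO db_monitor;
GRANT SELECT ON sys.v_$parameter      TO db_monitor;
GRANT SELECT ON sys.v_$tablespace     TO db_monitor;
-- Space checks need two DBA_ views as well; nothing else from the dictionary.
GRANT SELECT ON sys.dba_data_files    TO db_monitor;
GRANT SELECT ON sys.dba_free_space    TO db_monitor;

-- 2. A password-authenticated account (IDENTIFIED BY, not IDENTIFIED
--    EXTERNALLY), so it does not ride on OS authentication or the dba group.
--    Zero quota: the account cannot create objects even by accident.
CREATE USER sysadm_mon IDENTIFIED BY "CHANGE_ME_PLACEHOLDER"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 0 ON users;

GRANT CREATE SESSION TO sysadm_mon;   -- the only system privilege it gets
GRANT db_monitor     TO sysadm_mon;

-- 3. Record every logon and logoff of this account. AUDIT_TRAIL must be set
--    to DB or OS in the init.ora; otherwise the statement is accepted but
--    no audit records are written.
AUDIT SESSION BY sysadm_mon;

-- 4. Verify the result is as narrow as intended: expect exactly one system
--    privilege (CREATE SESSION), one role (DB_MONITOR) and the twelve
--    object grants listed above.
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'SYSADM_MON';
SELECT granted_role FROM dba_role_privs WHERE grantee = 'SYSADM_MON';
SELECT owner, table_name
  FROM dba_tab_privs
 WHERE grantee = 'DB_MONITOR'
 ORDER BY table_name;

-- 5. What the sysadmin can do from the new login (after
--    CONNECT sysadm_mon/CHANGE_ME_PLACEHOLDER): the usual "is the database
--    up, who is connected" checks.
SELECT instance_name, status, startup_time FROM v$instance;

SELECT username, COUNT(*) AS sessions
  FROM v$session
 WHERE type = 'USER'
 GROUP BY username;

-- What the login cannot do: selecting from an application table (a payroll
-- table, say) fails with ORA-00942 "table or view does not exist", because
-- the account holds no object privilege on it and no SELECT ANY TABLE.
```

If a monitoring script later needs another view, extend the role with one more GRANT rather than handing out a DBA role; the dba_tab_privs query in step 4 then remains the complete inventory of what the sysadmins can read.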



RE: How to keep "root" out?

2003-08-28 Thread Mark Leith
Should keep the Unix weenies from bugging your database for at least a short
time, if all else fails! ;)



-Original Message-
Brian McGraw
Sent: 28 August 2003 17:35
To: Multiple recipients of list ORACLE-L


Help... my database isn't coming up anymore!!  ;)

Brian

-Original Message-
Mark Leith
Sent: Thursday, August 28, 2003 11:24 AM
To: Multiple recipients of list ORACLE-L

"rm -r *" at root.

:>



-Original Message-
[EMAIL PROTECTED]
Sent: 28 August 2003 17:10
To: Multiple recipients of list ORACLE-L


Sadly for you there is no way to stop them using it. You could check and
see if root is part of the dba group and have a sysadmin remove it,
and if you succeed then they need only to su - oracle and they can still
do it; this may then, if configured, show up in a su log.

I think you need to firstly discuss it with them and then if the
response is unsuitable you need to document the facts and present it to your
manager for him to determine what is acceptable.

Tough one to call

Cheers


--
=
Peter McLarty            E-mail: [EMAIL PROTECTED]
Technical Consultant     WWW: http://www.mincom.com
APAC Technical Services  Phone: +61 (0)7 3303 3461
Brisbane, Australia      Mobile: +61 (0)402 094 238
                         Facsimile: +61 (0)7 3303 3048
=

RE: How to keep "root" out?

2003-08-28 Thread Brian McGraw
Help... my database isn't coming up anymore!!  ;)

Brian

-Original Message-
Mark Leith
Sent: Thursday, August 28, 2003 11:24 AM
To: Multiple recipients of list ORACLE-L

"rm -r *" at root.

:>



-Original Message-
[EMAIL PROTECTED]
Sent: 28 August 2003 17:10
To: Multiple recipients of list ORACLE-L


Sadly for you there is no way to stop them using it, you could check and

see of root is part of the dba group and have a sysadmin remove it.
and if you succeed then they need only to su - oracle and they can still

do it, this may then if configured show up in a su log.

I think you need to firstly discuss it with them and then if the
response 
is unsuitable you need to document the facts and present it to your 
manager for him to determine what is acceptable.


Tough one to call 

Cheers


--
=
Peter McLarty   E-mail: [EMAIL PROTECTED]
Technical ConsultantWWW: http://www.mincom.com
APAC Technical Services Phone: +61 (0)7 3303 3461
Brisbane,  AustraliaMobile: +61 (0)402 094 238
Facsimile: +61 (0)7 3303 3048
=
"If people did not sometimes do silly things, nothing intelligent would 
ever
get done." 
   - Ludwig Wittgenstein
=
Mincom "The People, The Experience, The Vision"

=

This transmission is for the intended addressee only and is confidential

information. If you have received this transmission in error, please 
delete it and notify the sender. The contents of this e-mail are the 
opinion of the writer only and are not endorsed by the Mincom Group of 
companies unless expressly stated otherwise. 






Walter K <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
29/08/2003 01:34 AM
Please respond to ORACLE-L

 
To: Multiple recipients of list ORACLE-L
<[EMAIL PROTECTED]>
cc: 
Subject:How to keep "root" out?


Just for grins, I'll ask this question... Is there any way to keep the 
Unix "root" user from logging into the database (i.e. connect internal
or 
/ as sysdba)? Currently using 8.1.7.4 on Solaris 8 here.
 
We have a couple people in our Unix admin group that feel the need to 
"help" by writing their own DB monitoring scripts. Of course, they don't

know what they're talking about. They do not have formal logins for the 
database, but since they are root users they are connecting via "connect

internal". This is not only counterproductive but actually a potential 
security issue--just because someone has root doesn't necessarily
entitle 
them to see the data in the database. What if it is a payroll database?
 
So, I'm curious, is there any way to prevent access via "connect
internal" 
or "/ as sysdba"?
 
Thanks in advance.
 
W


Author: Mark Leith
  INET: [EMAIL PROTECTED]

Author: Brian McGraw
  INET: [EMAIL PROTECTED]


RE: How to keep "root" out?

2003-08-28 Thread DENNIS WILLIAMS
Walter
   You may be able to approach this from a security aspect. You could
discuss with your management whether it is a good idea for the system
administrators to be in a database. Depending on the security or SLA
requirements of the database, you may have some leverage there.



Dennis Williams 
DBA, 80%OCP, 100% DBA 
Lifetouch, Inc. 
[EMAIL PROTECTED] 

-Original Message-
Sent: Thursday, August 28, 2003 11:10 AM
To: Multiple recipients of list ORACLE-L


Well, first of all, root should not be in your dba group...

-Original Message-
Sent: Thursday, August 28, 2003 8:34 AM
To: Multiple recipients of list ORACLE-L



Author: DENNIS WILLIAMS
  INET: [EMAIL PROTECTED]



RE: How to keep "root" out?

2003-08-28 Thread Mark Leith
"rm -r *" at root.

:>



-Original Message-
[EMAIL PROTECTED]
Sent: 28 August 2003 17:10
To: Multiple recipients of list ORACLE-L


Sadly for you there is no way to stop them using it. You could check and
see if root is part of the dba group and have a sysadmin remove it.
And if you succeed then they need only to su - oracle and they can still
do it; this may then, if configured, show up in a su log.

I think you need to firstly discuss it with them and then, if the response
is unsuitable, you need to document the facts and present it to your
manager for him to determine what is acceptable.


Tough one to call 

Cheers


Author: Mark Leith
  INET: [EMAIL PROTECTED]




RE: How to keep "root" out?

2003-08-28 Thread Goulet, Dick



Walter,

    First question: why are they logging on as "root" in the first
place? That is akin to logging into the database as sys all the
time, namely something to be avoided at all cost.

Dick Goulet, Senior Oracle DBA, Oracle Certified 8i DBA

  -Original Message-
  From: Walter K [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, August 28, 2003 11:34 AM
  To: Multiple recipients of list ORACLE-L
  Subject: How to keep "root" out?


RE: How to keep "root" out?

2003-08-28 Thread Vergara, Michael (TEM)



Well, first of all, root should not be in your dba group...

  -Original Message-
  From: Walter K [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, August 28, 2003 8:34 AM
  To: Multiple recipients of list ORACLE-L
  Subject: How to keep "root" out?


Re: How to keep "root" out?

2003-08-28 Thread Peter . McLarty
Sadly for you there is no way to stop them using it. You could check and
see if root is part of the dba group and have a sysadmin remove it.
And if you succeed then they need only to su - oracle and they can still
do it; this may then, if configured, show up in a su log.

I think you need to firstly discuss it with them and then, if the response
is unsuitable, you need to document the facts and present it to your
manager for him to determine what is acceptable.


Tough one to call 

Cheers


--
=
Peter McLarty              E-mail: [EMAIL PROTECTED]
Technical Consultant       WWW: http://www.mincom.com
APAC Technical Services    Phone: +61 (0)7 3303 3461
Brisbane, Australia        Mobile: +61 (0)402 094 238
                           Facsimile: +61 (0)7 3303 3048
=
"If people did not sometimes do silly things, nothing intelligent would
ever get done."
   - Ludwig Wittgenstein
=
Mincom "The People, The Experience, The Vision"

=







Walter K <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
29/08/2003 01:34 AM
Please respond to ORACLE-L

 
To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
cc: 
Subject: How to keep "root" out?


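One way to check the point Vergara and McLarty make (is root in the dba group?) on the OS side, as an added example that is not part of any message in this thread: it lists every account that gets OSDBA authentication (and so "/ as sysdba" without a password) from constructed /etc/group and /etc/passwd samples, including accounts whose primary group is dba, which a plain grep of /etc/group would miss. The group name dba, the sample entries and the function names are assumptions.

```shell
# Added example, not from the thread. The two files below are constructed
# samples standing in for /etc/group and /etc/passwd; the OSDBA group is
# assumed to be "dba". A user whose *primary* group is dba appears only in
# /etc/passwd (4th field), never in the member list of /etc/group.
SAMPLE_GROUP=$(mktemp)
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP" "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_GROUP" <<'EOF'
root::0:
dba::101:oracle,root
oinstall::102:oracle
EOF
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
oracle:x:1001:102:Oracle owner:/export/home/oracle:/bin/ksh
monitor:x:1002:101:Ops monitoring:/export/home/monitor:/bin/ksh
EOF

# osdba_members GROUPFILE PASSWDFILE [GROUPNAME]
# Prints every account in the OSDBA group, one per line, sorted, whether it
# got there through the supplementary member list or through its primary GID.
osdba_members() {
    grp=${3:-dba}
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$1")
    [ -n "$gid" ] || return 1          # no such group: nothing to report
    {
        # supplementary members: 4th field of the group entry, comma separated
        awk -F: -v g="$grp" '$1 == g && $4 != "" {
            n = split($4, a, ","); for (i = 1; i <= n; i++) print a[i] }' "$1"
        # primary-group members: accounts whose GID field equals the dba gid
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | sort -u
}

# root_in_osdba GROUPFILE PASSWDFILE [GROUPNAME]
# Exit status 0 when root would get OSDBA authentication by either route.
root_in_osdba() {
    osdba_members "$1" "$2" "$3" | grep -qx root
}

osdba_members "$SAMPLE_GROUP" "$SAMPLE_PASSWD" dba
root_in_osdba "$SAMPLE_GROUP" "$SAMPLE_PASSWD" dba \
    && echo "root is in the OSDBA group: have it removed, and watch the su log for su - oracle"
```

The sample deliberately hides "monitor" in the primary-GID field so that the output shows three members while /etc/group names only two.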


RE: How to keep "root" out?

2003-08-28 Thread Guang Mei



Well, you can tell them "NOT" to do that. They can write scripts to monitor OS
performance, but the DBA is the one to monitor DB performance. You can also tell
them you will be writing scripts to monitor Unix performance and probably make
some changes in files in the /etc directory. If they insist on doing that,
write a message to them and cc their manager so that they are responsible if
something bad happens to the DB.
 
Guang

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Walter K
  Sent: Thursday, August 28, 2003 11:34 AM
  To: Multiple recipients of list ORACLE-L
  Subject: How to keep "root" out?


RE: How to keep "root" out?

2003-08-28 Thread Thater, William



 

  -Original Message-
  From: Walter K [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, August 28, 2003 11:34 AM
  To: Multiple recipients of list ORACLE-L
  Subject: How to keep "root" out?

  So, I'm curious, is there any way to prevent access via "connect
  internal" or "/ as sysdba"?

  [Shrek] Well, maybe there is, but then they could just do a "su - oracle"
  and get right back in.

  --
  Bill "Shrek" Thater  ORACLE DBA  BAARF Party member #25
  [EMAIL PROTECTED]

  Capital letters were always the best way of dealing with things you
  didn't have a good answer to. - Douglas Adams