You can also 'chattr +i filename' to make a file immutable. Even root can't touch it that way. (Unless of course, root turns off immutability.)

-Mark

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Tanel Poder
Sent: Wednesday, May 27, 2009 8:28 AM
To: dbvision@xxxxxxxxxxxx
Cc: oracle-l@xxxxxxxxxxxxx
Subject: RE: Fw: OT - Getting fired for database oops

Well the root ownership doesn't prevent you from renaming the original sqlplus/admin directory to something else and cloning that directory back using cp -rp, which would lose the root ownership bit.

If you set the whole tree as owned by root - then you can just clone your whole directory to /tmp and run from there. Also there are other tricks like using LD_PRELOAD env variable to redirect some file opens to your custom files without the application knowing about it.

So setting the root ownership wouldn't be a secure solution, it would be "security by obscurity" at most.

--
Regards,
Tanel Poder
http://blog.tanelpoder.com

> > my favourite would be a preventive control, one which simply does not
> > allow oracle user to change glogin.sql just like that. A drastic but
> > effective implementation is to chown root glogin.sql and make it read
> > only by oracle user (and the world). This would be acceptable because
> > you do not update this file often, only sqlplus reads it every time
>
> Good idea, and applicable to a lot of others as well.
> Thanks!
>
> --
> Cheers
> Nuno Souto
> in rainy Sydney, Australia
> dbvision@xxxxxxxxxxxx
> --
> //www.freelists.org/webpage/oracle-l

--
//www.freelists.org/webpage/oracle-l
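Added example, not part of the original thread: a small audit for the first weakness raised above, where glogin.sql is read-only and owned by a trusted account but a directory above it can still be changed by someone else. The function name, the stop_at parameter and the constructed temporary tree are assumptions made for illustration, and the current uid stands in for root so the demo runs unprivileged; it does not cover running from a cloned copy or LD_PRELOAD.

```python
import os
import stat
import tempfile

def audit_path(target, trusted_uids=(0,), stop_at="/"):
    """Check target and each ancestor directory up to stop_at.

    Returns (path, problem) tuples for entries that a non-trusted user
    could replace, rename or rewrite.
    """
    findings = []
    path = os.path.realpath(target)
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.lstat(path)
        kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
        if st.st_uid not in trusted_uids:
            findings.append((path, f"{kind} owned by uid {st.st_uid}"))
        # Conservative: sticky-bit directories are reported as well.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, f"{kind} is group/world-writable"))
        parent = os.path.dirname(path)
        if path == stop_at or parent == path:
            return findings
        path = parent

def demo():
    """Constructed tree; the current uid stands in for root."""
    me = (os.getuid(),)
    with tempfile.TemporaryDirectory() as base:
        admin = os.path.join(base, "sqlplus", "admin")
        os.makedirs(admin)
        glogin = os.path.join(admin, "glogin.sql")
        with open(glogin, "w") as fh:
            fh.write("-- constructed sample\n")
        os.chmod(glogin, 0o444)   # file itself is read-only
        os.chmod(admin, 0o755)
        os.chmod(os.path.join(base, "sqlplus"), 0o775)  # weak ancestor
        before = audit_path(glogin, me, stop_at=base)
        os.chmod(os.path.join(base, "sqlplus"), 0o755)  # tightened
        after = audit_path(glogin, me, stop_at=base)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    for path, problem in before:
        print("FINDING:", path, "-", problem)
    print("after tightening:", after)
```

On a real host, call audit_path with the actual glogin.sql path and the default trusted_uids=(0,) so that every ancestor up to / is checked.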