RE: Fw: OT - Getting fired for database oops

You can also 'chattr +i filename' to make a file immutable.  Even root can't 
touch it that way.  (Unless of course, root turns off immutability.)

-Mark

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Tanel Poder
Sent: Wednesday, May 27, 2009 8:28 AM
To: dbvision@xxxxxxxxxxxx
Cc: oracle-l@xxxxxxxxxxxxx
Subject: RE: Fw: OT - Getting fired for database oops

Well the root ownership doesn't prevent you from renaming the original
sqlplus/admin directory to something else and cloning that directory back
using cp -rp, which would lose the root ownership bit.

If you set the whole tree as owned by root - then you can just clone your
whole directory to /tmp and run from there.

Also there are other tricks like using LD_PRELOAD env variable to redirect
some file opens to your custom files without the application knowing about
it. 

So the setting the root ownership wouldn't be a secure solution, it would be
"security by obscurity" at most.

--
Regards,
Tanel Poder
http://blog.tanelpoder.com

> > my favourite would be a preventive control, one which 
> simply does not 
> > allow oracle user to change glogin.sql just like that. A 
> drastic but 
> > effective implementation is to chown root glogin.sql and 
> make it read 
> > only by oracle user (and the world). This would be 
> acceptable because 
> > you do not update this file often, only sqlplus reads it every time
> 
> 
> Good idea, and applicable to a lot of others as well.
> Thanks!
> 
> --
> Cheers
> Nuno Souto
> in rainy Sydney, Australia
> dbvision@xxxxxxxxxxxx
> --
> http://www.freelists.org/webpage/oracle-l
> 
> 

--
http://www.freelists.org/webpage/oracle-l




--
http://www.freelists.org/webpage/oracle-l


Other related posts: