Re: Fw: OT - Getting fired for database oops

Hi Tanel,

the root ownership of ?/sqlplus/admin/glogin.sql prevents the oracle
database (& listener) process from writing into glogin.sql. What I want to
achieve is that no one remotely can tamper with glogin.sql through database
calls or listener manipulation, remotely. A dba logged on to the box can do
the things you mention for sure.


Regards,
Andre

2009/5/27 Tanel Poder <tanel@xxxxxxxxxx>

> Well the root ownership doesn't prevent you from renaming the original
> sqlplus/admin directory to something else and cloning that directory back
> using cp -rp, which would lose the root ownership bit.
>
> If you set the whole tree as owned by root - then you can just clone your
> whole directory to /tmp and run from there.
>
> Also there are other tricks like using LD_PRELOAD env variable to redirect
> some file opens to your custom files without the application knowing about
> it.
>
> So the setting the root ownership wouldn't be a secure solution, it would
> be
> "security by obscurity" at most.
>
> --
> Regards,
> Tanel Poder
> http://blog.tanelpoder.com
>
>  > > my favourite would be a preventive control, one which
> > simply does not
> > > allow oracle user to change glogin.sql just like that. A
> > drastic but
> > > effective implementation is to chown root glogin.sql and
> > make it read
> > > only by oracle user (and the world). This would be
> > acceptable because
> > > you do not update this file often, only sqlplus reads it every time
> >
> >
> > Good idea, and applicable to a lot of others as well.
> > Thanks!
> >
> > --
> > Cheers
> > Nuno Souto
> > in rainy Sydney, Australia
> > dbvision@xxxxxxxxxxxx
> > --
> > http://www.freelists.org/webpage/oracle-l
> >
> >
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

Other related posts: