Hi Tanel,

The root ownership of ?/sqlplus/admin/glogin.sql prevents the oracle database (& listener) process from writing into glogin.sql. What I want to achieve is that no one remotely can tamper with glogin.sql through database calls or listener manipulation, remotely. A dba logged on to the box can do the things you mention for sure.

Regards,
Andre

2009/5/27 Tanel Poder <tanel@xxxxxxxxxx>

> Well the root ownership doesn't prevent you from renaming the original
> sqlplus/admin directory to something else and cloning that directory back
> using cp -rp, which would lose the root ownership bit.
>
> If you set the whole tree as owned by root - then you can just clone your
> whole directory to /tmp and run from there.
>
> Also there are other tricks like using LD_PRELOAD env variable to redirect
> some file opens to your custom files without the application knowing about
> it.
>
> So setting the root ownership wouldn't be a secure solution, it would be
> "security by obscurity" at most.
>
> --
> Regards,
> Tanel Poder
> http://blog.tanelpoder.com
>
> > > my favourite would be a preventive control, one which simply does not
> > > allow oracle user to change glogin.sql just like that. A drastic but
> > > effective implementation is to chown root glogin.sql and make it read
> > > only by oracle user (and the world). This would be acceptable because
> > > you do not update this file often, only sqlplus reads it every time
> >
> > Good idea, and applicable to a lot of others as well.
> > Thanks!
> >
> > --
> > Cheers
> > Nuno Souto
> > in rainy Sydney, Australia
> > dbvision@xxxxxxxxxxxx
> > --
> > //www.freelists.org/webpage/oracle-l
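
The directory-rename point in the quoted reply comes down to who can write to each directory above glogin.sql, so a check of the file alone is not enough. As an added example (not part of the original thread), this POSIX shell function walks from the file up to a chosen top directory and reports every component that is not owned by the trusted uid or is writable by group or other. The function name, its arguments and the choice of top directory are assumptions, and it covers only the ownership chain, not the copy-elsewhere or LD_PRELOAD cases raised in the thread.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# audit_chain FILE TOP [TRUSTED_UID]
#   Walks FILE and each parent directory up to and including TOP.
#   A component is reported when its owner is not TRUSTED_UID (default 0,
#   root) or when group/other have write permission, because write access
#   to a directory is enough to rename or replace what it contains.
#   Symlinks list as lrwxrwxrwx and are therefore reported; resolve first.
#   Returns 0 if clean, 1 if anything was reported, 2 if ls fails.
audit_chain() {
    p=$1 top=$2 trusted=${3:-0} findings=0
    while :; do
        line=$(ls -ldn "$p") || return 2
        # ls -ldn fields: mode, link count, numeric uid, ...
        read -r mode _links uid _rest <<EOF
$line
EOF
        if [ "$uid" != "$trusted" ]; then
            echo "owner uid=$uid (want $trusted): $p"
            findings=$((findings + 1))
        fi
        case $mode in
            ?????w*|????????w*)   # char 6 = group write, char 9 = other write
                echo "group/other writable ($mode): $p"
                findings=$((findings + 1)) ;;
        esac
        # Stop at TOP; "/" and "." guard against a FILE that is not under TOP.
        case $p in "$top"|/|.) break ;; esac
        p=$(dirname "$p")
    done
    [ "$findings" -eq 0 ]
}

# Usage, with ORACLE_HOME standing in for the "?" in the path above:
#   audit_chain "$ORACLE_HOME/sqlplus/admin/glogin.sql" "$ORACLE_HOME"
if [ "$#" -ge 2 ]; then audit_chain "$@"; fi
```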