Re: Fw: OT - Getting fired for database oops

  • From: Andre van Winssen <dreveewee@xxxxxxxxx>
  • To: tanel@xxxxxxxxxx
  • Date: Wed, 27 May 2009 15:55:42 +0200

Hi Tanel,

the root ownership of ?/sqlplus/admin/glogin.sql prevents the oracle
database (and listener) process from writing into glogin.sql. What I want to
achieve is that no one can remotely tamper with glogin.sql through database
calls or listener manipulation. A DBA logged on to the box can do the
things you mention, for sure.


Regards,
Andre

2009/5/27 Tanel Poder <tanel@xxxxxxxxxx>

> Well the root ownership doesn't prevent you from renaming the original
> sqlplus/admin directory to something else and cloning that directory back
> using cp -rp, which would lose the root ownership bit.
>
> If you set the whole tree as owned by root - then you can just clone your
> whole directory to /tmp and run from there.
>
> Also there are other tricks like using LD_PRELOAD env variable to redirect
> some file opens to your custom files without the application knowing about
> it.
>
> So setting the root ownership wouldn't be a secure solution; it would be
> "security by obscurity" at most.
>
> --
> Regards,
> Tanel Poder
> http://blog.tanelpoder.com
>
> > > my favourite would be a preventive control, one which simply does not
> > > allow oracle user to change glogin.sql just like that. A drastic but
> > > effective implementation is to chown root glogin.sql and make it read
> > > only by oracle user (and the world). This would be acceptable because
> > > you do not update this file often, only sqlplus reads it every time
> >
> >
> > Good idea, and applicable to a lot of others as well.
> > Thanks!
> >
> > --
> > Cheers
> > Nuno Souto
> > in rainy Sydney, Australia
> > dbvision@xxxxxxxxxxxx
> > --
> > //www.freelists.org/webpage/oracle-l
> >
> >
>
> --
> //www.freelists.org/webpage/oracle-l
>
>
>

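Added example (not part of the thread, not Oracle's code): a POSIX sh audit of the controls the thread argues about. It checks that glogin.sql and its admin directory are owned by the expected user (root under Andre's proposal; the directory matters because an oracle-owned parent lets the rename-and-cp-rp trick Tanel describes replace the whole directory), that neither is group/world writable, that the file still matches a baseline SHA-256 recorded at deploy time, and that the two bypasses Tanel mentions leave no trace in the environment: LD_PRELOAD is unset and the sqlplus on PATH resolves under the expected ORACLE_HOME rather than a cloned tree in /tmp. The function name, the expected-owner and baseline-hash parameters, and the use of GNU stat and sha256sum are assumptions of this example; the $ORACLE_HOME/sqlplus/admin/glogin.sql location is the same one the thread refers to as ?/sqlplus/admin/glogin.sql. As Tanel's point stands, this is a detective check, not a preventive one: a local user who runs a private copy of sqlplus is not stopped by it, only flagged.

```shell
#!/bin/sh
# audit_glogin ORACLE_HOME EXPECTED_OWNER BASELINE_SHA256
# Returns 0 when every check passes, 1 otherwise, printing each failure.
# Hypothetical helper written for this example; not from the oracle-l thread.
audit_glogin() {
    oh="$1"; owner="$2"; baseline="$3"
    d="$oh/sqlplus/admin"
    f="$d/glogin.sql"
    rc=0

    # 1. Ownership of the file AND its directory. If oracle owns admin/, it
    #    can rename the directory and recreate it with its own glogin.sql,
    #    so root ownership of the file alone buys little (Tanel's cp -rp point).
    for p in "$d" "$f"; do
        have=$(stat -c '%U' "$p" 2>/dev/null) || { echo "missing: $p"; rc=1; continue; }
        [ "$have" = "$owner" ] || { echo "owner of $p is $have, expected $owner"; rc=1; }
    done

    # 2. Mode: no write bit for group or other. stat %a may print four digits
    #    (setgid/sticky), so keep only the last three before matching.
    for p in "$d" "$f"; do
        mode=$(stat -c '%a' "$p" 2>/dev/null) || continue
        mode=${mode#"${mode%???}"}
        case "$mode" in
            ?[2367]?|??[2367]) echo "$p is group/world writable (mode $mode)"; rc=1 ;;
        esac
    done

    # 3. Content: compare against the hash recorded when the file was deployed.
    have=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1)
    [ "$have" = "$baseline" ] || { echo "glogin.sql hash '$have' != baseline"; rc=1; }

    # 4. Environment: an LD_PRELOAD shim can redirect the open() of glogin.sql,
    #    and a cloned tree elsewhere reads its own copy. Neither is stopped by
    #    file ownership, so at least surface the signs.
    [ -z "$LD_PRELOAD" ] || { echo "LD_PRELOAD is set: $LD_PRELOAD"; rc=1; }
    bin=$(command -v sqlplus 2>/dev/null)
    if [ -n "$bin" ]; then
        case "$bin" in
            "$oh"/bin/sqlplus) ;;
            *) echo "sqlplus on PATH is $bin, not under $oh"; rc=1 ;;
        esac
    fi
    return $rc
}

# Example invocation on a real box (baseline taken at deploy time):
#   audit_glogin "$ORACLE_HOME" root "$(cat /etc/glogin.sha256)"
```

Run it from cron or a monitoring agent as a user other than oracle, so that a compromised oracle account cannot silently edit both the file and the baseline; the baseline hash should live outside ORACLE_HOME for the same reason.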