Re: Oracle Installation on Windows

  • From: Niall Litchfield <niall.litchfield@xxxxxxxxx>
  • To: wjwagman@xxxxxxxxxxx
  • Date: Wed, 11 Feb 2009 06:39:26 +0000

There are a few rights that are given to LocalSystem that are not given to
the Administrators group, for example the 'ACT AS PART OF THE OPERATING
SYSTEM' right - you can see these in the local security policy control panel
applet (though you can't see their assignment to LocalSystem).

However this should not affect the *install* so long as your domain account
is directly a member of the *local* Administrators group - as opposed to
Domain Admins (I can't now recall why that made a difference in the past and
indeed it shouldn't, but it did back in the 806/815 days). The only occasion
that I'm aware of it making a difference is in the account that is used for
executing OS jobs using EM where you need 4 rights:

Log on as a batch job    -- self explanatory
Replace a process level token -- enables one service to start another
Act as part of the operating system -- enables impersonating any user
Increase memory quota for a process -- self explanatory

I suspect that item 3, particularly given the ability to create em jobs via
pl/sql and the ability to inject pl/sql into the db is a difficult to
exploit but potentially extremely dangerous security loophole, and to be
honest is a requirement that I don't understand. Arguably right 2 is
inappropriate as well.

Anyway if you also *run* the Oracle database under a different account, as
opposed to installing it under a different account then there *may* be
similar uses of non-default rights, I've never come across them except in
the EM case though.

On Tue, Feb 10, 2009 at 5:06 PM, William Wagman <wjwagman@xxxxxxxxxxx> wrote:

> Greetings,
>
> I'm having a conversation with one of my co-workers re privileges, oracle
> and windows. I am working with Windows Server 2003, 64-bit and Oracle 10gR2.
> Our standard practice is to create an Oracle account which is a member of
> the local administrators group, essentially full administrative rights on
> the box. The Oracle installation is done while logged in as the Oracle user.
> In one situation I encountered problems and Oracle had me uninstall and then
> reinstall while connected as the local admin account. I just installed the
> January 2009 CPU on a windows box and something broke. I opened an SR with
> Oracle, we solved the problem but again the question arose as to whether the
> installation had been done as Oracle or the local admin account with the
> suggestion that it might be necessary to uninstall and reinstall while
> connected as the local admin account. I have done quite a number of
> installations as Oracle rather than the local admin account as well as
> upgrades and patching but twice the question of who did the installation
> has arisen.
>
> My question, can someone explain why, if oracle is a member of the
> administrators group with full administrative rights on the box it would
> matter whether the installation is done as Oracle or the local admin
> account? Is there documentation available which might give me some more
> insight into this question?
>
> Thanks.
>
> Bill Wagman
> Univ. of California at Davis
> IET Campus Data Center
> wjwagman@xxxxxxxxxxx
> (530) 754-6208
>


-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info
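
Added example, not part of the original post: a way to audit which accounts hold the four rights listed above, by parsing the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` file. The sample export, the `EXAMPLE\oraem` account and the set of SIDs treated as built-in are assumptions made for this illustration.

```python
import configparser

# The four rights named in the post, by their constant names in a
# `secedit /export /areas USER_RIGHTS` INF file.
EM_JOB_RIGHTS = {
    "SeBatchLogonRight": "Log on as a batch job",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeIncreaseQuotaPrivilege": "Increase memory quota for a process",
}
# Assumption: these well-known SIDs are treated as built-in principals and
# not reported (LocalSystem, LocalService, NetworkService, Administrators).
BUILTIN = {"*S-1-5-18", "*S-1-5-19", "*S-1-5-20", "*S-1-5-32-544"}

# Constructed sample export; the account name is invented.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,EXAMPLE\\oraem
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,EXAMPLE\\oraem
SeTcbPrivilege = EXAMPLE\\oraem
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def audit_rights(inf_text):
    """Return {right: [non-built-in holders]} for the four EM job rights."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.optionxform = str  # keep the case of the Se* names
    cp.read_string(inf_text)
    findings = {}
    if not cp.has_section("Privilege Rights"):
        return findings
    for right in EM_JOB_RIGHTS:
        raw = cp.get("Privilege Rights", right, fallback="")
        holders = [h.strip() for h in raw.split(",") if h.strip()]
        extra = [h for h in holders if h not in BUILTIN]
        if extra:
            findings[right] = extra
    return findings

if __name__ == "__main__":
    for right, holders in audit_rights(SAMPLE_INF).items():
        print(f"{right} ({EM_JOB_RIGHTS[right]}): {', '.join(holders)}")
```

A real export is typically written as UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit_rights`.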
