DBAs running root.sh

  • From: Austin Hackett <hacketta_57@xxxxxx>
  • To: oracle-l digest users <oracle-l@xxxxxxxxxxxxx>
  • Date: Mon, 03 Feb 2014 17:08:10 +0000

Hi List

If you work in a security conscious environment, I'd be keen to hear how your 
site handles the root.sh script.

To give you some background:

In my environment, DBAs are currently given direct root access to allow them to 
run root.sh. However, the SA Team would like to tighten this up. If giving the 
DBAs direct root access isn't acceptable (not even temporarily) then two 
options spring to my mind:

1) SA team run root.sh on behalf of the DBAs. Geography and logistics in my 
organisation are such that having an SA walk over to the DBA's desk is a 
realistic option. Our SAs aren't keen on this approach.
2) Give DBAs the ability to run root.sh as the root user via sudo. This, of 
course, means that DBAs can run anything they like by editing root.sh, so 
doesn't really help. Understandably, our SAs don't like this approach.

I am being asked to look into keeping Oracle software version specific root.sh 
scripts in a root-owned location (we are Linux only, so no multi-platform 
concerns). This would allow for secure sudo privileges. We'd need these for 
RDBMS, Grid Infrastructure, and Client.

However, I've explained the scripts are dynamically generated by runInstaller 
and have the Oracle Home path hard-coded into them. We'd need a root-owned 
root.sh for every distinct ORACLE_HOME path we create (some hosts have multiple 
homes, so there's dbhome_1, dbhome_2 etc.). Maybe there are other 
considerations that I'm unaware of - I don't really like to second guess what 
else is going on in the "closed box" of the OUI that could be host dependent.

To my mind, taking this non-standard approach is more risky than having 
someone run the script on our behalf, even if it risks introducing delays into 
the build process.

How is this handled in your organisation? Have you ever been asked to have a 
centralised set of root.sh scripts under root control for this reason? Have you 
made it work?

If anyone has some time to share their experiences, it would be much 
appreciated.

Regards

Austin
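The objection to option 2 above is that a sudo rule pointing at a file the invoker can edit is equivalent to unrestricted root. The following is an added audit helper, not part of the original post or of any Oracle tooling: it checks whether a path named in a sudoers rule is actually safe to delegate (root-owned, not group/world writable, and the same for every directory above it up to a trusted top). It assumes GNU coreutils on Linux; the ORACLE_HOME path in the comment is illustrative.

```shell
#!/bin/sh
# Added audit helper (not from the original post). A sudoers rule such as
#   dba ALL=(root) /u01/app/oracle/product/VERSION/dbhome_1/root.sh
# delegates full root when root.sh lives in the DBA-owned ORACLE_HOME, because
# the invoker can edit or replace the target. A delegable target must be owned
# by root and not writable by group/other, and so must every directory above
# it up to a trusted top, or the file could simply be swapped out.
# Assumes GNU coreutils (readlink -f, stat -c); path and uids are examples.

# Usage: sudo_target_is_safe FILE [TOP] [OWNER_UID]
#   TOP        directory at which the upward walk stops (default /)
#   OWNER_UID  uid every checked path must be owned by (default 0 = root)
# Returns 0 if FILE and each directory from FILE up to TOP pass; otherwise
# prints the first offending path and returns 1.
sudo_target_is_safe() {
    file=$(readlink -f "$1") || return 1       # resolve symlinks first
    top=$(readlink -f "${2:-/}") || return 1
    owner=${3:-0}
    [ -f "$file" ] || { echo "not a regular file: $file"; return 1; }
    p=$file
    while :; do
        set -- $(stat -c '%u %A' "$p") || return 1   # e.g. "0 -rwxr-xr-x"
        uid=$1
        perms=$2
        # Symbolic mode: characters 6 and 9 are the group and other write bits.
        case "$perms" in
            ?????w*|????????w*)
                echo "writable by group/other: $p ($perms)"; return 1 ;;
        esac
        if [ "$uid" -ne "$owner" ]; then
            echo "not owned by uid $owner: $p (uid=$uid)"; return 1
        fi
        [ "$p" = "$top" ] && return 0
        [ "$p" = "/" ] && { echo "reached / before top $top"; return 1; }
        p=$(dirname "$p")
    done
}

# Allow use as a command line tool: ./check_sudo_target.sh FILE [TOP] [UID]
if [ $# -gt 0 ]; then
    sudo_target_is_safe "$@"
fi
```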

--
//www.freelists.org/webpage/oracle-l