Re: DBAs running root.sh
- From: Austin Hackett <hacketta_57@xxxxxx>
- To: Chris Taylor <christopherdtaylor1994@xxxxxxxxx>
- Date: Mon, 03 Feb 2014 17:28:16 +0000
Hi Chris
Thanks for your response.
So, I think you are saying it's possible to configure sudo like this:
If I can only run myscript.sh as root and myscript.sh does "/bin/rm -fr /" ,
the script will fail because i don't have "/bin/rm" as root.
Have I got that right?
On 3 Feb 2014, at 17:15, Chris Taylor <christopherdtaylor1994@xxxxxxxxx> wrote:
> sudo is setup to limit what you can run - so even if you have sudo access and
> you modify the root.sh script, you can still _only_ run what you have sudo
> access to do. So, as long as your sudo setup is correct, there is nothing
> you can do in the root.sh script that can cause damage. Another way to look
> at it - if you have sudo access and there is something damaging you can do,
> you can do it without modifying the root.sh script. The dependency here is
> that sudo is setup correctly.
>
> Chris
>
>
>
> On Mon, Feb 3, 2014 at 11:08 AM, Austin Hackett <hacketta_57@xxxxxx> wrote:
> Hi List
>
> If you work in a security conscious environment, I'd be keen to hear how your
> site handles the root.sh script.
>
> To give you some background:
>
> In my environment, DBAs are currently given direct root access to allow them
> to run root.sh. However, the SA Team would like to tighten this up. If giving
> the DBAs direct root access isn't acceptable (not even temporarily) then two
> options spring to my mind:
>
> 1) SA team run root.sh on behalf of the DBAs. Geography and logistics in my
> organisation are such that having an SA walk over to the DBAs desk is a
> realistic option. Our SAs aren't keen on this approach
> 2) Give DBAs the ability to run root.sh as the root user via sudo. This, of
> course, means that DBAs can run anything they like by editing root.sh, so
> doesn't really help. Understandably our SAs don't like this approach
>
> I am being asked to look into keeping Oracle software version specific
> root.sh scripts in a root-owned location (we are Linux only, so no
> multi-platform concerns). This would allow for secure sudo privileges. We'd
> need these for RDBMS, Grid Infrastructure, and Client.
>
> However, I've explained the scripts are dynamically generated by
> runInstaller and have the Oracle Home path hard-coded into them. We'd need a
> root-owned root.sh for every distinct ORACLE_HOME path we create (some hosts
> have multiple homes, so there's dbhome_1, dbhome_2 etc.). Maybe there are
> other considerations that I'm unaware of - I don't really like to second
> guess what else is going on in the "closed box" of the OUI that could be host
> dependent.
>
> To my mind, taking this non-standard approach is more risky than having
> someone run the script on our behalf, even if it risks introducing delays
> into the build process.
>
> How is this handled in your organisation? Have you ever been asked to have a
> centralised set of root.sh scripts under root control for this reason? Have
> you made it work?
>
> If anyone has some time to share their experiences, it would be much
> appreciated.
>
> Regards
>
> Austin
>
>
>
>
>
>
> --
> //www.freelists.org/webpage/oracle-l
>
>
>
Other related posts:
