Solved

stop su - oracle as root

Posted on 2011-02-22
Last Modified: 2012-05-11
Simple question: is it possible to prompt root users to enter a password when starting Oracle?

For example, log in as root:
su - oracle
/ as sysdba

I need to stop this as it doesn't require a password. Operating systems: Solaris and Linux.
0
Comment
Question by:enigma1234567890
11 Comments
 
LVL 77

Expert Comment

by:slightwv (Netminder)
ID: 34951610
root can do whatever root wants.

As 'oracle', it can do whatever it wants to the database.
0
 
LVL 77

Expert Comment

by:slightwv (Netminder)
ID: 34951627
There are a lot of links out there that talk about restricting root login as well as restricting database login.

Which one are you really after?
0
 

Author Comment

by:enigma1234567890
ID: 34951633
still looking for a way to stop this so that any user starting Oracle needs to enter a password.  Even if the user is root
0
 
LVL 77

Expert Comment

by:slightwv (Netminder)
ID: 34951652
If you can figure out a way, then Oracle cannot shutdown or restart properly when the server shuts down or reboots?

I really can't think of a way to stop this from happening unless you restrict direct logins as root and the oracle user.
0
 
LVL 11

Expert Comment

by:jgiordano
ID: 34951678
You could restrict remote login to root using ssh, then only allow administrators to su - root. By doing this you know who is changing to root at the time the database is started.

As already stated, root is all powerful for a reason. If your System Administrator can't cooperate and not start the database without the DBA there are procedural issues also.
0
 
LVL 77

Expert Comment

by:slightwv (Netminder)
ID: 34951702
Many shops secure direct root login and run programs like sudo to restrict/track individual user commands.

This may not keep someone from starting the database but it will tell you 'who' did it.
0
 
LVL 77

Expert Comment

by:arnold
ID: 34952375
The short answer is you cannot limit root.

As others pointed out, using sudo to control what specific individuals can and cannot do is the only way.

As long as a user cannot run su - to gain root level access or sudo <Shell name> or sudo <any editor>, the user would need to know the oracle user login or run the dbstart/dbstop scripts.

Are you the DB admin who wants to limit the rights of a systems Admin?
0
 
LVL 11

Expert Comment

by:jgiordano
ID: 34953002
I think this is what you might want to try but I am not a dba so you should research it more.

http://oracle.ittoolbox.com/groups/technical-functional/oracle-db-l/disable-connecting-sys-as-sysdba-and-sysman-557532



thanks for all your help. it really worked well. all i had to do was to remove the ORA_DBA privilege from the administrator account. Now no one can connect to sys without a password or sysman using the default password. thank you very much. somebody also told to use SQLNET.AUTHENTICATION_SERVICES = NONE in the sqlnet.ora file. is it required?
thanks.

or there are some solutions here

http://www.orafaq.com/forum/t/21698/2/
0
 
LVL 77

Expert Comment

by:slightwv (Netminder)
ID: 34953061
The information in that link is a BAD idea.  Oracle needs to shutdown the database gracefully when the server is shut down.

You follow that link and it will not shut down properly.
0
 
LVL 11

Expert Comment

by:jgiordano
ID: 34953230
slightwv - which one, I am curious.  I am not a dba so would like to know for future reference.
0
 
LVL 77

Accepted Solution

by:
slightwv (Netminder) earned 500 total points
ID: 34953292
Removing the oracle owner from the dba group (ORA_DBA is Windows).

Oracle connects with '/ as sysdba' which connects you as SYS (the oracle equivalent of root) to run the shutdown script in the rc folders.

Any user in the 'dba' group has this ability.
0
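
An added example, not part of the original thread or any poster's code: a shell audit of the two controls discussed above, namely which OS accounts are in the 'dba' group (and so can connect with '/ as sysdba' without a password) and whether direct root SSH login is disabled. The group name 'dba' follows the thread; the function names and all file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit who can reach password-less '/ as sysdba'.
# Assumption: the OSDBA group is named 'dba', as in the thread.

# dba_members GROUP_FILE PASSWD_FILE [GROUP]
# Prints every account in GROUP, sorted: names in the group file's member
# field plus accounts whose primary GID in the passwd file is the group's GID.
dba_members() {
    group_name=${3:-dba}
    gid=$(awk -F: -v g="$group_name" '$1 == g { print $3; exit }' "$1")
    [ -n "$gid" ] || return 1        # group not defined in this file
    {
        awk -F: -v g="$group_name" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$1"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | sort -u
}

# root_ssh_setting SSHD_CONFIG
# Prints the first global PermitRootLogin value (sshd keeps the first value
# it reads), or "unset" so the reviewer checks the build's default.
# Match blocks are not evaluated.
root_ssh_setting() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Constructed sample files (not from the original page).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'root:x:0:' 'oinstall:x:500:oracle' 'dba:x:501:oracle,jsmith' > "$demo/group"
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
    'oracle:x:500:500::/home/oracle:/bin/sh' \
    'jsmith:x:1001:100::/home/jsmith:/bin/sh' \
    'batch:x:1002:501::/home/batch:/bin/sh' > "$demo/passwd"
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' > "$demo/sshd_config"

echo "Accounts in dba (OS-authenticated SYSDBA):"
dba_members "$demo/group" "$demo/passwd" | sed 's/^/  /'
echo "PermitRootLogin: $(root_ssh_setting "$demo/sshd_config")"
```

The 'batch' account in the sample appears only because its primary GID is the dba GID; it is not listed in the group file's member field, which is the case a quick look at /etc/group misses.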
