[ale] Access Control Challenge

Dow Hurst dhurst at kennesaw.edu
Tue May 25 10:25:58 EDT 2004


Without a thorough understanding of Oracle it isn't easy to even comment. 
However, would Unix groups help you?  Isolate the DBA people as a common 
group?  How about ACLs?  Would those help you?
Dow


Thomas Wood wrote:
> Having a bit of trouble coming up with a clean solution for this problem 
> at work.  Wanted to see if anybody else had bumped into it.  I've 
> already searched Google and the answers, such as they were, aren't 
> satisfactory.  So here it is.
> 
> I'm trying to enforce a little developer control by using sudo to limit 
> who can be root and oracle.  I've created groups in my sudoers file such 
> that I can become root and the DBAs can become oracle (and root for some 
> commands like mount/unmounts) but I need to prevent anybody from logging 
> in as Oracle directly.  In other words, SUDO ONLY.  The easiest way for 
> me to do this is change the oracle user password.  Has anyone else found 
> a more elegant solution?  I'd really like to keep my DBAs in the loop, 
> password-wise, but they don't need the password and I think I can 
> prevent them from changing it.
> 
> Any thoughts?  And no, tcp wrappers doesn't let you filter by username. 
>  Oh that it did.  Also, I'm trying to avoid installing a firewall on my 
> DB, so please, no filter rulesets.
> 
> enjoy,
> wood
> 

-- 
__________________________________________________________
Dow Hurst                  Office: 770-499-3428            *
Systems Support Specialist    Fax: 770-423-6744            *
1000 Chastain Rd. Bldg. 12                                 *
Chemistry Department SC428  Email:   dhurst at kennesaw.edu   *
Kennesaw State University         Dow.Hurst at mindspring.com *
Kennesaw, GA 30144                                         *
************************************************************
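
Added example, not part of either message above: a shell audit for the sudo-only setup Thomas describes, checking that the oracle password is locked in a shadow-format file and listing which sudoers groups may run commands as oracle. The group names dba and sysadmin, the file contents and both function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a "sudo only" service account.
# Every file below is a constructed sample, not real system data.

# Return 0 if ACCOUNT's password field in a shadow-format file is locked
# (starts with '!' or '*'), meaning no typed password can match it.
password_locked() {
    account=$1; shadow=$2
    field=$(awk -F: -v u="$account" '$1 == u { print $2; exit }' "$shadow")
    case $field in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;   # empty, hashed, or account not found
    esac
}

# Print each %group that a sudoers-format file lets run commands as ACCOUNT.
# Only simple rules with a literal "(ACCOUNT)" or "(ALL)" runas are handled.
runas_groups() {
    account=$1; sudoers=$2
    awk -v u="$account" '
        /^[ \t]*#/ { next }
        $1 ~ /^%/ && (index($0, "(" u ")") || index($0, "(ALL)")) {
            print substr($1, 2)
        }
    ' "$sudoers"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

cat > "$demo/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:12563:0:99999:7:::
oracle:!:12563:0:99999:7:::
EOF

cat > "$demo/sudoers" <<'EOF'
# hypothetical groups: dba (the DBAs), sysadmin (the administrator)
%dba       ALL = (oracle) ALL
%dba       ALL = (root) /bin/mount, /bin/umount
%sysadmin  ALL = (ALL) ALL
EOF

if password_locked oracle "$demo/shadow"; then
    echo "oracle: password locked"
else
    echo "oracle: password login still possible"
fi
echo "may sudo to oracle: $(runas_groups oracle "$demo/sudoers" | tr '\n' ' ')"
```

A locked password does not stop logins that use another credential such as an SSH key, so the account's authorized_keys file deserves the same check.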


