
Thread: Oracle security issue

  1. #1
    Join Date
    Jan 2006
    Location
    Bangalore,IND
    Posts
    47

    Oracle security issue

    My new security manager came out with findings on a security hole in the database server.

    We are running Oracle 9i on Solaris. I have only the Oracle user for starting all the Oracle processes, and it's under the dba group. He has pointed out that the listeners and dbsnmp processes should be started as two different users, but not as Oracle. Can someone explain to me how this is insecure?

    I frequently change the Oracle user password, and only my database manager and team lead know it other than me. I know this makes sense and I am a little confused. Also, how should I go ahead and do it?

    Thanks for the time!

  2. #2
    Join Date
    Jan 2001
    Posts
    2,828
    I would be very very interested in knowing how this can be insecure.

    You could additionally password protect the listener with a different password than the one you use for logging into the oracle account.
    By password protecting the listener you have one more layer of security, so only an authorised user with a password can STOP it. However, you can start the listener without the need for the password.

    I don't see any issues with your setup. You could ask your Audit manager to clarify how this is a security risk.

    regards
    Hrishy

  3. #3
    The theory is that if someone can remotely exploit dbsnmp, then they would have access to the 'oracle' user -- who owns all of your data. If dbsnmp ran under a different user, they could not (for example) rm -rf /apps/oracle like they could if they were the oracle user.

  4. #4
    Join Date
    Jan 2001
    Posts
    2,828
    Hi

    Is dbsnmp an OS user? I thought it was an Oracle account, and in my place it's locked.

    Besides, even if it's an OS account, I am not sure you can execute rm -f with just dbsnmp, can you?

    regards
    Hrishy
    Last edited by hrishy; 05-30-2007 at 02:53 AM.

  5. #5
    I believe dbsnmp (and definitely the listener) run as the Oracle OS user.

  6. #6
    Join Date
    Jan 2006
    Location
    Bangalore,IND
    Posts
    47
    Oracle processes, listener and dbsnmp run as the Oracle user. How shall I run them as separate users?

    I mean, can I create separate unix users and start the processes, like Oracle for Oracle background processes, tnsuser for listener and Iagent for dbsnmp?

  7. #7
    Join Date
    Jan 2001
    Posts
    2,828
    Hi

    If dbsnmp runs as the oracle user, so what? I don't think this is really a problem.

    regards
    Hrishy

  8. #8
    Join Date
    Nov 2006
    Location
    Sofia
    Posts
    630
    I think you can't. For the listener I can even say why.
    The listener is supposed to start a dedicated server process if you do not use shared servers. To do so, the listener needs access to the Oracle Home and needs to spawn the dedicated server process in the name of the Oracle owner, so...

  9. #9
    Join Date
    Mar 2004
    Location
    DC,USA
    Posts
    650
    ..........

    That's possible. Oracle, tnsuser, Iagent can all be under one group and have the same privileges for the bin files and common profiles that start the processes.
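
A way to check the concern raised in post #3, as an added example that is not part of the original thread: the script reads `ps -eo user,args` output and reports whether the listener and dbsnmp processes run under the same OS account that owns the database files. It assumes the data owner account is named `oracle` and that the processes appear as `tnslsnr` and `dbsnmp`; the sample `ps` lines, including the `product/9.2.0` path, are constructed.

```shell
#!/bin/sh
# Audit which OS account runs the Oracle listener (tnslsnr) and the
# agent (dbsnmp). Input: `ps -eo user,args` output on stdin.
# ORACLE_OWNER is an assumption: the account that owns the datafiles.
# On Solaris, run this with nawk or /usr/xpg4/bin/awk first in PATH.
ORACLE_OWNER="${ORACLE_OWNER:-oracle}"

# Print one line per network-facing process: STATUS EXECUTABLE USER
#   SHARED   = runs as the data owner (a compromise reaches the datafiles)
#   ROOT     = runs as root (worse than sharing the oracle account)
#   SEPARATE = runs under its own account
audit_oracle_procs() {
    awk -v owner="$ORACLE_OWNER" '
    NR == 1 && $1 == "USER" { next }        # skip the ps header line
    {
        user = $1
        n = split($2, parts, "/")           # basename of the executable
        exe = parts[n]
        if (exe == "tnslsnr" || exe == "dbsnmp") {
            status = (user == owner) ? "SHARED" : "SEPARATE"
            if (user == "root") status = "ROOT"
            printf "%s %s %s\n", status, exe, user
        }
    }'
}

# Number of listener/agent processes that are not isolated from the owner.
count_unseparated() {
    audit_oracle_procs | awk '$1 != "SEPARATE" { n++ } END { print n + 0 }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_PS='USER     COMMAND
oracle   ora_pmon_PROD
oracle   ora_dbw0_PROD
oracle   /apps/oracle/product/9.2.0/bin/tnslsnr LISTENER -inherit
oracle   /apps/oracle/product/9.2.0/bin/dbsnmp
tnsuser  /apps/oracle/product/9.2.0/bin/tnslsnr LISTENER2 -inherit'

printf '%s\n' "$SAMPLE_PS" | audit_oracle_procs
# On a live host: ps -eo user,args | audit_oracle_procs
```

A `SEPARATE` result only shows which account the process runs as; as post #8 notes, a listener that spawns dedicated server processes still needs access to the Oracle Home, so file and group permissions have to be reviewed alongside it.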
