Accessing Oracle DB from UNIX OS [message #601232] Mon, 18 November 2013 15:14
chbrandt
Messages: 3
Registered: November 2013
Junior Member
I work on Oracle DB access testing as a part of annual audits and had a question that was outside of my knowledge area. I've always been told that you should look at access to an application, the DB that supports it, and the OS boxes that the App and DB sit on. Specifically, I've been told that if you have an account on the OS, want to do harm, and know what you're doing, that you could technically access the Oracle DB with the right tools, even if you don't have an account on the Oracle DB. Is this true? If so, how can I explain how this is possible? It seems like if you really did have access to the OS that you'd be able to somehow get into the DB, although you might be looking at fragmented data that you couldn't make sense of. I've searched on Oracle's docs and only found that they suggest locking down the OS accounts to the minimum privileges necessary for users to do their job, but I couldn't find exactly why. Thanks in advance for your reply.
Re: Accessing Oracle DB from UNIX OS [message #601234 is a reply to message #601232] Mon, 18 November 2013 15:21
BlackSwan
Messages: 26766
Registered: January 2009
Location: SoCal
Senior Member
If I have physical access to the DB Server, then I can take over the Oracle Database.
With physical access I can obtain "root" access to the system.
While logged onto the OS as root, I can create an OS account in the "dba" group.
When I am logged onto the OS & a member of the "dba" group, I can do as below:
sqlplus / as sysdba
At this point in time I am now logged into the database as SYS user.
Re: Accessing Oracle DB from UNIX OS [message #601235 is a reply to message #601234] Mon, 18 November 2013 15:24
chbrandt
Messages: 3
Registered: November 2013
Junior Member
That's what I figured. Can you give more detail on what someone would do with OS access to take over the Oracle DB? Not exactly HOW you do it, because I don't need to be able to do it, I just need to be able to explain the risk and how someone might go about it. Thanks again!
Re: Accessing Oracle DB from UNIX OS [message #601287 is a reply to message #601235] Tue, 19 November 2013 04:03
cookiemonster
Messages: 13917
Registered: September 2008
Location: Rainy Manchester
Senior Member
Doesn't BlackSwan's post answer your questions?
If you can log onto the server as either root or a user in the dba group then you can log onto the DB as sys.
Sys can do anything.
Re: Accessing Oracle DB from UNIX OS [message #601313 is a reply to message #601287] Tue, 19 November 2013 09:31
chbrandt
Messages: 3
Registered: November 2013
Junior Member
That answers the question of whether or not it's possible, yes. My issue is, the OS Administrator I'm working with says no, this isn't possible the way they have their OS/DB configured and basically says 'How?' when I tell her that her OS users could access the DB. She would first say that a regular user on the OS couldn't 'obtain root access' and she would then say that 'root users cannot access/modify the Oracle DB'. While I think she's wrong, it's tough to just say no, I'm not, you are. Thanks!
Re: Accessing Oracle DB from UNIX OS [message #601316 is a reply to message #601313] Tue, 19 November 2013 10:09
BlackSwan
Messages: 26766
Registered: January 2009
Location: SoCal
Senior Member
On my DB Server systems, only I (the DBA) can log onto the OS.
The OS Administrator configures the basic OS & provides me the root password.
I then change the root password so the OS Administrator cannot log in again.
Re: Accessing Oracle DB from UNIX OS [message #601319 is a reply to message #601313] Tue, 19 November 2013 10:30
cookiemonster
Messages: 13917
Registered: September 2008
Location: Rainy Manchester
Senior Member
chbrandt wrote on Tue, 19 November 2013 15:31
She would first say that a regular user on the OS couldn't 'obtain root access'

Fair enough, but what you need isn't really root; it's a user in the dba group (like the oracle user). Root just gives you a way to access/create such an account. If people have access to an OS account in the dba group (they shouldn't, but you need to check) then root is unnecessary.
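
An added example, not written by any poster in this thread: a shell check an auditor could use for the "you need to check" point above, listing which OS accounts are in the group that allows `sqlplus / as sysdba`. It assumes the group is named dba as in the thread; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: which OS accounts are in the group that permits
# "sqlplus / as sysdba"? Membership comes from the group file's member list
# (field 4) and from accounts whose primary GID (passwd field 4) is the group.

# group_members GROUP GROUP_FILE PASSWD_FILE -> one account per line
group_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2")
    [ -n "$gid" ] || return 1          # group not defined in GROUP_FILE
    {
        awk -F: -v g="$1" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$2"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# login_capable GROUP GROUP_FILE PASSWD_FILE -> members with a usable shell
login_capable() {
    group_members "$1" "$2" "$3" | while read -r user; do
        shell=$(awk -F: -v u="$user" '$1 == u { print "s:" $7; exit }' "$3")
        case "$shell" in
            ""|*/nologin|*/false) ;;   # no passwd entry, or a non-login shell
            *) echo "$user" ;;         # an empty shell field means default sh
        esac
    done
}

# write_sample DIR: constructed sample files, not real system data
write_sample() {
    cat > "$1/group" <<'EOF'
dba:x:502:oracle,jsmith
oinstall:x:501:oracle
users:x:100:jsmith,akhan
EOF
    cat > "$1/passwd" <<'EOF'
oracle:x:500:501:Oracle owner:/home/oracle:/bin/bash
jsmith:x:1001:100:J Smith:/home/jsmith:/bin/bash
akhan:x:1002:100:A Khan:/home/akhan:/bin/bash
backup:x:1003:502:Backup job:/var/backup:/sbin/nologin
EOF
}

sample=$(mktemp -d)
write_sample "$sample"
echo "dba members:"; group_members dba "$sample/group" "$sample/passwd"
echo "can log in:";  login_capable dba "$sample/group" "$sample/passwd"
rm -rf "$sample"
```

On a live server, pass `/etc/group` and `/etc/passwd`, or files saved from `getent group` and `getent passwd` when accounts come from LDAP or NIS.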