Re: [suse-sles-e] sudo and sux (controlling users)

From: Alexei_Roudnev (Alexei_Roudnev_at_exigengroup.com)
Date: Mon Jul 02 2007 - 21:29:02 CEST


Message-ID: <037301c7bcdf$3f2a63a0$7331a8c0@sjc.exigengroup.com>
From: "Alexei_Roudnev" <Alexei_Roudnev@exigengroup.com>
Date: Mon, 2 Jul 2007 12:29:02 -0700
Subject: Re: [suse-sles-e] sudo and sux (controlling users)

It's an interesting question. You can't prevent the Oracle DBA group from
running some things as root.

But they don't need sux. At least I can't understand why they would use 'sux'.
All you need when dealing with Oracle installation
and Oracle patching is to run root.sh scripts as root, and to run system
services as root.

So I'd rather remove sux and su from sudoers for oracle, and keep only
- any script in the Oracle home and in ~oracle
- /etc/init.d scripts.

and allow the oracle user access (oinstall group) to /etc/oratab,
/etc/profile.d/oracle*, /etc/sysctl.conf and /etc/sysconfig.

Of course it is not for system protection - running a root script from
the oracle user is 100% enough to get full root access. But it is for
control and preventing errors. You don't want Oracle users to call the SA for
every system operation such as _editing /etc/oratab, verifying automated Oracle
startup, or running root.sh when applying a patch_ (though it is not a bad
idea to have the sysadmin in the DBA group). But you don't want them to work as
'root' interactively and without control.

So, ask them to use 'sudo' directly for their scripts, for example

  sudo /etc/init.d/oracle stop
  sudo ~oracle/product/10.2.0/db_1/root.sh

allow them to run

  vi /etc/oratab
  vi /etc/profile.d/oracle.sh
  vi /etc/sysconfig/oracle

and then you can remove su and sux from the list.

The other approach is _to make the sysadmin run root scripts_, but it slows
everything down and is not realistic. In reality, you can't distinguish DBA and
sysadmin functions exactly - they are mixed, so it's always a good idea to
have a DBA with (at least basic) sysadmin skills and a sysadmin with (at
least basic) DBA skills. Tuning Oracle - is it DBA? But making LVM stripes
requires a sysadmin; changing the IO elevator config is a sysadmin function, changing
system parameters is sysadmin. Oracle depends on the system, especially when it is
about performance, and vice versa.
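A sudoers fragment along the lines Alexei describes, added here as an illustration and not taken from the thread: the `%dba` group, the `/home/oracle` path and the `/opt/oracle` scripts directory are assumed, and `sudoedit` stands in for the `vi` entries because an editor run as root can spawn a shell, which is exactly the uncontrolled interactive root session the thread wants to avoid.

```sudoers
# --- Weak form (what the DBAs asked for) ---
# Once sux or su hands out an interactive root shell, sudo only logs the
# "sux" invocation; every O/S change made afterwards is invisible to it.
#   %dba  ALL = (root) /usr/bin/sux, /bin/su

# --- Restricted form: named commands only, no shell reachable ---
# Log every sudo invocation to a file the SAs can review (the group
# name, the oracle home path and /opt/oracle are assumptions).
Defaults        logfile=/var/log/sudo.log

Cmnd_Alias ORA_INIT   = /etc/init.d/oracle
# root.sh from the 10.2.0 home plus any script the DBAs drop under
# /opt/oracle. Note: a wildcard path is still full root in practice
# (the DBA controls the script contents); it buys control and an
# audit trail, not protection, as Alexei says.
Cmnd_Alias ORA_ROOTSH = /home/oracle/product/10.2.0/db_1/root.sh, \
                        /opt/oracle/*.sh
# sudoedit copies the file to a temp location, runs the user's editor
# unprivileged and copies it back, so "vi then :!sh" gets no root.
Cmnd_Alias ORA_EDIT   = sudoedit /etc/oratab, \
                        sudoedit /etc/profile.d/oracle.sh, \
                        sudoedit /etc/sysconfig/oracle

# Grant exactly those three aliases. Shells, su and sux are simply not
# listed; do not rely on "!" exclusions, which sudo documents as trivial
# to bypass by copying the excluded binary elsewhere.
%dba    ALL = (root) ORA_INIT, ORA_ROOTSH, ORA_EDIT
```

Validate the file with `visudo -c` before installing it, and remember that this separates the DBAs' routine tasks from interactive root rather than preventing privilege escalation.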

----- Original Message -----
From: "Greg Byrd" <gbyrd@yahoo.com>
To: <suse-sles-e@suse.com>
Sent: Monday, July 02, 2007 9:28 AM
Subject: [suse-sles-e] sudo and sux (controlling users)

Everyone,

Our oracle DBAs requested sux to be added to our sudo
configuration. DBAs and sys admins in our company
have a separation of duties, so SAs are not to make
oracle changes, and DBAs are not to make O/S changes.

With this in mind, in auditing logs I'm finding that
the DBAs are applying O/S patches using sux. Is there
a way I can control their access once they use sudo to
launch sux? Or is my only option to remove their
access to sux via sudo (they do not know the root
password)?

I suspect I know the answer but I wanted to ask others
to get their input.

Thanks in advance,
Greg


---------------------------------------------------------------------
To unsubscribe, e-mail: suse-sles-e-unsubscribe@suse.com
For additional commands, e-mail: suse-sles-e-help@suse.com




This archive was generated by hypermail 2.1.7 : Mon Jul 02 2007 - 23:30:32 CEST