Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
shell compiler
- Thread starter vlz
- Start date
- Thread starter
- #3
- Thread starter
- #5
KenCunningham
Technical User
So you're saying your root user can't be trusted? A strange state of affairs if so!!
I want to be good, is that not enough?
I want to be good, is that not enough?
- Thread starter
- #8
In general, it is not a bad idea to hide passwords from root. I am root all the time, but why i should have knowledge of passwords of other people?. It's bad enough to see all these pop3 passwords in wireshark (the bad thing about it is that people continue to use insecure protocolls).
yai
yai
Quite simply, it is next to imposible to keep things like this from the root user, nor, if you're working on my systems would there be any reason to. If you can't trust the root users then you shouldn't be running your programs on their boxes.
Ceci n'est pas une signature
Columb Healy
KenCunningham
Technical User
As columb says - that's why sys admins are employed in the positions of trust they are.
I want to be good, is that not enough?
I want to be good, is that not enough?
just to get the terms right: do you mean root or god?
Just joking. But if you have a complex tiered environment with a OS-tier, database-tier, application-tier etc. then you should keep rights (and responsibilites) to the respective administrators. root should not be oracle user and sap* at the same time, and must not know their passwords. Exception: if you are the only admin running unix, oracle AND the app, e.g. SAP. Of course can root become oracle and then hack the sap* password (in fact there is an OSS note how to do it), but then it's by intention, and you might be sued for it. Remember: you are the admin, the data belong to somebody else.
Just joking. But if you have a complex tiered environment with a OS-tier, database-tier, application-tier etc. then you should keep rights (and responsibilites) to the respective administrators. root should not be oracle user and sap* at the same time, and must not know their passwords. Exception: if you are the only admin running unix, oracle AND the app, e.g. SAP. Of course can root become oracle and then hack the sap* password (in fact there is an OSS note how to do it), but then it's by intention, and you might be sued for it. Remember: you are the admin, the data belong to somebody else.
yai
I think I meant root (when I'm not smiting the ungodly)!
Seriously I agree, indeed I don't know the Oracle system password, and if I need something done in Oracle I go and talk to my friends over on the DBA team.
The point I was making was that the OP wants to hide passwords and doesn't trust his sysadmins enough to be able to say 'This is a file full of passwords - please help me contol access to it.' I know of several such files on the systems I look after (including one which holds the Oracle system password) and I don't go around reading them any more than I read other peoples mail files. However, if I were the sort who would do that then a)I shouldn't be a sysadmin and b)obfuscating the passwords is extremely difficult and probably wouldn't be enough to stop me.
Ceci n'est pas une signature
Columb Healy
I think I meant root (when I'm not smiting the ungodly)!
Seriously I agree, indeed I don't know the Oracle system password, and if I need something done in Oracle I go and talk to my friends over on the DBA team.
The point I was making was that the OP wants to hide passwords and doesn't trust his sysadmins enough to be able to say 'This is a file full of passwords - please help me contol access to it.' I know of several such files on the systems I look after (including one which holds the Oracle system password) and I don't go around reading them any more than I read other peoples mail files. However, if I were the sort who would do that then a)I shouldn't be a sysadmin and b)obfuscating the passwords is extremely difficult and probably wouldn't be enough to stop me.
Ceci n'est pas une signature
Columb Healy
Ok, so on a more positive note, I agree with geirendre. Personally I liaise with the users to agree to a file in /etc/security (a root only directory on AIX systems) which is read and updated using suitable sudo commands. The update needs a wrapper as vi is unsafe under sudo. The sudo commands then become
Ceci n'est pas une signature
Columb Healy
Code:
%dba myhost = /usr/bin/cat /etc/security/oracle_pwd
%dba myhost = /usr/local/bin/update_pwd_file /etc/security/oracle_pwd *Ceci n'est pas une signature
Columb Healy
>> Sounds like SOx-speak to me. Am I right?
No, it's BSI, as we are located in germany (BSI = Bundesamt für Sicherheit in der Informationstechnik, something like federal office for security in information techniology).
Seems like we found an interesting topic: 15 postings in 2 days. Wow.
Probably there is no big difference between columb and me. Of course you must trust somebody. And of course we WANT TO trust somebody. But people are not just good or bad, theres a big scale in between. And people make mistakes. And, also, it's a good thing for root to be able to say "hey, it wasnt me, i don't even know the password".
- Status
Similar threads
- Locked
- Question