ways, but unfortunately both root and the software-owning DB account have total control over the database in nearly
every respect. The only possible exception is reading data where the key is kept off the host, such as in an HSM,
but even then the key can be read from memory and used to decrypt the data, or the data can be read
from the network. Databases such as Sybase attempt to enforce segregation of the SA from the DBA by not providing a
standard method of accessing the DB from the OS. This is quite a good idea from a security perspective but could lead
to false confidence, because the Sybase OS account still has full control over the software and can simply edit the data
files directly. In my view, Oracle's legitimate direct access from Unix actually enables Unix to oversee the security of
the DB, which is a positive. But what about the security of the OS?
The following example illustrates one reason for not giving Oracle DBAs the ability to sudo to root: one can sudo to
root and create a new backdoor account or change the root password.
[oracle@orlin ~]$ sudo vi /etc/passwd
Insert this line:
newuser:x:72782:4195:A New User,, v348001, , 8339105:/home/newuser:/bin/bash
[oracle@orlin ~]$ sudo chmod 777 /etc/shadow
[oracle@orlin ~]$ sudo vi /etc/shadow
[sudo] password for oracle:
root:$6$yisQqyNy$IbBz3XZ7Y86UPM3wGVcMO0QtkbUBoRwfNmIBz4VcWISDtfvNUXkTuxVMqaeD6GNn6fx77z0Xzu5sIAP17Ltnr1:16030:0:99999:7:::
bin:*:15064:0:99999:7:::
daemon:*:15064:0:99999:7:::
snip 8< -----------------
gdm:!!:15282::::::
sshd:!!:15282::::::
tcpdump:!!:15282::::::
oracle:$6$NdvidzKV$cvT3vI6v7tdfiiBChWBMnABWZCie7pvoo5bznv8vsOW8AZ7E5D.MVeqyBf58qzXm6QXqLzCGVqm96olX0SOH60:16070:0:99999:7:::
hsqldb:!!:15314::::::
Insert this line:
newuser:lySmrryhaz11g:14937::::::
[oracle@orlin ~]$ sudo passwd newuser
Changing password for user newuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
After creating a new account, the DBA can log on with the new username. It's even easier to simply change the
root password temporarily to a known value by editing the root line in /etc/shadow. For example, a rogue DBA could
temporarily change the root password to “letmein” as per the new entry in /etc/shadow below:
root:$6$vc/ngDfO$F4eazNYM3VCN0WW2QoSkgMkC/R22NQ/MaQj9DBSiqpYwRtbt98q8PEbj3i0hDbOz6eSa9T2wvdRF4.SZ4D/Oy1:16080:0:99999:7:::
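Both changes shown above (the added newuser entry and the replaced root hash), as well as the chmod 777 on /etc/shadow, can be caught by comparing the file against a trusted baseline. The following is an added example, not code from the original text; the function names, finding labels and the placeholder $6$ hashes are assumptions made for illustration.

```python
import stat

# Constructed samples: the $6$ hashes are placeholders; the newuser line is
# the entry inserted in the session above.
BASELINE = """\
root:$6$saltA$PLACEHOLDER_ROOT_OLD:16030:0:99999:7:::
bin:*:15064:0:99999:7:::
oracle:$6$saltB$PLACEHOLDER_ORACLE:16070:0:99999:7:::
"""
CURRENT = """\
root:$6$saltC$PLACEHOLDER_ROOT_NEW:16080:0:99999:7:::
bin:*:15064:0:99999:7:::
oracle:$6$saltB$PLACEHOLDER_ORACLE:16070:0:99999:7:::
newuser:lySmrryhaz11g:14937::::::
"""

def parse_shadow(text):
    """Return {username: password_field} for each shadow(5) line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            entries[fields[0]] = fields[1]
    return entries

def audit_shadow(baseline_text, current_text, mode):
    """Compare a trusted baseline of /etc/shadow with its current state."""
    findings = []
    if mode & stat.S_IRWXO:  # any 'other' permission bit, e.g. after chmod 777
        findings.append(("WORLD_ACCESSIBLE", "/etc/shadow"))
    old, new = parse_shadow(baseline_text), parse_shadow(current_text)
    for user, pw in new.items():
        if user not in old:
            findings.append(("NEW_ACCOUNT", user))
        elif pw != old[user]:
            # Also fires on a legitimate password change: check change records.
            findings.append(("HASH_CHANGED", user))
        locked = pw.startswith(("*", "!"))
        if not locked and not pw.startswith("$"):
            # No $id$ prefix: traditional DES crypt format or an empty password.
            findings.append(("LEGACY_OR_EMPTY_HASH", user))
    for user in sorted(old.keys() - new.keys()):
        findings.append(("ACCOUNT_REMOVED", user))
    return findings

if __name__ == "__main__":
    for kind, subject in audit_shadow(BASELINE, CURRENT, mode=0o777):
        print(f"{kind}: {subject}")
```

Keep the baseline and run the comparison from a host where the DBA has no sudo rights, since a user with root on the database server can alter anything stored locally.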
Once direct root access is gained, the user may edit the audit trail to remove the record of their actions and install
a rootkit to allow further access without the need for authorization. Note that this could be done by an attacker or by a
currently authorized administrator who would like to save time gaining access in the future and avoid the potential for