[ale] Access Control Challenge
Thomas Wood
thomaswood at mac.com
Sun May 23 01:20:04 EDT 2004

Having a bit of trouble coming up with a clean solution for this
problem at work. Wanted to see if anybody else had bumped into it.
I've already searched Google and the answers, such as they were, aren't
satisfactory. So here it is.

I'm trying to enforce a little developer control by using sudo to limit
who can be root and oracle. I've created groups in my sudoers file
such that I can become root and the DBAs can become oracle (and root
for some commands like mount/unmounts) but I need to prevent anybody
from logging in as Oracle directly. In other words, SUDO ONLY. The
easiest way for me to do this is change the oracle user password. Has
anyone else found a more elegant solution? I'd really like to keep my
DBAs in the loop, password-wise, but they don't need the password and I
think I can prevent them from changing it.

Any thoughts? And no, TCP wrappers doesn't let you filter by username.
Oh that it did. Also, I'm trying to avoid installing a firewall on my
DB, so please, no filter rulesets.

enjoy,
wood