Re: Breakable

From: uid0at_private
Date: Fri Jan 18 2002 - 12:29:43 PST


    On Thu, 2002-01-17 at 13:47:16 -0500, Jonathan A. Zdziarski wrote...
    
    ; 2. The database comes with a handful of pre-existing "demo" accounts
    ; with preset passwords (e.g. SCOTT/TIGER, and a few others).
    
    True, but linuxes now come with accounts susceptible to being owned by SSHD
    exploits (the "!!" as passwords).
    
    ; 3. Shell commands can by default be executed by a connected sqlplus
    ; user, without any particularly special privileges.  For example:
    ; 
    ; SQL> !pwd
    ; /export/home/jonz
    ; 
    ; SQL> host
    ; $
    
    You're local at this point -- just as you can break out of ftp clients.
    
    ; 4. Auditing is turned off by default
    
    As it is under most UNIXes.
      
    It seems like the whole argument about this is "best practice", and in that 
    regard, no - you shouldn't be putting databases out there UNLESS you have a
    clue. And if not, get owned.
    
    It's one thing to make comments on an end-user operating system such as
    certain Microsoft products (if not all), but Oracle is intended to be run in
    production, on wonderful hardware, with lots of money paid. Surely you
    wouldn't hire some junior administrator to install and configure it. And if
    so, you get what you pay for.
    
    -#0
    
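    The three defaults argued over above (demo accounts with preset passwords, the sqlplus host escape, auditing off) each have a configuration-side check and fix on the database itself, whichever side of the "best practice" argument one takes. The SQL*Plus session below is an added example written for this archive page, not code from either poster, and it assumes an Oracle 8i/9i-era database where the SYSTEM.PRODUCT_USER_PROFILE table exists (it is created by Oracle's pupbld.sql script) and an spfile is in use; the list of demo accounts is constructed from the one account named in the thread, SCOTT, and should be extended with whatever other demo users the installation created.

```sql
-- Run as SYS or SYSTEM. Added example; see the lead-in for assumptions.

-- 1. Find demo accounts that are still open. ACCOUNT_STATUS shows
--    OPEN / LOCKED / EXPIRED, so an OPEN row here is the finding.
--    The IN-list is constructed: SCOTT is from the thread, add others as needed.
SELECT username, account_status, created
  FROM dba_users
 WHERE username IN ('SCOTT')
 ORDER BY username;

-- 2. Lock the demo account and replace the well-known password so the
--    account cannot be used even if it is unlocked again later.
ALTER USER scott ACCOUNT LOCK;
ALTER USER scott IDENTIFIED BY "CHANGE_ME_placeholder_password";  -- placeholder

-- 3. Disable the HOST escape (which also covers the "!" form shown in the
--    thread) for every SQL*Plus user via the product user profile.
--    '%' in USERID is the documented wildcard for all users.
INSERT INTO system.product_user_profile
       (product, userid, attribute, char_value)
VALUES ('SQL*Plus', '%', 'HOST', 'DISABLED');
COMMIT;

-- 4. Check whether auditing is on. A value of NONE means the thread's
--    item 4 still applies; DB or OS means the audit trail is being written.
SELECT name, value
  FROM v$parameter
 WHERE name = 'audit_trail';

-- Turn it on (requires an spfile and an instance restart to take effect).
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
```

    The profile row in step 3 only restricts SQL*Plus; it does not stop a user with OS-level access from running commands some other way, which is the reply's point that "you're local at this point". The value of the row is that a remote sqlplus user with nothing but the demo credentials no longer gets a shell on the database host for free.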

    This archive was generated by hypermail 2b30 : Mon Jan 21 2002 - 16:01:08 PST