Read-only bind mounting your ORACLE_HOME

When checking the file system layout in my last blog post, "Oracle DbNest file system isolation : pivot root/ bind mount", something caught my attention. Even though in Oracle 20c a read-only Oracle home is the way to go by default, and DbNest is there to provide file system isolation (besides many other things), the Oracle home is not mounted read-only by default (DBNEST_PDB_FS_CONF not set) in the new nest mount namespace!

This is curious, because a malicious user on a compromised PDB can exploit that and impact the whole environment.


Oracle DbNest file system isolation : pivot root/ bind mount

In my previous blog post, "A first hands on Oracle 20C DbNest (Preview)", I encountered some problems when trying to start the PDB nest with the default internal path (parameter DBNEST_PDB_FS_CONF not set), so I was forced to use a custom file system configuration file with the directive "DBNEST_NO_FS_ROOT_MODE" to be able to start it.

It's time to take a look at what's going on and what the problem was!


Oracle DbNest and Network isolation/Namespace

In my previous articles we have seen how Oracle DbNest takes advantage of the underlying Linux namespace features to enhance database security. We have taken a closer look at the user, mount and pid namespaces, as they are the ones used by default when enabling DbNest. But it seems that there is more (neither documented nor enabled by default)!

When taking a look at the dbnest and oracle binaries, it seems that we can get better isolation by taking advantage of the network namespace, even if it's not enabled by default (maybe in a future release!).

First things first, let's take a closer look at the network namespace!
