Home » RDBMS Server » Security » How to stop self password rotation ? (oracle 11gr2 linux 6.2 ( Amazon rds ) )
| How to stop self password rotation ? [message #628167] |
Thu, 20 November 2014 14:30  |
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
|
Senior Member |
|
|
Team,
The profile setting PASSWORD_VERIFY_FUNCTION is set to NULL value, we are not using any verify function and at the same time, we would like to stop the self password rotation using alter user command.
>show user
u001
alter user u001 identified by "Password123#";
Is there any alternate way to achive this without using password verify function in the profile for the above user ?
We are using Amazon RDS Oracle instance. We don't have access to SYS and cannot edit those password verify function which is available in rds instnace.
Regards,
siva
|
|
|
|
|
|
| Re: How to stop self password rotation ? [message #628173 is a reply to message #628171] |
Thu, 20 November 2014 15:14  |
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
|
Senior Member |
|
|
Hi Mike,
PASSWORD_REUSE_MAX - defines the number of password changes required. We have currently set PASSWORD_REUSE_MAX = UNLIMITED & PASSWORD_REUSE_TIME = UNLIMITED. We would like to reuse the same password and hence this settting. Keeping a non-zero value to eigher of this parameter and rest is set to UNLIMITED -> will force the password cannot be reused.
As per your below message, what value I can configure at this point of time. if end user trying to rotate their own password, they should get error.
Please advise.
Thank you very much
|
|
|
|
|
|
|
|
| Re: How to stop self password rotation ? [message #628230 is a reply to message #628179] |
Fri, 21 November 2014 09:13 |
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
|
Senior Member |
|
|
Hi Mike,
reusing the same password is not my actual question. Yes,we can restricting user to reuse same password.
my question is -
I need to restrict user to change their own password. In below, "u001" changing his own password. We need to restrict that. U001 should not be able to change his password. In our user management model, we have given option to change the password in our vpcx console. In the backend, below "alter user" command is getting executed by
rds master user ( in AWS, SYS is restricted and instead this master user is given to customer ). For every db user, our vpcx team maintains metadata which includes the password. At this time, if u001 connects datbase and changes his password, then new password will not be in sync with metadata. This is what we have implemnted as per our client requriement and hence would like to restrict below action
>show user
u001
alter user u001 identified by "Password123#";
Please advise is there any way to restrict ? (password verify funtion is not associated with the profile for this user "u001" because our vpcx team genrate the password randomly ) .
Thank you
kesavan
|
|
|
|
|
|
|
|
|
|
| Re: How to stop self password rotation ? [message #628245 is a reply to message #628241] |
Fri, 21 November 2014 13:25 |
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
|
Senior Member |
|
|
Thank you Mike
I am checking to implement trigger. i am sure the password is not shared to any other team. Only accoutn owner can see the password and change it at any point of time and shares the new password to the user. User creation, drop, password reset & unlock - these action are done by accoutn owner ( for all users in that account ) and hence we want to restrict the password change by own. it should be done only by account owner ( in the backend, we use master user to do any action done by account owner )
Thank you very much
kesavan
|
|
|
|
|
|
|
|
| Re: How to stop self password rotation ? [message #628378 is a reply to message #628246] |
Mon, 24 November 2014 10:30 |
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
|
Senior Member |
|
|
Hi Mike,
As per client requirement, it is designed in that way. Accoutn owner maintains password roatation ( from his console ) for all users in his account.
I have further written below trigger. This triggers 100% stops all user ( other than rds master user ) from changing their own password. But since this is BEFORE type trigger and event is ALTER and ora_dict_obj_type = 'USER', this trigger gets executed and gives below error even if any user having ALTER USER permission and trying to change default tablespace using ALTER USER command. This trigger should get execute only for password change using ALTER USER command..
create or replace trigger alter_pwd_trigger
before alter
on database
declare
begin
if (ora_dict_obj_type = 'USER') and ( ora_dict_obj_name != 'RDS_MASTER_USER') then
raise_application_error(-20010,'you cannot change your own password');
end if;
end;
/
TEST01 trying to change own password, but due to trigger, it fails:
SQL> show user
USER is "TEST01"
SQL> alter user test01 identified by "Test5523#";
alter user test01 identified by "Test5523#"
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20010: you cannot change your own password
ORA-06512: at line 5
SQL> alter user u101 default tablespace schema1_tblspace;
alter user u101 default tablespace schema1_tblspace
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20010: you cannot change your own password
ORA-06512: at line 5
Thank you
kesavan
|
|
|
|
|
|
| Re: How to stop self password rotation ? [message #628645 is a reply to message #628379] |
Wed, 26 November 2014 13:41 |
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
|
Senior Member |
|
|
Hi Mike,
Thank you very much for providing link to refer.
Now I have written below trigger and this trigger does the check as expected. But I need to protect this trigger from other users.
Any DB users ( other than MASTERUSER ) shuld not be able to execute CREATE / ALTER / DROP commands against this trigger. If anyone tried, then I need to raise error to them even if the user has CREATE ANY TRIGGER, ALTER ANY TRIGGER & DROP ANY TRIGGER privileges.
create or replace trigger alter_pwd_trigger
before alter
on database
declare
begin
if ( ora_sysevent='ALTER') and (ora_dict_obj_type = 'USER') and ( ora_des_encrypted_password is not null ) then
if ( ora_login_user NOT IN ('MASTERUSER','SYS','SYSTEM','RDSADMIN' )) and ( ora_dict_obj_name = 'MASTERUSER') then
raise_application_error(-20010,'you cannot change rds master user password');
elsif ( ora_login_user NOT IN ('MASTERUSER','SYS','SYSTEM','RDSADMIN' )) and ( ora_dict_obj_name NOT IN ('MASTERUSER','SYS','SYSTEM','RDSADMIN' )) then
raise_application_error(-20010,'you cannot change your own password or others password');
end if;
end if;
end;
/
--below trigger i have written, it is not working as expected:
create or replace trigger protect_alter_pwd_trigger
before create or atler or drop on database
declare
begin
IF (ora_login_user != 'MASTERUSER') THEN
if (ora_dict_obj_owner = 'MASTERUSER') and (ora_dict_obj_name = 'ALTER_PWD_TRIGGER') then
raise_application_error(-20010, 'You are not authorized to perform DDL on this trigger..');
END IF;
end if;
END;
/
Thank you
kesavan
[Updated on: Wed, 26 November 2014 13:44] Report message to a moderator |
|
|
|
|
|
| Re: How to stop self password rotation ? [message #628655 is a reply to message #628651] |
Wed, 26 November 2014 14:57 |
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
|
Senior Member |
|
|
Hi Mike,
There is one user TEST01. DROP ANY TRIGGER is granted to this user. After creating belwo trigger, it should give error as per the trigger. since ora_login_user is TEST01, error should get raise. I created another user TEST02 and I did not grnat DROP ANY TRIGGER permisison to TEST02. h'ever when TEST02 connect and tried to drop the trigger ALTER_PWD_TRIGGER, it gives insufficient privilege error instead of the error specified in the trigger "protect_alter_pwd_trigger".
SQL> show user
USER is "TEST01"
SQL> drop trigger masteruser.alter_pwd_trigger;
Trigger dropped.
create or replace trigger protect_alter_pwd_trigger
before create or atler or drop on database
declare
begin
IF (ora_login_user != 'MASTERUSER') THEN
if (ora_dict_obj_owner = 'MASTERUSER') and (ora_dict_obj_name = 'ALTER_PWD_TRIGGER') then
raise_application_error(-20010, 'You are not authorized to perform DDL on this trigger..');
END IF;
end if;
END;
/
Please guid me on the syntax error if any.
Thank you
|
|
|
|
|
|
| Re: How to stop self password rotation ? [message #628662 is a reply to message #628656] |
Wed, 26 November 2014 15:54 |
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
|
Senior Member |
|
|
Mike, i corrected that mistake and retried. H'ever error ( as per hte trigger ) is not raised and user who has DROP ANY TRIGGER abel to drop the trigger.
SQL> create or replace trigger protect_alter_pwd_trigger
2 before create or alter or drop on database
3 declare
4 begin
5 IF (ora_login_user != 'MASTERUSER') THEN
6 if (ora_dict_obj_owner = 'MASTERUSER') and (ora_dict_obj_name = 'ALTER_PWD_TRIGGER') then
7 raise_application_error(-20010, 'You are not authorized to perform DDL on this trigger..');
8 END IF;
9 end if;
10 END;
11 /
Trigger created.
SQL> drop trigger masteruser.alter_pwd_trigger;
Trigger dropped.
I tried to print the value of "ora_dict_obj_owner" & "ora_dict_obj_name". but it is not getting printed.
I guess these 2 values not captured. I am not sure for which ora_dict_obj_type, these 2 values can be captured.
or the reason may be as this is a database level trigger, one specific object ( trigger: ALTER_PWD_TRIGGER ) cannot be referenced in this trigger ?
SQL> set serveroutput on
SQL> declare
2 begin
3 IF (ora_login_user != 'MASTERUSER') THEN
4 if (ora_dict_obj_owner = 'MASTERUSER') and (ora_dict_obj_name = 'ALTER_PWD_TRIGGER') then
5 dbms_output.put_line(ora_dict_obj_owner);
6 dbms_output.put_line(ora_dict_obj_name);
7 raise_application_error(-20010, 'You are not authorized to perform DDL on this trigger..');
8 END IF;
9 end if;
10 END;
11 /
PL/SQL procedure successfully completed.
ora_dict_obj_name
ora_dict_obj_owner
ora_dict_obj_type.
\\\\\\\\\\\\\\\\\\\\\
JUST ADDING MY TRACE
\\\\\\\\\\\\\\\\\\\\\
creating one log table and ddl trigger as user TEST01. After creating i am performing CREATE TABLE AND ALTER TABLE and checking informations are captured in log table.
---log table
create table log
( operation varchar2(25),
owner varchar2(25),
name varchar2(25),
extra varchar2(4000) );
create or replace trigger ddl_trigger
before create or alter or drop on SCHEMA
declare
l_sysevent varchar2(25);
begin
select ora_sysevent into l_sysevent from dual;
if ( l_sysevent in ('DROP','CREATE') )
then
insert into log
select ora_sysevent, ora_dict_obj_owner,
ora_dict_obj_name, null
from dual;
commit;
end if;
end;
/
Further i wnated to create one table and check whther it is captured in the log table created above.
create table t ( x int );
alter table t add y int;
select * from log;
---trace
SQL> show user
USER is "TEST01"
SQL> create table log
2 ( operation varchar2(25),
3 owner varchar2(25),
4 name varchar2(25),
5 extra varchar2(4000) );
Table created.
SQL> create or replace trigger ddl_trigger
2 before create or alter or drop on SCHEMA
3 declare
4 l_sysevent varchar2(25);
5 begin
6 select ora_sysevent into l_sysevent from dual;
7
8 if ( l_sysevent in ('DROP','CREATE') )
9 then
10 insert into log
11 select ora_sysevent, ora_dict_obj_owner,
12 ora_dict_obj_name, null
13 from dual;
14 commit;
15 end if;
16 end;
17 /
Trigger created.
SQL> create table t ( x int );
Table created.
SQL> alter table t add y int;
Table altered.
SQL> select * from log;
no rows selected [Updated on: Wed, 26 November 2014 19:01] Report message to a moderator |
|
|
|
| Re: How to stop self password rotation ? [message #628679 is a reply to message #628662] |
Thu, 27 November 2014 00:29 |
 |
Michel Cadot
Messages: 68732
Registered: March 2007
Location: Saint-Maur, France, https...
|
Senior Member
Account Moderator |
|
|
Quote:H'ever error ( as per hte trigger ) is not raised and user who has DROP ANY TRIGGER abel to drop the trigger.
I bet you use SYS for this test.
Other test:
SQL> create table log
2 ( operation varchar2(25),
3 owner varchar2(25),
4 name varchar2(25),
5 extra varchar2(4000) );
Table created.
SQL> create or replace trigger ddl_trigger
2 before create or alter or drop on SCHEMA
3 declare
4 l_sysevent varchar2(25);
5 begin
6 select ora_sysevent into l_sysevent from dual;
7
8 if ( l_sysevent in ('DROP','CREATE') )
9 then
10 insert into log
11 select ora_sysevent, ora_dict_obj_owner,
12 ora_dict_obj_name, null
13 from dual;
14 commit;
15 end if;
16 end;
17 /
Trigger created.
SQL> create table t ( x int );
create table t ( x int )
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-04092: cannot COMMIT in a trigger
ORA-06512: at line 12
So you don't tell all the truth.
Post the result of:
|
|
|
|
| Re: How to stop self password rotation ? [message #629467 is a reply to message #628679] |
Tue, 09 December 2014 09:49 |
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
|
Senior Member |
|
|
Hi Mike,
Sorry for the delay. I have written below trigger which works finally. I need to raise custom error message if any user tries to recreate/alter/drop this trigger.
create or replace trigger alter_pwd_trigger
before alter
on database
declare
begin
if ( ora_sysevent='ALTER') and (ora_dict_obj_type = 'USER') and ( ora_des_encrypted_password is not null ) then
if ( ora_login_user NOT IN ('MASTERUSER','SYS','SYSTEM' )) and ( ora_dict_obj_name = 'MASTERUSER') then
raise_application_error(-20010,'you cannot change rds master user password');
elsif ( ora_login_user NOT IN ('MASTERUSER','SYS','SYSTEM' )) and ( ora_dict_obj_name NOT IN ('MASTERUSER','SYS','SYSTEM' )) then
raise_application_error(-20010,'you cannot change your own password or others password');
end if;
end if;
end;
/
But i am not able to capture this trigger name ( "alter_pwd_trigger" ) as variable ora_dict_obj_name and object type as trigger ( i.e. ora_dict_obj_type = 'TRIGGER' ).
create or replace trigger protect_alter_pwd_trigger
before create or alter or drop on database
declare
begin
IF (ora_login_user != 'MASTERUSER') THEN
if (ora_dict_obj_owner = 'MASTERUSER') and (ora_dict_obj_name = 'ALTER_PWD_TRIGGER') then
raise_application_error(-20010, 'You are not authorized to perform DDL on this trigger..');
END IF;
end if;
END;
/
My oracle version: 11.2.0.4.3 linux 6.3. this is aws rds Oracle instance.
Thank you
kesavan
|
|
|
|
|
|
| Re: How to stop self password rotation ? [message #629476 is a reply to message #629470] |
Tue, 09 December 2014 11:02 |
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
|
Senior Member |
|
|
Hi Mike,
i was coming to say the 2nd trigger ( "protect_alter_pwd_trigger" ) is not raising the error message as written inside.
create or replace trigger protect_alter_pwd_trigger
before create or alter or drop on database
declare
begin
IF (ora_login_user != 'MASTERUSER') THEN
if (ora_dict_obj_owner = 'MASTERUSER') and (ora_dict_obj_name = 'ALTER_PWD_TRIGGER') then
raise_application_error(-20010, 'You are not authorized to perform DDL on this trigger..');
END IF;
end if;
END;
/
the error message - 'You are not authorized to perform DDL on this trigger..' should get raise. but it is not getting raised.
I am passing ora_dict_obj_owner = 'MASTERUSER' & ora_dict_obj_name = 'ALTER_PWD_TRIGGER' - which is not being considered. Am I using wrong parameter or ?
Please guide me
Thank you
kesavan
|
|
|
|
|
|
|
|
| Re: How to stop self password rotation ? [message #635936 is a reply to message #635733] |
Mon, 13 April 2015 07:07 |
Roachcoach
Messages: 1576
Registered: May 2010
Location: UK
|
Senior Member |
|
|
What happens when someone modifies/drops the trigger protecting the trigger, then changes the trigger?
Are you going to have triggers protecting triggers protecting triggers protecting triggers protecting triggers protecting triggers protecting triggers protecting triggers protecting triggers protecting triggers? 
Methinks the whole architectures needs a bit of a rethink...
[Updated on: Mon, 13 April 2015 07:08] Report message to a moderator |
|
|
|
| Re: How to stop self password rotation ? [message #635938 is a reply to message #635733] |
Mon, 13 April 2015 07:09 |
Bill B
Messages: 1971
Registered: December 2004
|
Senior Member |
|
|
Bill B wrote on Tue, 07 April 2015 15:53Just curious, why not use the password verification function. Simply check who USER is and fail the validation if it is not the MASTER account or SYS or SYSTEM?
ONCE AGAIN, DON'T USE TRIGGERS. Use a password verification procedure. Only a dba account can alter it.
|
|
|
|
Goto Forum:
Current Time: Sat Feb 01 21:38:45 CST 2025
|
] 
Blog
Search
Help
Members
Register
Login
Home
