One of the nicer little features of 9i is that those accounts come
"locked" when you build the database. The set of privileges for each
has also been greatly restricted.
- Stephane Faroult <sfaroult_at_oriole.com> wrote:
> "Deshpande, Kirti" wrote:
> >
> > We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do
> > this, but we have to, and that's another topic...
> >
> > We also use a specific auth prefix.
> >
> > Now, can someone show me how a Windoze user, 'GOD', gets in the database when
> > I do not have a user, '<Auth_Prefix>GOD' in my database.
> >
> > I say, I have nothing to worry about this setup as long as 'GOD' user in my
> > database is controlled appropriately via roles, grants, profile etc....
> >
> > Sure, if I had <auth_prefix>GOD in the database, I will be looking for
> > another job....
> > Right?
> >
> > - Kirti
> >
>
> The problem as I see it is that it's fairly easy to get the names of
> users on a database. The number of databases you can connect to using
> dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can
> query ALL_USERS. I must say that I am truly hopeless with any Microsoft
> OS, so you could safely leave me with admin rights on the box when I feel
> at my most mischievous. But imagine I come with Linux on my laptop, I
> plug (like many 'nomad' users often do) into your network, manage to
> connect (as a less-than-nothing user), check the user list, spot
> something looking like a prefix, and use this information to add with
> linuxconf a suitably named account to my machine? I am certain that in
> your case everything is correctly fenced, but I have met many many many
> databases where the standard in terms of grants was 'TO PUBLIC', and
> where database links were PUBLIC as well, and usually connected to the
> other database as the owner of most tables (even as DBA).
> IMHO, if you really want to be secure, you must first know Oracle and
> your environment well, and also audit sensitive information.
>
> --
> Regards,
>
> Stephane Faroult
> Oriole Ltd
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Stephane Faroult
> INET: sfaroult_at_oriole.com
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
--
Author: Rachel Carmichael
INET: wisernet100_at_yahoo.com
Received on Thu Jan 31 2002 - 09:08:16 CST
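
The checks the thread points at (REMOTE_OS_AUTHENT and its prefix, open default accounts, PUBLIC database links, grants TO PUBLIC) can be pulled from the data dictionary. The queries below are an added example, not part of the original messages; they assume a 9i-era dictionary where externally identified users show PASSWORD = 'EXTERNAL' in DBA_USERS, and a session allowed to read the DBA_* views and V$PARAMETER.

```sql
-- Added audit example (not from the thread). Assumes access to DBA_* views
-- and V$PARAMETER. On releases where DBA_USERS has AUTHENTICATION_TYPE,
-- filter on that column instead of PASSWORD = 'EXTERNAL'.

-- 1. Is remote OS authentication enabled, and which prefix is in use?
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Externally identified accounts: the names a client-side OS user
--    could match once the prefix is applied.
SELECT username, account_status, profile
  FROM dba_users
 WHERE password = 'EXTERNAL'
 ORDER BY username;

-- 3. What those accounts can do: roles and system privileges.
SELECT u.username, 'ROLE' AS kind, r.granted_role AS granted
  FROM dba_users u, dba_role_privs r
 WHERE u.password = 'EXTERNAL' AND r.grantee = u.username
UNION ALL
SELECT u.username, 'SYSPRIV', s.privilege
  FROM dba_users u, dba_sys_privs s
 WHERE u.password = 'EXTERNAL' AND s.grantee = u.username
 ORDER BY 1, 2, 3;

-- 4. Default accounts named in the thread that are not locked.
--    Status only: whether the default password was changed is a separate check.
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('DBSNMP', 'OUTLN')
   AND account_status = 'OPEN';

-- 5. PUBLIC database links and the remote account each one connects as.
SELECT db_link, username AS remote_user, host
  FROM dba_db_links
 WHERE owner = 'PUBLIC';

-- 6. Object privileges granted TO PUBLIC on application schemas, by owner.
SELECT owner, privilege, COUNT(*) AS grants
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM')
 GROUP BY owner, privilege
 ORDER BY grants DESC;
```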