Re: using set role command in a logon trigger -- got something implemented - now security question
That's why I said it depends on how sys_context determines the user's
environment module name. If it's simply by program name then it is
obviously very easy as I demonstrated. If it is by the application
module name then it may be more difficult but probably not
impossible. Whatever the application is doing to establish its
sys_context one can likely fake. The biggest hurdle (for a would-be
hacker) is probably to find out what it is that needs to be faked.
At 05:19 AM 4/13/2007, rjamya wrote:
>Wolfgang,
>
>true, but remember, the logon trigger will fire after you login and
>before you get your prompt back to issue the exec
>dbms_application_info command.
>
>Laura,
>
>if you are that worried, revoke dbms_application_info from public
>and grant it at the end of the trigger. Spoofing will require user
>to execute some code, which obviously cannot be done until login
>process is complete.
>
>Am I missing anything?
>rjamya
>
>On 4/12/07, Wolfgang Breitling <breitliw_at_centrexcc.com> wrote:
>
>I am getting out on a limb here to say "most likely yes". How
>difficult it is depends to some degree on how your sys_context
>determines "the users environment module name".
Regards
Wolfgang Breitling
Centrex Consulting Corporation
www.centrexcc.com
--
http://www.freelists.org/webpage/oracle-l
Received on Fri Apr 13 2007 - 08:34:42 CDT