RE: Privileges by session
Date: Wed, 13 Jan 2010 11:07:19 +0100
Message-ID: <4814386347E41145AAE79139EAA398980DC60DCF71_at_ws03-exch07.iconos.be>
Checking the name of the application is pointless as it is so easy to fool. You only need to change the name of the application:
C:\>rename c:\oracle\product\10.2.0\client_1\BIN\sqlplus.exe sqlplus2.exe
C:\>sqlplus2 sys_at_gunnar.dargo.farscape as sysdba
SQL*Plus: Release 10.2.0.1.0 - Production on Wed Jan 13 11:04:51 2010
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning and Data Mining options
INSTANCE_NAME    HOST_NAME                      STATUS
---------------- ------------------------------ ------------
GUNNAR           dargo.farscape                 OPEN
sys_at_GUNNAR> select program from v$session where sid = (select distinct sid from v$mystat);
PROGRAM
sqlplus2.exe
regards,
Freek D'Hooge
Uptime
Oracle Database Administrator
email: freek.dhooge_at_uptime.be
tel +32(0)3 451 23 82
http://www.uptime.be
disclaimer: www.uptime.be/disclaimer
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Yechiel Adar
Sent: Tuesday 12 January 2010 18:40
To: jkstill_at_gmail.com
Cc: wblanchard_at_societyinsurance.com; oracle-l_at_freelists.org
Subject: Re: Privileges by session
Sure, but:
1) How many are worth employment? :-)
2) Adding a check on the source, which should be production servers that the developers have no access to, will help.
Adar Yechiel
Rechovot, Israel
Jared Still wrote:
On Tue, Jan 12, 2010 at 4:54 AM, Yechiel Adar <adar666_at_inter.net.il> wrote:
2) Put in a login trigger that will fail all logons with the application user but from other programs like SQLPLUS or TOAD.
Any developer worth employing can circumvent a trigger that checks executable names.
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
Oracle Blog: http://jkstill.blogspot.com
Home Page: http://jaredstill.com
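As an added example (not code from any poster in this thread), here is a logon trigger along the lines of Yechiel's point 2: it gates the application account on the connection's network source, which the listener records, rather than on the client-supplied program name that Freek shows is trivially renamed. The account name APP_USER and the 10.0.0.0/24 application-server range are assumed values.

```sql
-- Added example, not from the thread. Assumed: the application connects as
-- APP_USER and its servers live in 10.0.0.0/24 (constructed values).
CREATE OR REPLACE TRIGGER app_user_logon_guard
AFTER LOGON ON DATABASE
DECLARE
  v_user   VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_ip     VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_module VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'MODULE');
BEGIN
  IF v_user = 'APP_USER' THEN
    -- Weak control, shown only for contrast: MODULE and v$session.program
    -- are set by the client (OCI attributes / DBMS_APPLICATION_INFO), so a
    -- renamed sqlplus.exe or any custom client passes a check like this.
    -- IF UPPER(v_module) LIKE '%SQL%PLUS%' THEN ...   (deliberately unused)

    -- Stronger control: the peer address is taken from the network layer by
    -- the listener, not from anything the client program reports about itself.
    -- IP_ADDRESS is NULL for local bequeath/IPC connections, which we also
    -- deny here because developers should have no shell on production hosts.
    IF v_ip IS NULL OR v_ip NOT LIKE '10.0.0.%' THEN
      RAISE_APPLICATION_ERROR(-20001,
        'APP_USER may only connect from application servers (source: '
        || NVL(v_ip, 'local') || ')');
    END IF;
  END IF;
END;
/
```

Note that raising an error in an AFTER LOGON trigger does not stop users holding ADMINISTER DATABASE TRIGGER (SYS and DBAs), so this protects the application account, not privileged ones, and the source check is only as strong as the network segmentation between developer workstations and the application servers.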
--
http://www.freelists.org/webpage/oracle-l
Received on Wed Jan 13 2010 - 04:07:19 CST