Re: code to load tracefile into CLOB?
From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Thu, 18 Aug 2011 17:47:31 +0100
Message-ID: <4E4D4223.7090905_at_petefinnigan.com>
Hi Jeremy,
It's not really the fact that they can just access bdump/udump; it's what they can dump to there via trace. If you have sweeping access anyway then this interface could potentially allow more.
If you create DIRECTORY objects on bdump/udump think about permissions: don't grant READ to PUBLIC, and don't use utl_file_dir as it's global for all users. Maybe interface the access for them with code that only allows access to certain trace types?
cheers
Pete
Jeremy Schneider wrote:
> Hi Pete - thanks for pointing this out, something I hadn't completely
> thought through yet (and your blog post covers it well).
>
> In this particular case, anybody with a database login already has the
> ability to see all of the data. Most access control is done through a
> middle-tier, and relatively few people actually have database login
> credentials (mainly developers). And since they would only be able to see
> files in the bdump or udump directories, they shouldn't be able to
> manipulate the script to see other OS files which they shouldn't access. So
> I think that in this particular case, the code wouldn't be opening up a new
> security risk... but definitely something I'll keep mulling over.
>
> -J
>
>
> On Thu, Aug 18, 2011 at 9:29 AM, Pete Finnigan <pete_at_petefinnigan.com> wrote:
>
>> Hi Jeremy,
>>
>> There used to be some free PL/SQL code from Miracle - there is a link
>> here http://www.petefinnigan.com/weblog/archives/00000116.htm but it's
>> broken. If anyone from Miracle is on the list perhaps they can advise
>> whether it's still around or not.
>>
>> Obviously also think about the security implications of what you are
>> doing. When someone creates a trace for a specific purpose that's fine
>> but you can also dump lots of other stuff with ALTER SESSION - have a
>> look at this http://www.petefinnigan.com/weblog/archives/00001234.htm
>> for some ideas.
>>
>> cheers
>>
>> Pete
>>
>> Jeremy Schneider wrote:
>>> Just wondering... does anyone out there have a snippet of code that
>>> will load a 10046 trace file from bdump or udump into a LOB? Just
>>> looking for a quick and dirty way to give some developers access to
>>> tracefiles (without requiring unix logins). Didn't see any code samples
>>> with a quick google search, so I'm about to code it myself - just
>>> thought I'd ask first.
>>>
>>> -Jeremy
>>>
>> --
>>
>> Pete Finnigan
>> CEO and Founder
>> PeteFinnigan.com Limited
>>
>> Specialists in database security.
>>
>> Makers of PFCLScan the database security auditing tool.
>> Makers of PFCLObfuscate the tool to protect IPR in your PL/SQL
>>
>> If you need help to audit or secure an Oracle database, please ask for
>> details of our training courses and consulting services
>>
>> Phone: +44 (0)1904 791188
>> Fax : +44 (0)1904 791188
>> Mob : +44 (0)7759 277220
>> email: pete_at_petefinnigan.com
>> site : http://www.petefinnigan.com
>>
>> Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom
>> Company No : 4664901
>> VAT No. : 940668114
>>
>> Please note that this email communication is intended only for the
>> addressee and may contain confidential or privileged information. The
>> contents of this email may be circulated internally within your
>> organisation only and may not be communicated to third parties without
>> the prior written permission of PeteFinnigan.com Limited. This email is
>> not intended nor should it be taken to create any legal relations,
>> contractual or otherwise.
>>
>>
>
>
--
Pete Finnigan
CEO and Founder
PeteFinnigan.com Limited

Specialists in database security.

Makers of PFCLScan the database security auditing tool.
Makers of PFCLObfuscate the tool to protect IPR in your PL/SQL

If you need help to audit or secure an Oracle database, please ask for
details of our training courses and consulting services

Phone: +44 (0)1904 791188
Fax : +44 (0)1904 791188
Mob : +44 (0)7759 277220
email: pete_at_petefinnigan.com
site : http://www.petefinnigan.com

Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom
Company No : 4664901
VAT No. : 940668114

Please note that this email communication is intended only for the
addressee and may contain confidential or privileged information. The
contents of this email may be circulated internally within your
organisation only and may not be communicated to third parties without
the prior written permission of PeteFinnigan.com Limited. This email is
not intended nor should it be taken to create any legal relations,
contractual or otherwise.
--
http://www.freelists.org/webpage/oracle-l

Received on Thu Aug 18 2011 - 11:47:31 CDT
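An added example, not part of the original email and not code from either poster: one way to follow the advice above, with READ on the DIRECTORY object granted only to the owner of a definer-rights wrapper that allowlists the file name and checks for SQL trace content before returning a CLOB. The names TRACE_OWNER, TRACE_VIEWER, UDUMP_DIR and GET_SQL_TRACE, the OS path, and the file-name pattern (server-process traces named `<sid>_ora_<pid>[_<identifier>].trc`) are assumptions made for this sketch.

```sql
-- Added example. TRACE_OWNER, TRACE_VIEWER, UDUMP_DIR and the OS path are hypothetical.
CREATE DIRECTORY udump_dir AS '/path/to/udump';   -- placeholder path
-- Weak setting the email warns against: GRANT READ ON DIRECTORY udump_dir TO PUBLIC;
GRANT READ ON DIRECTORY udump_dir TO trace_owner; -- direct grant, wrapper owner only

CREATE OR REPLACE FUNCTION trace_owner.get_sql_trace(p_file IN VARCHAR2)
  RETURN CLOB
  AUTHID DEFINER   -- callers need EXECUTE only, never READ on the directory
IS
  l_bfile BFILE;
  l_clob  CLOB;
  l_open  BOOLEAN := FALSE;
  l_dest  INTEGER := 1;
  l_src   INTEGER := 1;
  l_ctx   INTEGER := DBMS_LOB.DEFAULT_LANG_CTX;
  l_warn  INTEGER;
BEGIN
  -- Allowlist the name: bare file name only, so no path separators or "..".
  -- Assumed pattern: <sid>_ora_<pid>[_<identifier>].trc
  IF p_file IS NULL
     OR NOT REGEXP_LIKE(p_file, '^[A-Za-z0-9_]+_ora_[0-9]+(_[A-Za-z0-9_]+)?\.trc$') THEN
    RAISE_APPLICATION_ERROR(-20001, 'trace file name not allowed');
  END IF;

  l_bfile := BFILENAME('UDUMP_DIR', p_file);
  DBMS_LOB.FILEOPEN(l_bfile, DBMS_LOB.FILE_READONLY);
  l_open := TRUE;
  DBMS_LOB.CREATETEMPORARY(l_clob, TRUE, DBMS_LOB.SESSION);
  DBMS_LOB.LOADCLOBFROMFILE(l_clob, l_bfile, DBMS_LOB.LOBMAXSIZE,
                            l_dest, l_src, DBMS_LOB.DEFAULT_CSID, l_ctx, l_warn);
  DBMS_LOB.FILECLOSE(l_bfile);
  l_open := FALSE;

  -- Coarse trace-type check (heuristic): require a 10046-style cursor record.
  IF DBMS_LOB.INSTR(l_clob, 'PARSING IN CURSOR #') = 0 THEN
    DBMS_LOB.FREETEMPORARY(l_clob);
    RAISE_APPLICATION_ERROR(-20002, 'not a SQL trace file');
  END IF;
  RETURN l_clob;
EXCEPTION
  WHEN OTHERS THEN
    IF l_open THEN DBMS_LOB.FILECLOSE(l_bfile); END IF;  -- do not leak the file handle
    RAISE;
END get_sql_trace;
/
GRANT EXECUTE ON trace_owner.get_sql_trace TO trace_viewer;
```

The content check is only a heuristic: a session's trace file can hold other dumps alongside its SQL trace records, so the marker shows that a 10046 trace is present, not that nothing else is.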