
RE: strt<SID>.cmd security hole??

From: Rodd Holman <rodney.holman_at_lodgenet.com>
Date: Thu, 26 Jul 2001 06:09:08 -0700
Message-ID: <F001.00355E26.20010726061553@fatcity.com>

Comments have been made about going to UNIX and setting it to 700. Same idea on NT is to right-click on the file and change its properties. On the Security tab, lock down the permissions so Administrator and Oracle are the only ones who can read, execute, or modify the file. Although creating an externally identified user will remove the need for the password in the file.

Rodd

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 7/26/01, 8:38:31 AM, "Farnsworth," Dave <DFarnsworth_at_Ashleyfurniture.com> wrote regarding RE: strt<SID>.cmd security hole??:

> After doing more research on this, this file is required if you want to have
> the autostart of an oracle service to happen. Autostart does not work
> without this file present. Version 8.1.5 supposedly removed this.

> Dave

> -----Original Message-----
> Sent: Thursday, July 26, 2001 8:06 AM
> To: Multiple recipients of list ORACLE-L

> All,

> This file is gone on 816 on NT.

> Tom Mercadante
> Oracle Certified Professional

> -----Original Message-----
> Sent: Thursday, July 26, 2001 7:47 AM
> To: Multiple recipients of list ORACLE-L

> $Oracle_Home\database

> Also, I forgot to mention that I am on windoze NT.

> Dave

> -----Original Message-----
> Sent: Wednesday, July 25, 2001 4:07 PM
> To: Multiple recipients of list ORACLE-L

> Where is the strt<SID>.cmd file? I don't see it anywhere under
> $ORACLE_HOME.

> > -----Original Message-----
> > From: Farnsworth, Dave [SMTP:DFarnsworth_at_Ashleyfurniture.com]
> > Sent: Wednesday, July 25, 2001 4:47 PM
> > To: Multiple recipients of list ORACLE-L
> > Subject: strt<SID>.cmd security hole??
> >
> > I inherited an Oracle 7.3.4 database that nobody knew the internal password
> > for. So I was doing some research on metalink and came across an article
> > that mentioned the strt<SID>.cmd file would have the password. I was amazed
> > to open up this file and see the unencrypted password for internal. I then
> > checked my 8.0.5 database and the same thing. Then I checked my 8.1.7
> > database and it was not there. Did this gaping security hole disappear in
> > the 8i database? I sure hope so.
> > Both the 7.3.4 and 8.0.5 have the remote_login_passwordfile init parameter
> > set to SHARED, whereas my 8.1.7 is set to EXCLUSIVE. I don't know if this
> > has something to do with it.
> >
> > Thanks,
> >
> > Dave
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > --
> > Author: Farnsworth, Dave
> > INET: DFarnsworth_at_Ashleyfurniture.com
> >
> > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > San Diego, California -- Public Internet access / Mailing Lists
> > --------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from). You may
> > also send the HELP command for other information (like subscribing).
> Author:
> INET: blair_at_pjm.com

> Author: Farnsworth, Dave
> INET: DFarnsworth_at_Ashleyfurniture.com

> Author: Mercadante, Thomas F
> INET: NDATFM_at_labor.state.ny.us

> Author: Farnsworth, Dave
> INET: DFarnsworth_at_Ashleyfurniture.com


Author: Rodd Holman
  INET: rodney.holman_at_lodgenet.com

Received on Thu Jul 26 2001 - 08:09:08 CDT
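
The NT permission lock-down described at the top of this message, written for a current Windows host as an added example that is not part of the original thread: it reports every strt<SID>.cmd in the database directory whose ACL grants access to anyone outside an allow-list and, with -Fix, replaces that ACL. The directory path, the account names and the use of PowerShell are assumptions; add the service account (for example NT AUTHORITY\SYSTEM) to the allow-list if the Oracle service runs under it.

```powershell
# Added example: audit and tighten ACLs on strt<SID>.cmd files.
# $DatabaseDir and $Allowed are placeholder values, not taken from the thread.
param(
    [string]   $DatabaseDir = 'C:\orant\database',
    [string[]] $Allowed     = @('BUILTIN\Administrators', 'DBHOST\oracle'),
    [switch]   $Fix
)

# Return every Allow entry (explicit or inherited) for an identity not on the allow-list.
function Get-UnexpectedAccess {
    param([string]$Path, [string[]]$Allowed)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Allowed -notcontains $_.IdentityReference.Value
    }
}

# Replace the DACL with one that is protected from inheritance and
# grants full control only to the allow-listed identities.
function Set-RestrictedAcl {
    param([string]$Path, [string[]]$Allowed)
    $acl = New-Object System.Security.AccessControl.FileSecurity
    $acl.SetAccessRuleProtection($true, $false)   # block inheritance, keep no inherited entries
    foreach ($id in $Allowed) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Get-ChildItem -Path $DatabaseDir -Filter 'strt*.cmd' -File | ForEach-Object {
    $extra = @(Get-UnexpectedAccess -Path $_.FullName -Allowed $Allowed)
    if ($extra.Count -eq 0) {
        Write-Output "OK      $($_.FullName)"
        return   # next file
    }
    $who = ($extra | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
    Write-Output "EXPOSED $($_.FullName): $who"
    if ($Fix) {
        Set-RestrictedAcl -Path $_.FullName -Allowed $Allowed
        Write-Output "FIXED   $($_.FullName)"
    }
}
```

Run it without -Fix first to review the report; tightening the ACL limits who can read the file but does not remove the password stored in it.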
