Re: OPS$

From: <Jared.Still_at_radisys.com>
Date: Thu, 31 Jan 2002 09:28:16 -0800
Message-ID: <F001.0040243F.20020131092037@fatcity.com>

I just remembered why remote_os_authent was so insecure in v7 sqlnet v2: you could become SYSTEM just by setting USER_ID=SYSTEM in Oracle.ini, but the SYSTEM user did *not* need to be identified externally.  

That's what was so insecure. I've just been trying to see if any similar insecurities still exist. ( geez I love English :)  

So far, no.

Jared

Jared Still <jkstill_at_cybcon.com>
Sent by: root_at_fatcity.com
01/30/02 07:45 PM
Please respond to ORACLE-L  

        To:     Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
        cc: 
        Subject:        Re: OPS$



Sounds about right to me.

The security part, that is. :)

Jared

On Wednesday 30 January 2002 19:25, Seefelt, Beth wrote:
> I know I'm probably one of the few NT weenies on the list so I hope I don't
> get too much guff from the unix guys...
>
> Disabling remote_os_authent and using external authentication are not
> mutually exclusive, and it's not completely devoid of security in NT.
>
> Consider this configuration
>
> remote_os_authent=false
> osauth_prefix_domain=true
>
> sqlnet.authentication_services=(nts)
>
> Now I can create externally authenticated database accounts, prefixed with
> the domain name instead of OPS$. When they connect to the database Oracle
> will authenticate them via Kerberos or NTLM, so their password doesn't even
> have to be passed over the network. And they are authenticated by the
> domain, so creating a rogue server and creating a user account with the
> same name still isn't going to get you authenticated, unless you can set
> the password on the rogue machine to the same password as the domain
> account.
>
> Or am I living in a rose colored dream world?
>
> Beth
>
>
>
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 5:55 PM
> To: Multiple recipients of list ORACLE-L
>
>
> Well, yes, they can set their name to SYSTEM, SYS, SCOTT, whatever, and so
> long as your authentication demands an OPS$ or basically any other non null
> string of characters, who cares? OPS$SYSTEM is not going to wind up being
> a DBA... now, if OPS$STILL is a DBA, and someone sets their PC to STILL,
> then you've got a problem.
>
> The long and short of it is that the OPS security is only as good as the
> box it is serving. If you're on any computer with C level security or
> higher, there is nothing wrong with using OPS$ as you are using operating
> system level security. So, if, for example, you are using VMS, MVS, CDC,
> Cray, or anything us old folks might have used 10 years ago, OPS$ is
> terrific. If your operating system is making Bill Gates richer, you have
> no security to speak of.
>
> The question you want to ask yourself is how good is your front-end
> security?
>
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 4:26 PM
> To: Multiple recipients of list ORACLE-L
>
> Can you explain that? You have me scared now.
>
> -----Original Message-----
> Sent: Wednesday, January 30, 2002 4:00 PM
> To: Multiple recipients of list ORACLE-L
>
>
> They can also set their username to 'SYSTEM'.
>
> Jared
>
>
>
>
>
> Rachel Carmichael <wisernet100_at_yahoo.com>
> Sent by: root_at_fatcity.com
> 01/30/02 11:25 AM
> Please respond to ORACLE-L
>
>
> To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
> cc:
> Subject: Re: OPS$
>
>
> anyone can name their pc "oracle" and then connect in if you set
> "remote_os_authent"
>
> --- "Smith, Ron L." <rlsmith_at_kmg.com> wrote:
> > Does anyone have any information on security problems using the OPS$
> > account?
> >
> > Ron
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > --
> > Author: Smith, Ron L.
> > INET: rlsmith_at_kmg.com
> >
> > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > San Diego, California -- Public Internet access / Mailing
> > Lists
> > --------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from). You may
> > also send the HELP command for other information (like subscribing).
>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Jared Still
  INET: jkstill_at_cybcon.com

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: 
  INET: Jared.Still_at_radisys.com

Received on Thu Jan 31 2002 - 11:28:16 CST
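
An audit query for the exposure discussed in this thread, added here as an example and not part of the original messages: it reports the remote_os_authent setting and lists externally identified accounts together with what they are granted. It assumes Oracle 11g or later, where DBA_USERS has an AUTHENTICATION_TYPE column, and a session that can read the DBA_* views and V$PARAMETER.

```sql
-- Added example, not from the thread. Assumes Oracle 11g+ (DBA_USERS.AUTHENTICATION_TYPE).
-- On older releases externally identified accounts show PASSWORD = 'EXTERNAL' instead.

-- 1. The instance parameters the thread turns on.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Every externally identified account with its directly granted roles
--    and system privileges. Roles reached through other roles are not expanded.
SELECT u.username,
       u.account_status,
       p.privilege_or_role
FROM   dba_users u
LEFT JOIN (
         SELECT grantee, granted_role AS privilege_or_role FROM dba_role_privs
         UNION ALL
         SELECT grantee, privilege    AS privilege_or_role FROM dba_sys_privs
       ) p ON p.grantee = u.username
WHERE  u.authentication_type = 'EXTERNAL'
ORDER  BY u.username, p.privilege_or_role;

-- 3. The case called out in the thread: an OS-authenticated account that
--    holds DBA while the instance still trusts the client's claimed OS user.
SELECT u.username
FROM   dba_users u
WHERE  u.authentication_type = 'EXTERNAL'
AND    EXISTS (SELECT 1
               FROM   dba_role_privs r
               WHERE  r.grantee = u.username
               AND    r.granted_role = 'DBA')
AND    (SELECT UPPER(value)
        FROM   v$parameter
        WHERE  name = 'remote_os_authent') = 'TRUE';
```

Any row from the third query is an account whose DBA access depends only on the name a remote client reports.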
