Re: Restricting access via sqlplus

From: Tanel Poder <tanel.poder.003_at_mail.ee>
Date: Wed, 09 Jul 2003 14:06:11 -0700
Message-ID: <F001.005C41DD.20030709135924@fatcity.com>

Hi!
 

No, if you code your trigger to check if the program is your apps name, then renaming TOAD to TODD doesn't change anything.
But of course if you change TOAD to your apps name, then this scheme fails. But as I stated, these kinds of methods only help against dumb users.
If you want true security you have to have some kind of middle layer enforcing security and business/data rules.. (could be implemented inside database as well, through PL/SQL packages and no direct access to tables for example).
 

Cheers,
Tanel.
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">

• Original Message ----- <DIV style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black">From: <A [EMAIL PROTECTED] href="mailto:[EMAIL PROTECTED]">Jamadagni, Rajendra To: <A [EMAIL PROTECTED] href="mailto:[EMAIL PROTECTED]">Multiple recipients of list ORACLE-L

  Sent: Wednesday, July 09, 2003 11:39
  PM
  Subject: RE: Restricting access via
  sqlplus   

  Tanel,
  If I change TOAD.EXE to TODD.EXE, this scheme fails instantly   ...
  Raj <FONT

  size=2>-------------------------------------------------------------------------------- 

  Rajendra dot Jamadagni at nospamespn dot com <FONT   size=2>All Views expressed in this email are strictly personal.   QOTD: Any clod can have facts, having an opinion is an art   !
  -----Original Message----- From: Tanel   Poder [<A
  href="mailto:[EMAIL PROTECTED]">mailto:[EMAIL PROTECTED]]   Sent: Wednesday, July 09, 2003 4:24 PM <FONT   size=2>To: Multiple recipients of list ORACLE-L <FONT   size=2>Subject: Re: Restricting access via sqlplus   Hi!
  I think sqlplus product profile isn't a good idea, because   some smarter ones might be using TOAD, SQL Navigator   or SQL Worksheet... What you might want to do is to   write an after logon trigger which checks the app name from <FONT   size=2>v$session and allows logon if and only if app name (v$session.program)   is your 3rd party one. If app name isn't correct, then   your trigger raises an exception. <FONT   size=2>But of course, it only protects you from dumb users.   Another way would be playing with roles, but since you have   3rd party app, it might be problematic.   Tanel.

• Original Message ----- To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]> Sent: Wednesday, July 09, 2003 10:29 PM > Is there a way to prevent end users from connecting directly > to the database via sqlplus without restricting access of those > same users via application code.  The application is a third party <FONT size=2>> package which prompts for an id and password and then uses that > id/password to connect to the database. > > I found a note the the archives which suggested making an entry into <FONT size=2>> the SQLPLUS_PRODUCT_PROFILE table, but I have not been able to make > this work. <FONT size=2>> > Oracle version:  8.1.7 > AIX 4.3.3 > <FONT size=2>> Thanks, > Peter Schauss > -- > Please see the official ORACLE-L FAQ: <A href="http://www.orafaq.net" target=_blank>http://www.orafaq.net > -- > Author: Schauss, Peter <FONT size=2>>   INET: [EMAIL PROTECTED] <FONT size=2>> > Fat City Network Services    -- 858-538-5051 <A href="http://www.fatcity.com" target=_blank>http://www.fatcity.com > San Diego, California        -- Mailing list and web hosting services >

  ---

  > To REMOVE yourself from this mailing list, send an E-Mail message > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in > the message BODY, include a line containing: UNSUB ORACLE-L > (or the name of mailing list you want to be removed from).  You may > also send the HELP command for other information (like subscribing). >
  • Please see the official ORACLE-L FAQ: <A href="http://www.orafaq.net" target=_blank>http://www.orafaq.net -- Author: Tanel Poder   INET: [EMAIL PROTECTED] Fat City Network Services    -- 858-538-5051 <A href="http://www.fatcity.com" target=_blank>http://www.fatcity.com San Diego, California        -- Mailing list and web hosting services <FONT size=2>--------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from).  You may also send the HELP command for other information (like subscribing).

Received on Wed Jul 09 2003 - 16:06:11 CDT