
RE: OEM permissions

From: Thomas A. La Porte <>
Date: Sat, 20 Dec 2003 18:34:25 -0800
Message-ID: <>

I believe the point is not that you can create links to SYS or SYSTEM accounts, but instead to application accounts, e.g. if I created a link from my private database to the company's HR database using a duplicated HR_MANAGER schema, I may be able to access data that I otherwise should not have.

Thomas A. La Porte, DreamWorks SKG

On Sat, 20 Dec 2003, Yong Huang wrote:

>I think you're describing a real security hole. But I'm not sure how it's
>exploited exactly. Let's say John Doe sets up his database on his desktop,
>which is part of the production database network. He sees the hash value of
>SYSTEM's password on production and sets the hash value for his own SYSTEM user
>to be the same. Since now he doesn't know the clear text password for SYSTEM
>(Pete Finnigan may know how to find it, though), he can't easily create a
>private database link owned by SYSTEM. He can still create a public link, or a
>private link owned by somebody else, his SYS user e.g. Then what?
>(He can still create a link owned by SYSTEM from another account such as SYS
>using a little bit of hacking. But he won't know SYSTEM's password. I don't know
>how security of the production database is compromised in any way)
>Yong Huang
>you wrote:
>Maybe I'm being a bit touchy here; but it seems that my comments about
>having access to dba_users went completely unnoticed. Let's put it this
>way: There is NO WAY you can prevent somebody from setting up their own
>private oracle instance. If they have access to dba_users in your database,
>they can create the SAME users with the SAME passwords in their private
>database. And they can create database links in their private database.
>Now, is this a problem?

Received on Sat Dec 20 2003 - 20:34:25 CST
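
The thread turns on who "has access to dba_users". The following audit queries are an added example, not part of the original messages: they list the accounts and roles that can read password hashes from the data dictionary. They assume a DBA session and use only the standard dictionary views DBA_TAB_PRIVS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS.

```sql
-- Added example (not from the thread): find who can read password hashes.

-- 1. Direct object grants on the view/table that expose the hashes.
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('DBA_USERS', 'USER$')
ORDER  BY grantee;

-- 2. Dictionary-wide system privileges.
--    SELECT ANY TABLE only reaches SYS objects when
--    O7_DICTIONARY_ACCESSIBILITY is TRUE.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
ORDER  BY grantee;

-- 3. Users who inherit any of the above through (possibly nested) roles.
--    Walks the role graph upward from every grantee found in 1 and 2.
SELECT DISTINCT grantee
FROM   dba_role_privs
WHERE  grantee IN (SELECT username FROM dba_users)
START  WITH granted_role IN (
         SELECT grantee
         FROM   dba_tab_privs
         WHERE  owner = 'SYS'
         AND    table_name IN ('DBA_USERS', 'USER$')
         UNION
         SELECT grantee
         FROM   dba_sys_privs
         WHERE  privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE'))
CONNECT BY PRIOR grantee = granted_role
ORDER  BY grantee;
```

Any name in the result that is not a DBA account is a candidate for having the grant revoked or replaced with a view that omits the password column.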
