
RE: OEM permissions

From: Thomas A. La Porte <tlaporte_at_anim.dreamworks.com>
Date: Sat, 20 Dec 2003 18:34:25 -0800
Message-ID: <F001.005DA8E2.20031220183425@fatcity.com>


I believe the point is not that you can create links to SYS or SYSTEM accounts, but instead to application accounts, e.g. if I created a link from my private database to the company's HR database using a duplicated HR_MANAGER schema, I may be able to access data that I otherwise should not have.

Thomas A. La Porte, DreamWorks SKG
<mailto:tlaporte_at_anim.dreamworks.com>

On Sat, 20 Dec 2003, Yong Huang wrote:

>Hi,
>
>I think you're describing a real security hole. But I'm not sure how it's
>exploited exactly. Let's say John Doe sets up his database on his desktop,
>which is part of the production database network. He sees the hash value of
>SYSTEM's password on production and sets the hash value for his own SYSTEM user
>to be the same. Since now he doesn't know the clear text password for SYSTEM
>(Pete Finnigan may know how to find it, though), he can't easily create a
>private database link owned by SYSTEM. He can still create a public link, or a
>private link owned by somebody else, his SYS user e.g. Then what?
>
>(He can still create a link owned by SYSTEM from another account such as SYS
>using a little bit of hacking. But he won't know SYSTEM's password. I don't know
>how security of the production database is compromised in any way)
>
>Yong Huang
>
>you wrote:
>
>Maybe I'm being a bit touchy here; but it seems that my comments about
>having access to dba_users went completely unnoticed. Let's put it this
>way: There is NO WAY you can prevent somebody from setting up their own
>private Oracle instance. If they have access to dba_users in your database,
>they can create the SAME users with the SAME passwords in their private
>database. And they can create database links in their private database.
>
>Now, is this a problem?
>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Thomas A. La Porte
  INET: tlaporte_at_anim.dreamworks.com
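The thread turns on two things a production DBA can actually check: who is able to read password hashes out of DBA_USERS (the precondition for cloning accounts into a private instance), and where incoming sessions for application accounts are really coming from once a link is used. The SQL below is an added example, not code from any of the posters; it assumes it is run as a DBA in SQL*Plus against an Oracle 9i-era database, uses only standard data-dictionary and audit views, and the grantee exclusion list is a site-specific assumption to adjust.

```sql
-- Added example (not from the thread): who can read DBA_USERS, and where
-- sessions for application accounts originate. Run as a DBA.

-- 1. Direct object grants on SYS.DBA_USERS outside the usual DBA accounts.
--    The exclusion list is an assumption; extend it for your site.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBA_USERS'
   AND grantee NOT IN ('DBA', 'SYS', 'SYSTEM')
 ORDER BY grantee;

-- 2. System privileges that expose the whole dictionary, DBA_USERS included.
--    SELECT ANY TABLE reaches SYS-owned views only when
--    O7_DICTIONARY_ACCESSIBILITY = TRUE, so the parameter is checked as well.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
 ORDER BY grantee, privilege;

SELECT name, value
  FROM v$parameter
 WHERE name = 'o7_dictionary_accessibility';

-- 3. Role grants that carry dictionary access (one level; nested roles
--    need DBA_ROLE_PRIVS walked recursively or ROLE_ROLE_PRIVS).
SELECT grantee, granted_role, default_role
  FROM dba_role_privs
 WHERE granted_role IN ('SELECT_CATALOG_ROLE', 'DBA')
 ORDER BY granted_role, grantee;

-- 4. Detection side: a link from a private instance still has to log on to
--    production as the cloned account, and that logon carries the client's
--    host name.  With session auditing enabled ...
AUDIT SESSION;

--    ... any logon for an application account from a host that is not the
--    application server stands out.  HR_MANAGER and the host pattern are
--    placeholder values from the discussion above.
SELECT username, os_username, userhost, terminal, timestamp, returncode
  FROM dba_audit_session
 WHERE username = 'HR_MANAGER'
   AND userhost NOT LIKE 'hrappserver%'
 ORDER BY timestamp DESC;

-- 5. Links defined in this database that connect outward as a fixed user;
--    the same review applies in the other direction.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY owner, db_link;
```

Query 4 is the one that addresses Thomas's scenario directly: the private instance and its links are invisible to production, but the session it opens on production is not, and USERHOST is what distinguishes a desktop from the application server.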

Received on Sat Dec 20 2003 - 20:34:25 CST