
RE: OEM permissions

From: Norris, Gregory T [ITS] <gregory.t.norris_at_mail.sprint.com>
Date: Sat, 20 Dec 2003 21:14:24 -0800
Message-ID: <F001.005DA8E3.20031220211424@fatcity.com>


There's no reason I can see that he couldn't create the dblink first, and then reset the password using the encrypted value. Alternately, the dblink could be created using the DBMS_SYS_SQL package... no knowledge of the current password required.

	create database link foo
	   connect to current_user
	   using 'bar';

-----Original Message-----
Yong Huang
Sent: Saturday, December 20, 2003 2:29 PM
To: Multiple recipients of list ORACLE-L

Hi,

I think you're describing a real security hole. But I'm not sure how it's exploited exactly. Let's say John Doe sets up his database on his desktop, which is part of the production database network. He sees the hash value of SYSTEM's password on production and sets the hash value for his own SYSTEM user to be the same. Since now he doesn't know the clear text password for SYSTEM (Pete Finnigan may know how to find it, though), he can't easily create a private database link owned by SYSTEM. He can still create a public link, or a private link owned by somebody else, his SYS user e.g. Then what?

(He can still create a link owned by SYSTEM from another account such as SYS using a little bit of hacking. But he won't know SYSTEM's password. I don't know how security of the production database is compromised in any way.)

Yong Huang

you wrote:

Maybe I'm being a bit touchy here; but it seems that my comments about having access to dba_users went completely unnoticed. Let's put it this way: There is NO WAY you can prevent somebody from setting up their own private oracle instance. If they have access to dba_users in your database, they can create the SAME users with the SAME passwords in their private database. And they can create database links in their private database.

Now, is this a problem?



-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Yong Huang
  INET: yong321_at_yahoo.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L

(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
Received on Sat Dec 20 2003 - 23:14:24 CST
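
Added example, not part of the original thread: the exposure discussed above depends on who can read the password hashes, so this audit query lists every account that can reach DBA_USERS or SYS.USER$, directly or through nested roles. It assumes a release that supports CONNECT_BY_ROOT (10g or later) and a session allowed to read the DBA_* views; the alias names are illustrative.

```sql
-- Added example: who can read password hashes in this database?
-- Assumption: hashes are exposed through SYS.DBA_USERS and SYS.USER$.
WITH exposing AS (
  -- Direct SELECT grants on the objects that hold the hashes
  SELECT grantee,
         'object grant on ' || owner || '.' || table_name AS via
    FROM dba_tab_privs
   WHERE owner = 'SYS'
     AND table_name IN ('DBA_USERS', 'USER$')
     AND privilege = 'SELECT'
  UNION ALL
  -- System privilege that opens the whole data dictionary
  SELECT grantee,
         'system privilege ' || privilege AS via
    FROM dba_sys_privs
   WHERE privilege = 'SELECT ANY DICTIONARY'
),
role_members AS (
  -- Every (role, holder) pair, following role-to-role grants to any depth.
  -- With no START WITH clause each grant row is a root, so all chains appear.
  SELECT CONNECT_BY_ROOT granted_role AS root_role,
         grantee
    FROM dba_role_privs
 CONNECT BY PRIOR grantee = granted_role
)
SELECT DISTINCT u.username, e.grantee AS granted_to, e.via
  FROM exposing e
  LEFT JOIN role_members m
    ON m.root_role = e.grantee
  JOIN dba_users u
    ON u.username = e.grantee      -- granted straight to the user
    OR u.username = m.grantee      -- inherited through a role chain
    OR e.grantee  = 'PUBLIC'       -- granted to everyone
    OR m.grantee  = 'PUBLIC'       -- role itself granted to everyone
 ORDER BY u.username, e.via;
```

Any username in the result beyond the DBA accounts you expect is a candidate for revoking the grant or the role that the `via` column names.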
