
Re: Slightly OT: Java in the DB

From: Tanel Põder <tanel.poder.003_at_mail.ee>
Date: Tue, 24 Feb 2004 18:01:13 +0200
Message-ID: <1e7a01c3faef$6ddf62f0$73f823d5@porgand>


Note that you can't grant sysdba to public, because public is internally a role ;)

Tanel.
----- Original Message -----
From: "Mladen Gogala" <mladen_at_wangtrading.com>
To: <oracle-l_at_freelists.org>
Sent: Tuesday, February 24, 2004 5:40 PM
Subject: Re: Slightly OT: Java in the DB

> One possible solution is to grant SYSDBA to public. If a user's password
> expires, he can always go to his neighbor to fix him up. If he thinks
> that the database is slow, he can bounce it and speed it up. He can make
> room in the database by dropping the other user's tables, the ones that he
> doesn't need, and the furious owner can retaliate by dropping the whole tablespace.
> Life would be very interesting that way.
>
>
> On 02/24/2004 10:18:31 AM, "Vergara, Michael (TEM)" wrote:
> > No...each user has to enter their own old password into a
> > field on the web form, then enter their new password. If
> > the old password is incorrect, the process *should* throw
> > an error.
> >
> > The only way Bob could change Susan's password is if he
> > knows the old one. That never happens, does it? ;)
> >
> > But that does give me the idea of an administrator-type
> > function to change another user's password, similar to
> > a DBA's use of 'alter user...'.
> >
> > And I know I am displaying my ignorance here, but what is
> > 'SQL Injection'?
> >
> > Cheers,
> > Mike
> >
> >
> > -----Original Message-----
> > From: Jared.Still_at_radisys.com [mailto:Jared.Still_at_radisys.com]
> > Sent: Monday, February 23, 2004 5:52 PM
> > To: oracle-l_at_freelists.org
> > Subject: RE: Slightly OT: Java in the DB
> >
> >
> >
> > I'm not a security expert, but it seems to me there are some
> > exploits you would need to take into consideration.
> >
> > SQL Injection comes to mind.
> >
> > Also, if 2+ users have expired passwords, do you have a
> > mechanism to prevent user Bob (with an expired account)
> > from changing Susan's password (also expired)?
> >
> > Are the passwords generated and then mailed to the correct user?
> >
> > Jared
> >
> >
> >
> >
> >
> > "Vergara, Michael (TEM)" <mvergara_at_guidant.com>
> > Sent by: oracle-l-bounce_at_freelists.org
> >
> >
> > 02/23/2004 03:20 PM
> > Please respond to oracle-l
> >
> >
> >
> > To: <oracle-l_at_freelists.org>
> > cc:
> > Subject: RE: Slightly OT: Java in the DB
> >
> >
> >
> > Ahhh...but that's the trick! The user's only authentication is
> > to the admin database. Once the user clicks on 'Submit' I
> > was intending to hand it off to a PL/SQL module owned by an
> > admin user. The 'real' user never sees that part.
> >
> > -----Original Message-----
> > From: Jared.Still_at_radisys.com [mailto:Jared.Still_at_radisys.com]
> > Sent: Monday, February 23, 2004 3:09 PM
> > To: oracle-l_at_freelists.org
> > Subject: RE: Slightly OT: Java in the DB
> >
> >
> > Creating an app that allows users to connect to the database as a
> > DBA to change passwords sounds like it has good potential
> > for security holes.
> >
> > You sure you want to do this?
> >
> > How often does a user with an expired account really need to do this?
> >
> > Jared
> >
> >
> >
> > "Vergara, Michael (TEM)" <mvergara_at_guidant.com>
> > Sent by: oracle-l-bounce_at_freelists.org
> >
> >
> > 02/23/2004 01:11 PM
> > Please respond to oracle-l
> >
> >
> > To: <oracle-l_at_freelists.org>
> > cc:
> > Subject: RE: Slightly OT: Java in the DB
> >
> >
> >
> >
> > What I am trying to do seems so simple that I still cannot
> > believe I'm not done yet!
> >
> > I want to build a web page where a 'normal' (non-privileged)
> > user can go, enter his/her login, see a list of the DB's
> > where he/she has an account, enter a new password, click a
> > checkbox (or -boxes), and have the web page call a <Choose-
> > the-utility-here> routine to go out and update the user's
> > password on the selected DBs.
> >
> > I can do everything except get the DB update to work.
> >
> > There's no daemon. This is intended to be an on-demand
> > utility. There's a central server/instance that has
> > definitions to all the DBs in the TNSNAMES.ORA file. From
> > this DB I harvest the user logins nightly, to build the list
> > to present to the user. I *know* I can connect, although to
> > do the harvest I create a temporary database link, instead of
> > using Java or whatever.
> >
> > It's the silly step of changing the password. The problem is
> > that the user may wait until after the p/w has expired, so they
> > cannot log in. I found the OCINewPassword routine will do a
> > password change even on an expired login. But ARG! This is
> > the second (or is it third) method I've tried and they have all
> > had one kind of issue or another.
> >
> > Any more suggestions?
> >
> > Thanks,
> > Mike
> >
> >
> > -----Original Message-----
> > From: Mladen Gogala [mailto:mladen_at_wangtrading.com]
> > Sent: Monday, February 23, 2004 12:21 PM
> > To: oracle-l_at_freelists.org
> > Subject: Re: Slightly OT: Java in the DB
> >
> >
> > Exactly what are you trying to do? For having a daemon (or demon,
> > for that matter) lurking in the darkness of the central server and
> > resetting expired passwords, the daemon needs to maintain a permanent
> > connection with sufficient privileges to change any user's password,
> > typically a DBA connection. If your DBA doesn't use profiles, with
> > the idle time limitation, you can have a permanently connected process
> > which would change the password as soon as it was signalled to him. The
> > question is: what would the password be changed to? There are strings
> > which are extremely hard to guess (username, "qwerty", "password", "tiger")
> > and which would make your username secure. At one of my places of
> > work, I've witnessed the following story: a tech support expert leaves
> > a unix workstation logged in, as root, and goes home at 6 PM, when the cleaning
> > ladies entered the office. One of the cleaning ladies had a 14-year-old
> > son who wanted to check the old joke with "rm -rf /". He found out
> > that it really does destroy everything on a unix system. Now, you are absent,
> > your password expires at 7 P.M. and there is an eager help desk person who
> > wants to test "drop tablespace FIN_DATA including contents and datafiles
> > cascade constraints" that he or she has seen written somewhere. I'll leave
> > the rest of the story to you.
> >
> > ----------------------------------------------------------------
> > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > ----------------------------------------------------------------
> > To unsubscribe send email to: oracle-l-request_at_freelists.org
> > put 'unsubscribe' in the subject line.
> > --
> > Archives are at http://www.freelists.org/archives/oracle-l/
> > FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
> > -----------------------------------------------------------------
> >
> >
> >
> >
> >
> >



Received on Tue Feb 24 2004 - 09:58:20 CST
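Added example, not code from any poster in this thread: the dynamic-SQL pattern behind Jared's "SQL Injection" warning, beside a hardened form of Michael's "PL/SQL module owned by an admin user". It assumes Oracle 10g or later for DBMS_ASSERT (which postdates this 2004 thread); the procedure and parameter names are hypothetical.

```sql
-- Injection-prone: the form fields are spliced straight into the statement.
CREATE OR REPLACE PROCEDURE pw_reset_unsafe (p_target IN VARCHAR2,
                                             p_new_pw IN VARCHAR2) AS
BEGIN
  EXECUTE IMMEDIATE 'ALTER USER ' || p_target || ' IDENTIFIED BY ' || p_new_pw;
END;
/

-- Hardened: runs with its owner's privileges (AUTHID DEFINER is the
-- default), so the web account is granted EXECUTE on it and nothing else.
-- The caller must pass the identity it authenticated, not a free-form field;
-- that is what keeps Bob from resetting Susan's password.
-- Names (pw_reset, p_target, p_new_pw) are hypothetical.
CREATE OR REPLACE PROCEDURE pw_reset (p_target IN VARCHAR2,
                                      p_new_pw IN VARCHAR2)
AUTHID DEFINER AS
  l_target VARCHAR2(128);
  l_cnt    PLS_INTEGER;
BEGIN
  -- 1. Identifier check: DBMS_ASSERT raises ORA-44003 for anything that is
  --    not a plain SQL name, so no statement fragment can ride along.
  l_target := UPPER(DBMS_ASSERT.SIMPLE_SQL_NAME(p_target));

  -- 2. Target must be an existing account that does not hold DBA. Binds are
  --    used here; expired accounts are allowed because that is the use case.
  --    (Quoted, case-sensitive usernames simply fail this check: fail-closed.)
  SELECT COUNT(*) INTO l_cnt
    FROM dba_users u
   WHERE u.username = l_target
     AND u.account_status IN ('OPEN', 'EXPIRED', 'EXPIRED(GRACE)')
     AND NOT EXISTS (SELECT 1 FROM dba_role_privs r
                      WHERE r.grantee = u.username
                        AND r.granted_role = 'DBA');
  IF l_cnt = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'not an eligible account');
  END IF;

  -- 3. ALTER USER accepts no bind variables, so both tokens are emitted as
  --    delimited identifiers; ENQUOTE_NAME rejects embedded double quotes.
  EXECUTE IMMEDIATE 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(l_target)
                 || ' IDENTIFIED BY ' || DBMS_ASSERT.ENQUOTE_NAME(p_new_pw, FALSE);
END;
/
```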
