| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> Re: using set role command in a logon trigger -- got something implemented - now security question
At 09:05 AM 4/12/2007, laura pena wrote:
>Just to provide feedback here, I actually got this implemented using
>the 10g feature creating application roles via schema packages.
>Thanks for the link below Sriram.
>
>The user is configured to execute a schema package created as the
>system user with AUTHID CURRENT_USER.
>
>The schema package uses sys_context to check the users environment
>module name to determine which application is running. If it's the
>"approved" module, permission to update,delete, insert into this
>schema are granted via dbms_session.set_role to the logged in user.
>
>The application itself needed to modified to call this stored
>procedure on login (it does more checks as well). All users allowed
>to user this application configured to use this stored procedure.
>
>Works great. Except now I have a security question?
>
>Can a user spoof the sys_context environment module name ?
>So say the user wants to have super privs within toad? Can he/she
>change the module toad.exe to the module name of the application.
>So they may have super privs to the applications tables now?
I am getting out on a limb here to say "most likely yes". How difficult it is depends to some degree on how your sys_context determines "the users environment module name". If it's just from the program name that would be very easy to fake. By just creating a copy of sqlplus as toad I get the following: 11:59:02 ora92.scott> exec print_table('select * from v$session where sid=9'
SADDR : 30A6BB08 SID : 9 SERIAL# : 3594 AUDSID : 5325 PADDR : 30A41044 USER# : 40 USERNAME : SCOTT COMMAND : 0 OWNERID : 2147483644 TADDR : LOCKWAIT : STATUS : ACTIVE SERVER : DEDICATED SCHEMA# : 40 SCHEMANAME : SCOTT OSUSER : FERRARI\Wolfgang PROCESS : 8036:7572 MACHINE : CENTREX\FERRARI TERMINAL : FERRARI PROGRAM : toad.exe TYPE : USER SQL_ADDRESS : 320733AC SQL_HASH_VALUE : 2876145831 PREV_SQL_ADDR : 320733AC PREV_HASH_VALUE : 2876145831 MODULE : SQL*Plus MODULE_HASH : 3669949024 ACTION : 2007-04-12 11:55:54 ACTION_HASH : 1061060199 CLIENT_INFO : FIXED_TABLE_SEQUENCE : 66 ROW_WAIT_OBJ# : 30146 ROW_WAIT_FILE# : 7 ROW_WAIT_BLOCK# : 0 ROW_WAIT_ROW# : 0 LOGON_TIME : 2007-04-12 11:55:52 LAST_CALL_ET : 0 PDML_ENABLED : NO FAILOVER_TYPE : NONE FAILOVER_METHOD : NONE FAILED_OVER : NO RESOURCE_CONSUMER_GROUP : DEFAULT_CONSUMER_GROUP PDML_STATUS : DISABLED PDDL_STATUS : ENABLED PQ_STATUS : ENABLED CURRENT_QUEUE_DURATION : 0 CLIENT_IDENTIFIER : -----------------
The program name is now toad.exe, but the module is still sql*plus
because sqlplus sets it via a call to
dbms_application_info.set_module. In order to change that I need to
intercept that and change the value to something else. Not at all
impossible to do. Just depends on the determination and knowledge of
the developer.
Regards
Wolfgang Breitling
Centrex Consulting Corporation
www.centrexcc.com
-- http://www.freelists.org/webpage/oracle-lReceived on Thu Apr 12 2007 - 13:15:29 CDT
 |
 |