Re: using set role command in a logon trigger -- got something implemented - now security question

Wolfgang,

true, but remember, the logon trigger will fire after you login and before you get your prompt back to issue the exec dbms_application_info command.

Laura,

if you are that worried, revoke dbms_application_info from public and grant it at the end of the trigger. Spoofing will require user to execute some code, which obviously cannot be done until login process is complete.

Am I missing anything?
rjamya

On 4/12/07, Wolfgang Breitling <breitliw_at_centrexcc.com> wrote:
>
>
> At 09:05 AM 4/12/2007, laura pena wrote:
> >Just to provide feedback here, I actually got this implemented using
> >the 10g feature creating application roles via schema packages.
> >Thanks for the link below Sriram.
> >
> >The user is configured to execute a schema package created as the
> >system user with AUTHID CURRENT_USER.
> >
> >The schema package uses sys_context to check the users environment
> >module name to determine which application is running. If it's the
> >"approved" module, permission to update,delete, insert into this
> >schema are granted via dbms_session.set_role to the logged in user.
> >
> >The application itself needed to modified to call this stored
> >procedure on login (it does more checks as well). All users allowed
> >to user this application configured to use this stored procedure.
> >
> >Works great. Except now I have a security question?
> >
> >Can a user spoof the sys_context environment module name ?
> >So say the user wants to have super privs within toad? Can he/she
> >change the module toad.exe to the module name of the application.
> >So they may have super privs to the applications tables now?
>
> I am getting out on a limb here to say "most likely yes". How
> difficult it is depends to some degree on how your sys_context
> determines "the users environment module name".
> If it's just from the program name that would be very easy to fake.
> By just creating a copy of sqlplus as toad I get the following:
> 11:59:02 ora92.scott> exec print_table('select * from v$session where
> sid=9'
> SADDR : 30A6BB08
> SID : 9
> SERIAL# : 3594
> AUDSID : 5325
> PADDR : 30A41044
> USER# : 40
> USERNAME : SCOTT
> COMMAND : 0
> OWNERID : 2147483644
> TADDR :
> LOCKWAIT :
> STATUS : ACTIVE
> SERVER : DEDICATED
> SCHEMA# : 40
> SCHEMANAME : SCOTT
> OSUSER : FERRARI\Wolfgang
> PROCESS : 8036:7572
> MACHINE : CENTREX\FERRARI
> TERMINAL : FERRARI
> PROGRAM : toad.exe
> TYPE : USER
> SQL_ADDRESS : 320733AC
> SQL_HASH_VALUE : 2876145831
> PREV_SQL_ADDR : 320733AC
> PREV_HASH_VALUE : 2876145831
> MODULE : SQL*Plus
> MODULE_HASH : 3669949024
> ACTION : 2007-04-12 11:55:54
> ACTION_HASH : 1061060199
> CLIENT_INFO :
> FIXED_TABLE_SEQUENCE : 66
> ROW_WAIT_OBJ# : 30146
> ROW_WAIT_FILE# : 7
> ROW_WAIT_BLOCK# : 0
> ROW_WAIT_ROW# : 0
> LOGON_TIME : 2007-04-12 11:55:52
> LAST_CALL_ET : 0
> PDML_ENABLED : NO
> FAILOVER_TYPE : NONE
> FAILOVER_METHOD : NONE
> FAILED_OVER : NO
> RESOURCE_CONSUMER_GROUP : DEFAULT_CONSUMER_GROUP
> PDML_STATUS : DISABLED
> PDDL_STATUS : ENABLED
> PQ_STATUS : ENABLED
> CURRENT_QUEUE_DURATION : 0
> CLIENT_IDENTIFIER :
> -----------------
>
> The program name is now toad.exe, but the module is still sql*plus
> because sqlplus sets it via a call to
> dbms_application_info.set_module. In order to change that I need to
> intercept that and change the value to something else. Not at all
> impossible to do. Just depends on the determination and knowledge of
> the developer.
>
>
> Regards
>
> Wolfgang Breitling
> Centrex Consulting Corporation
> www.centrexcc.com
>
>
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email
> ______________________________________________________________________
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

-- 
-----
Best regards
RJamya
-------------------------------------------

--
http://www.freelists.org/webpage/oracle-l