Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: using set role command in a logon trigger -- got something implemented - now security question

From: Wolfgang Breitling <breitliw_at_centrexcc.com>
Date: Fri, 13 Apr 2007 07:34:42 -0600
Message-Id: <20070413133503.35C716B8736@turing.freelists.org>


That's why I said it depends on how sys_context determines the user's environment module name. If it's simply by program name then it is obviously very easy as I demonstrated. If it is by the application module name then it may be more difficult but probably not impossible. Whatever the application is doing to establish its sys_context one can likely fake. The biggest hurdle (for a would-be hacker) is probably to find out what it is that needs to be faked.

At 05:19 AM 4/13/2007, rjamya wrote:
>Wolfgang,
>
>true, but remember, the logon trigger will fire after you login and
>before you get your prompt back to issue the exec
>dbms_application_info command.
>
>Laura,
>
>if you are that worried, revoke dbms_application_info from public
>and grant it at the end of the trigger. Spoofing will require user
>to execute some code, which obviously cannot be done until login
>process is complete.
>
>Am I missing anything?
>rjamya
>
>On 4/12/07, Wolfgang Breitling
><breitliw_at_centrexcc.com> wrote:
>
>I am getting out on a limb here to say "most likely yes". How
>difficult it is depends to some degree on how your sys_context
>determines "the user's environment module name".

Regards

Wolfgang Breitling
Centrex Consulting Corporation
www.centrexcc.com
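For readers following the thread, this is what the mechanism under discussion looks like in PL/SQL: a non-default role switched on by a logon trigger keyed on SYS_CONTEXT('USERENV','MODULE'), plus rjamya's suggested revoke and an audit table so mismatches are visible. It is an added example, not code from this message or from Laura's implementation; the role name APP_ROLE, the user LAURA, the module string MYAPP, the table APP.ORDERS and the audit table SEC_LOGON_AUDIT are placeholders.

```sql
-- Added example (not from the thread). Placeholders: APP_ROLE, LAURA,
-- MYAPP, APP.ORDERS, SEC_LOGON_AUDIT. Run as a DBA; the audit table
-- lives in the trigger owner's schema.

-- 1. Grant the role but keep it switched off by default, so it only
--    becomes active when the logon trigger below enables it.
CREATE ROLE app_role;
GRANT SELECT ON app.orders TO app_role;
GRANT app_role TO laura;
ALTER USER laura DEFAULT ROLE ALL EXCEPT app_role;

-- 2. rjamya's mitigation: ordinary users can no longer call
--    DBMS_APPLICATION_INFO and rewrite MODULE after logon.
REVOKE EXECUTE ON sys.dbms_application_info FROM PUBLIC;

-- 3. Audit table: every logon records what the client reported and
--    whether the role was enabled, so a DBA can spot odd combinations.
CREATE TABLE sec_logon_audit (
  logon_time TIMESTAMP DEFAULT SYSTIMESTAMP,
  username   VARCHAR2(128),
  module     VARCHAR2(64),
  role_set   CHAR(1)
);

-- 4. Logon trigger. MODULE is whatever the client supplied (program name
--    or a DBMS_APPLICATION_INFO call), which is Wolfgang's point: this
--    gates convenience, it does not authenticate the caller.
CREATE OR REPLACE TRIGGER trg_set_app_role
  AFTER LOGON ON DATABASE
DECLARE
  v_module VARCHAR2(64) := SYS_CONTEXT('USERENV', 'MODULE');
  v_set    CHAR(1)      := 'N';
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'LAURA'
     AND v_module = 'MYAPP' THEN
    -- SET ROLE cannot be issued as a SQL statement inside PL/SQL; use
    -- DBMS_SESSION. It replaces the enabled role set, so list every
    -- role the session needs, not just APP_ROLE.
    DBMS_SESSION.SET_ROLE('APP_ROLE, CONNECT');
    v_set := 'Y';
  END IF;
  INSERT INTO sec_logon_audit (username, module, role_set)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), v_module, v_set);
  -- Do not RAISE here for a failed check: an exception in a logon
  -- trigger locks the user out instead of merely withholding the role.
END;
/
```

Note that a role granted to a user can also be enabled by that user with a plain SET ROLE; if the trigger is meant to be the only path, the role has to be created with a password or as a secure application role (CREATE ROLE ... IDENTIFIED USING package), which is outside what this thread covers.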



--
http://www.freelists.org/webpage/oracle-l
Received on Fri Apr 13 2007 - 08:34:42 CDT
