Re: Becoming a user - 10g issue
Date: Thu, 21 Aug 2008 21:35:23 -0700 (PDT)
I'm glad you brought up the issue of auditing. Let me focus on the technical aspect of it, and leave the non-technical discussion to managers or whoever interested.
When you execute procedure anotheruser.procedurename as sys to create the db link in his schema, dba_audit_trail by default will not record it (assuming "audit create database link" was done earlier). It *is* a problem for auditing. If that's the concern, or inconvenience in finding who did it, then the DBAs should always use this trick when logged on as a DBA but not sys such as system, because dba_audit_trail.username will show "SYSTEM" for this action. Alternatively, just enable audit_sys_operations if sys should be monitored.
- Mark Brinsmead <pythianbrinsmead_at_gmail.com> wrote:
> Yes. You can use this trick to do just about anything as any user -- all
> you need is create any procedure and execute any procedure.
> Of course, if auditors are likely to complain about (mis-)use of ALTER USER,
> what are they likely to say about this.
> Apply caution -- in may places performing actions like either of these
> without proper authorization can be firing offenses, or worse, could even
> result in criminal prosecution! (And simply having the necessary privileges
> is *not* authorization!)
> On Thu, Aug 21, 2008 at 4:09 PM, Jared Still <jkstill_at_gmail.com> wrote:
> > Clever solution.
> > On Thu, Aug 21, 2008 at 1:54 PM, Yong Huang <yong321_at_yahoo.com> wrote:
> >> What I usually do to create a private DB link or stop or start another
> >> user's
> >> DBMS job, is to create a temporary procedure in that schema:
> >> conn system
> >> create or replace procedure yhuang.p as
> >> begin
> >> execute immediate 'create database link remotedb
> >> connect to remoteuser identified by thepassword using ''remotedb''';
> >> end;
> >> /
> >> exec yhuang.p
> >> drop procedure yhuang.p;
> >> The advantage is you don't change that user's password even for a
> >> subsecond. So
> >> there's no risk in that respect.
> >> I wish Oracle would support "create database link theuser.linkname...", or
> >> give
> >> us a general method as Windows's "Run as" functionality.
> > --
> > Jared Still
> > Certifiable Oracle DBA and Part Time Perl Evangelist
> -- Mark Brinsmead
> Senior DBA,
> The Pythian Group