Re: Removing ALL_ views from users - more info

From: Jared Still <jkstill_at_gmail.com>
Date: Wed, 1 Apr 2009 09:29:47 -0700
Message-ID: <bf46380904010929x15c9303nad085641b221e797_at_mail.gmail.com>



On Wed, Apr 1, 2009 at 9:07 AM, Joey D'Antoni <jdanton1_at_yahoo.com> wrote:

> It's been a while since I had to do this, so I don't have the code handy.
> Basically, you write an after logon trigger that disallows the database
> connection where the V$SESSION program isn't in the blessed program name OR
> the user isn't in the group (sys, system, et al)
>

That approach works until someone renames their binary.

The v$session.program field contains whatever the name of the binary is.

e.g. I made a copy of sqlplus and called it my_hacker_tool

$> my_hacker_tool '/ as sysdba'

  1 select s.program from v$session s
  2* where s.username is not null
09:27:26 SQL> /

PROGRAM
my_hacker_tool_at_ordevdb01.radisys.com (TNS V1-V3)

1 row selected.

Using a trigger to check the name of the binary doesn't really provide much security.

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
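For reference, the after-logon trigger approach Joey describes could be written as below; this is an added example, not code from either poster, and the trigger name, the allow-list patterns and the exempt account list are assumptions. It enforces exactly the check under discussion, so the value it compares is only the file name the client binary happens to have, which is the weakness Jared demonstrates.

```sql
-- Added example: AFTER LOGON trigger that compares the client's reported
-- program name against an allow-list. The trigger owner needs a direct
-- grant of SELECT ON sys.v_$session for the query below to compile.
CREATE OR REPLACE TRIGGER trg_check_client_program
AFTER LOGON ON DATABASE
DECLARE
  l_program  v$session.program%TYPE;
  l_user     VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  l_allowed  BOOLEAN := FALSE;
BEGIN
  -- Accounts exempt from the check (hypothetical list).
  IF l_user IN ('SYS', 'SYSTEM', 'DBSNMP') THEN
    RETURN;
  END IF;

  -- Read the program name the client sent for this session.
  -- This is whatever the executable is called on the client machine,
  -- i.e. a value under the client's control, not an identity check.
  SELECT program
    INTO l_program
    FROM v$session
   WHERE sid = SYS_CONTEXT('USERENV', 'SID');

  -- "Blessed" program-name patterns (hypothetical allow-list).
  FOR r IN (SELECT column_value AS pattern
              FROM TABLE(sys.odcivarchar2list('sqlplus%', 'app_server%'))) LOOP
    IF LOWER(l_program) LIKE r.pattern THEN
      l_allowed := TRUE;
    END IF;
  END LOOP;

  IF NOT l_allowed THEN
    -- A raised error here refuses the logon, except for SYS and any user
    -- holding ADMINISTER DATABASE TRIGGER, who still connect.
    RAISE_APPLICATION_ERROR(-20001,
      'Connections from ' || NVL(l_program, '<unknown>') ||
      ' are not permitted');
  END IF;
END;
/
```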

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Apr 01 2009 - 11:29:47 CDT
