Re: Removing ALL_ views from users - more info

From: Jared Still <>
Date: Wed, 1 Apr 2009 09:29:47 -0700
Message-ID: <>

On Wed, Apr 1, 2009 at 9:07 AM, Joey D'Antoni <> wrote:

> It's been a while since I had to do this, so I don't have the code handy.
> Basically, you write an after logon trigger that disallows the database
> connection where the V$SESSION program isn't in the blessed program name OR
> the user isn't in the group (sys, system, et al)

That approach works until someone renames their binary.

The v$session.program field contains whatever the name of the binary is.

E.g., I made a copy of sqlplus and called it my_hacker_tool

$> my_hacker_tool '/ as sysdba'

  1 select s.program from v$session s
  2* where s.username is not null
09:27:26 SQL> /

PROGRAM
(TNS V1-V3)

1 row selected.

Using a trigger to check the name of the binary doesn't really provide much security.

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

Received on Wed Apr 01 2009 - 11:29:47 CDT
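
Added example, not part of the original message or either poster's code: a sketch of the kind of after-logon trigger described in the quoted text, to show exactly which value the check depends on. The trigger name, the exempt accounts and the allow-list patterns (app_server, batch_loader) are hypothetical, and the trigger owner is assumed to have a direct SELECT grant on SYS.V_$SESSION.

```sql
-- Hypothetical illustration of the trigger described in the quoted text.
-- Assumption: the owner has been granted SELECT on sys.v_$session directly
-- (a grant through a role is not visible inside a stored trigger).
CREATE OR REPLACE TRIGGER restrict_client_program
AFTER LOGON ON DATABASE
DECLARE
  v_program VARCHAR2(128);
BEGIN
  -- Accounts exempt from the check (the "sys, system, et al" group).
  IF USER NOT IN ('SYS', 'SYSTEM') THEN

    -- Look up the row for the session that is logging on.
    -- PROGRAM is reported by the connecting client; per the message above
    -- it is whatever the client binary happens to be called.
    SELECT s.program
      INTO v_program
      FROM v$session s
     WHERE s.sid = SYS_CONTEXT('USERENV', 'SID');

    -- Allow-list comparison against the client-reported name.
    -- The patterns are placeholders for the "blessed" program names.
    IF v_program IS NULL
       OR (    LOWER(v_program) NOT LIKE 'app_server%'
           AND LOWER(v_program) NOT LIKE 'batch_loader%') THEN
      -- An unhandled error in an AFTER LOGON trigger rejects the connection,
      -- except for users holding ADMINISTER DATABASE TRIGGER.
      RAISE_APPLICATION_ERROR(
        -20001, 'Connection from this client program is not permitted');
    END IF;

  END IF;
END;
/
```

The only input to the allow-list decision is v_program, which the database receives from the client and does not verify, so the check holds only as long as that name is truthful.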
