Re: Removing ALL_ views from users - more info
Date: Wed, 1 Apr 2009 09:29:47 -0700
On Wed, Apr 1, 2009 at 9:07 AM, Joey D'Antoni <jdanton1_at_yahoo.com> wrote:
> It's been a while since I had to do this, so I don't have the code handy.
> Basically, you write an after logon trigger that disallows the database
> connection where the V$SESSION program isn't in the blessed program name OR
> the user isn't in the group (sys, system, et al.).
That approach works until someone renames their binary.
The v$session.program field contains whatever the name of the binary is.
e.g., I made a copy of sqlplus and called it my_hacker_tool:
$> my_hacker_tool '/ as sysdba'
1 select s.program from v$session s
2* where s.username is not null
09:27:26 SQL> /
PROGRAM
my_hacker_tool_at_ordevdb01.radisys.com (TNS V1-V3)
1 row selected.
Using a trigger to check the name of the binary doesn't really provide much security.
Certifiable Oracle DBA and Part Time Perl Evangelist
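
The logon-trigger check described in the quoted message, sketched in PL/SQL as an added example that is not part of the original thread. The trigger name, the `approved_app` allowlist prefix and the error number are assumptions, and the trigger owner is assumed to hold a direct SELECT grant on SYS.V_$SESSION.

```sql
-- Added illustration, not code from the thread.
-- Assumed names: restrict_client_program, 'approved_app', error -20001.
CREATE OR REPLACE TRIGGER restrict_client_program
AFTER LOGON ON DATABASE
DECLARE
  v_program v$session.program%TYPE;
BEGIN
  -- Exempt accounts ("sys, system, et al." in the quoted message).
  IF USER IN ('SYS', 'SYSTEM') THEN
    RETURN;
  END IF;

  -- Look up the PROGRAM value recorded for the session that is logging on.
  SELECT s.program
    INTO v_program
    FROM v$session s
   WHERE s.sid = SYS_CONTEXT('USERENV', 'SID');

  -- PROGRAM is whatever the client binary is called, as the reply shows
  -- with the renamed sqlplus copy. This comparison therefore checks a
  -- client-supplied label, not the identity of the tool: a copy of any
  -- client renamed to match the allowlist passes it.
  IF v_program IS NULL
     OR LOWER(v_program) NOT LIKE 'approved_app%' THEN
    RAISE_APPLICATION_ERROR(
      -20001, 'Connections from this program are not permitted');
  END IF;
END;
/
```

Because the value being compared is chosen on the client side, a trigger like this is useful for keeping well-behaved users on the approved tool and for spotting unexpected program names, not as an access control.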