RE: Privileges by session

From: D'Hooge Freek <>
Date: Wed, 13 Jan 2010 11:07:19 +0100

Checking the name of the application is pointless as it is so easy to fool. You only need to change the name of the application:

C:\>rename c:\oracle\product\10.2.0\client_1\BIN\sqlplus.exe sqlplus2.exe

C:\>sqlplus2 sys@gunnar.dargo.farscape as sysdba

SQL*Plus: Release - Production on Wed Jan 13 11:04:51 2010

Copyright (c) 1982, 2005, Oracle. All rights reserved.

Enter password:

Connected to:
Oracle Database 10g Enterprise Edition Release - Production With the Partitioning and Data Mining options

INSTANCE_NAME    HOST_NAME                      STATUS
---------------- ------------------------------ ------------
GUNNAR           dargo.farscape                 OPEN

sys@GUNNAR> select program from v$session where sid = (select distinct sid from v$mystat);



Freek D'Hooge
Oracle Database Administrator
tel +32(0)3 451 23 82

From: [] On Behalf Of Yechiel Adar
Sent: Tuesday 12 January 2010 18:40
Subject: Re: Privileges by session

Sure, but:
1) How many are worth employment?   :-)
2) Adding a check on the source, which should be production servers that the developers have no access to, will help.

Adar Yechiel
Rechovot, Israel

Jared Still wrote:
On Tue, Jan 12, 2010 at 4:54 AM, Yechiel Adar <> wrote:

2) Put in a login trigger that will fail all logons with the application user but with other programs like SQLPLUS or TOAD.

Any developer worth employing can circumvent a trigger that checks executable names.

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

Received on Wed Jan 13 2010 - 04:07:19 CST
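
Added example, not part of the original thread or written by any of its participants: a logon trigger that decides on the connection's source address (the "check on the source" raised in the thread) instead of the client-reported program name. The account name APP_USER and the 192.0.2.x addresses are constructed placeholders.

```sql
-- Added example. APP_USER and the 192.0.2.x addresses are constructed placeholders.
CREATE OR REPLACE TRIGGER app_user_source_check
AFTER LOGON ON DATABASE
DECLARE
  v_ip VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
BEGIN
  -- Only the application account is restricted; everyone else logs on as usual.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') <> 'APP_USER' THEN
    RETURN;
  END IF;

  -- Not used for the decision: V$SESSION.PROGRAM and SYS_CONTEXT('USERENV','MODULE')
  -- are reported by the client, so renaming the executable changes them.

  -- IP_ADDRESS is NULL for local (non-network) connections. The application
  -- servers are assumed to connect over the network, so NULL is rejected too.
  -- The explicit IS NULL test is needed because NULL NOT IN (...) is not TRUE.
  IF v_ip IS NULL OR v_ip NOT IN ('192.0.2.10', '192.0.2.11') THEN
    RAISE_APPLICATION_ERROR(-20001,
      'APP_USER may only connect from the application servers');
  END IF;
END;
/
```

An error raised in a logon trigger does not block accounts that hold the ADMINISTER DATABASE TRIGGER privilege, so the restricted account must not have it. The check is only as strong as the access control on the listed hosts.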
