
security breach using TKPROF

From: <johnpaulcook_at_my-deja.com>
Date: Thu, 13 Jan 2000 17:14:30 GMT
Message-ID: <85l158$7d5$1@nnrp1.deja.com>


Consider the following. You are a DBA and you don't allow developers access to the UDUMP directory. You run TKPROF using the EXPLAIN PLAN option, but you make a mistake entering a password and it ends up in the output .prf file as shown:

error connecting to database using: system/dev8723x1 ORA-01017: invalid username/password; logon denied

EXPLAIN PLAN option disabled.

You send the output TKPROF file to the developer. The developer figures out that the system password to the production database is prod8732x1. You can argue that similar passwords shouldn't be used between development and test and you might have a valid point. Maybe you think developers should be allowed to run TKPROF themselves, but that's not the point. For really tight security, invalid passwords must also be kept secret. It really isn't proper for invalid passwords to be recorded into files for which there is even a remote chance of being read by the wrong person.

Received on Thu Jan 13 2000 - 11:14:30 CST
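An added example, not part of the original post: a check a DBA could run over a TKPROF output file before handing it to anyone, masking the credential in the connect-error line quoted above. The function name `redact_tkprof`, the `[REDACTED]` marker, the optional `@connect_identifier` handling and the sample text are assumptions made for this example; only the error-line wording comes from the post.

```python
import re
import sys

# Line format taken from the post:
#   "error connecting to database using: <user>/<password> ORA-01017: ..."
# Assumption: an optional "@connect_identifier" may directly follow the password.
CONNECT_ERROR = re.compile(
    r"(?P<prefix>error connecting to database using:\s*)"
    r"(?P<user>[^/\s]+)/(?P<password>[^@\s]+)(?P<target>@\S+)?",
    re.IGNORECASE,
)

# Constructed sample input; the second line mirrors the line shown in the post.
SAMPLE = (
    "-- constructed sample of a TKPROF output file --\n"
    "error connecting to database using: system/dev8723x1 "
    "ORA-01017: invalid username/password; logon denied\n"
    "EXPLAIN PLAN option disabled.\n"
)


def redact_tkprof(text):
    """Return (redacted_text, findings).

    findings record only the line number and username, never the password,
    so the report itself can be logged or shared safely.
    """
    findings = []
    redacted_lines = []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        def mask(match, lineno=lineno):
            findings.append({"line": lineno, "user": match.group("user")})
            target = match.group("target") or ""
            return f"{match.group('prefix')}{match.group('user')}/[REDACTED]{target}"
        redacted_lines.append(CONNECT_ERROR.sub(mask, line))
    return "".join(redacted_lines), findings


if __name__ == "__main__":
    # Usage: script.py report.prf > report.redacted.prf
    with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
        cleaned, hits = redact_tkprof(handle.read())
    sys.stdout.write(cleaned)
    for hit in hits:
        print(f"masked credential for {hit['user']} on line {hit['line']}", file=sys.stderr)
    # Non-zero exit lets a wrapper script flag that a password reached the file.
    sys.exit(1 if hits else 0)
```

A non-zero exit means a mistyped password reached the file; the original `.prf` should be deleted or locked down rather than left next to the redacted copy.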
