Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Preventing SQLPLUS access?

From: Aram Meguerian <aram_at_unisys.com.br>
Date: 1997/06/26
Message-ID: <01bc829f$d8752ca0$4b02dcc8@psaphos>#1/1

Joe McSheffery <joe_at_vulcan.achq.dnd.ca> wrote in article <33B1F69A.4CC7_at_vulcan.achq.dnd.ca>...
> Jurij Modic wrote:
> >
> > > On Fri, 6 Jun 1997 18:23:56 GMT, skubiszewski_at_Eisner.DECUS.Org wrote:
> > >
> > > >We have a large user base using a custom-written client-server application
> > > >with Oracle as the database. Our developers are worried that crafty users
> > > >will discover that they can use their application signon to come in via
> > > >SQLPLUS. We don't want anyone manipulating the database from outside
> > > >the custom application.
> > > >
> > > >Is there an easy way to prevent this from happening?
> >
> The best way I have found is to use the "Product User Profile"
> feature of ORACLE. The only reference I have here at home is in the
> "Oracle DBA Handbook" by Kevin Loney (Pages 298-299 and 400). I think
> the Oracle Doc set ref is in the Installation Guide or the
> Administrators User Guide, I'm not sure.
>
> Basically what the "Product User Profile" feature allows is for the
> DBA to specify what use/access the users have to what "ORACLE"
> products.
>

Unfortunately, PRODUCT_USER_INFO seems to be searched by the Oracle product and not by the RDBMS at connect time, so if your user is smart (or not so dumb) he/she will be able to connect to your database using an insidious Microsoft product named MS Query, a component of the Office 'suite'.

The way we are trying to solve it is to issue every user an account with only create session and execute on a security package. At connection time the application runs some procedures and functions of the package in the right order and a role (with password) is set for the user. (default procedure everywhere I look)

Moreover, the Oracle support analyst here and I are checking whether a trigger on the AUD$ audit table, with auditing on for all connect attempts, will do the job of preventing that, so that even if you have an above-average smart user, he/she will not be able to connect from anything but the application he/she has permission to run.

Support here is checking whether creating a trigger on AUD$ is on the same level as tampering with the dictionary itself. I hope not.

Hope it helps,

-- 

                     Aram Meguerian
                     aram_at_unisys.com.br

-------------------------------------------------------------------
  TANSTAAFL - There ain't no such thing as a free lunch 
                                           by Robert A. Heinlein
-------------------------------------------------------------------
     I don't work at Unisys, it is just my Internet Provider, 
     so don't blame it for anything I have just said.
-------------------------------------------------------------------
Received on Thu Jun 26 1997 - 00:00:00 CDT
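
One way to implement the scheme described in the message above (an account holding only CREATE SESSION and EXECUTE on a gate package, which enables a password-protected role after its procedures are called in order), added here as an example and not code from the poster or from Oracle. All schema, user, role and package names and both passwords are hypothetical; it assumes the `app_owner` and `app_sec` schemas already exist and Oracle 8i or later, because `DBMS_SESSION.SET_ROLE` only works from invoker's-rights code.

```sql
-- Added illustration. Hypothetical names: app_owner, app_sec, app_rw_role,
-- app_user1, orders, session_gate. Passwords are constructed placeholders.
-- Assumes Oracle 8i or later (AUTHID CURRENT_USER); run as a DBA.

-- Privileges live on a password-protected role, never on the user.
CREATE ROLE app_rw_role IDENTIFIED BY role_pw_placeholder_1;
GRANT SELECT, INSERT, UPDATE ON app_owner.orders TO app_rw_role;

-- The end-user account can log in and call the gate package, nothing more.
CREATE USER app_user1 IDENTIFIED BY user_pw_placeholder_1;
GRANT CREATE SESSION TO app_user1;
GRANT app_rw_role TO app_user1;
ALTER USER app_user1 DEFAULT ROLE NONE;  -- role is off at logon

CREATE OR REPLACE PACKAGE app_sec.session_gate AUTHID CURRENT_USER AS
  PROCEDURE step_one;
  PROCEDURE step_two;
END session_gate;
/
CREATE OR REPLACE PACKAGE BODY app_sec.session_gate AS
  g_step PLS_INTEGER := 0;  -- package state is private to each session

  PROCEDURE step_one IS
  BEGIN
    g_step := 1;
  END step_one;

  PROCEDURE step_two IS
  BEGIN
    IF g_step <> 1 THEN
      g_step := 0;
      RAISE_APPLICATION_ERROR(-20001, 'session setup called out of order');
    END IF;
    -- SET_ROLE is rejected inside definer's-rights code, hence AUTHID CURRENT_USER.
    DBMS_SESSION.SET_ROLE('app_rw_role IDENTIFIED BY role_pw_placeholder_1');
    g_step := 2;
  END step_two;
END session_gate;
/
GRANT EXECUTE ON app_sec.session_gate TO app_user1;

-- Verification, logged in as app_user1 from any client:
--   SELECT * FROM session_roles;            -- no rows before the handshake
--   EXEC app_sec.session_gate.step_one
--   EXEC app_sec.session_gate.step_two
--   SELECT * FROM session_roles;            -- APP_RW_ROLE is now listed
```

The verification steps work from any client, so the call order protects the data only while the sequence stays unknown to users; the enforced boundary is that the account has no table privileges until the role is enabled.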
