Re: Preventing SQLPLUS access?
Joe McSheffery <joe_at_vulcan.achq.dnd.ca> wrote in article
<33B1F69A.4CC7_at_vulcan.achq.dnd.ca>...
> Jurij Modic wrote:
> >
> > > On Fri, 6 Jun 1997 18:23:56 GMT, skubiszewski_at_Eisner.DECUS.Org wrote:
> > >
> > > >We have a large user base using a custom-written client-server application
> > > >with Oracle as the database. Our developers are worried that crafty users
> > > >will discover that they can use their application signon to come in via
> > > >SQLPLUS. We don't want anyone manipulating the database from outside
> > > >the custom application.
> > > >
> > > >Is there an easy way to prevent this from happening?
> >
> The best way I have found is to use the "Product User Profile"
> feature of ORACLE. The only reference I have here at home is in the
> "Oracle DBA Handbook" by Kevin Loney (Pages 298-299 and 400). I think
> the Oracle Doc set ref is in the Installation Guide or the
> Administrators User Guide, I'm not sure.
>
> Basically what the "Product User Profile" feature allows is for the
> DBA to specify what use/access the users have to what "ORACLE"
> products.
>
Unfortunately, PRODUCT_USER_INFO seems to be searched by the Oracle product and not by the RDBMS at connect time, so if your user is smart (or not so dumb) he/she will be able to connect to your database using an insidious Microsoft product named MS Query, a component of the Office 'suite'.
The way we are trying to solve it is to issue every user an account with only create session and execute on a security package. At connection time the application runs some procedures and functions of the package in the right order and a role (with password) is set for the user. (default procedure everywhere I look)
Furthermore, the Oracle support analyst here and I are looking into whether a trigger on the AUD$ audit table, with auditing on for all connect attempts, will do the job of preventing that, so that even if you have an above-average smart user, he/she will not be able to connect from anything but the application he/she has permission to run.
Support here is checking whether creating a trigger on AUD$ is on the same level as tampering with the dictionary itself. I hope not.
Hope it helps,
--
Aram Meguerian
aram_at_unisys.com.br
-------------------------------------------------------------------
TANSTAAFL - There ain't no such thing as a free lunch
by Robert A. Heinlein
-------------------------------------------------------------------
I don't work at Unisys, it is just my Internet Provider, so
don't blame it for anything I have just said.
-------------------------------------------------------------------
Received on Thu Jun 26 1997 - 00:00:00 CDT
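
The account layout described in the reply above, as an added sketch that is not part of the original post: a user who can only log on, plus a password-protected role that is not enabled at logon, with session auditing switched on. The names APP_ROLE, APP_USER1 and APP_DATA.ORDERS and both passwords are constructed placeholders, and the post's security package is reduced here to the SET ROLE statement the application would issue.

```sql
-- Added example; every name and password below is a constructed placeholder.

-- 1. Role that carries the application's object privileges, protected by a password.
CREATE ROLE app_role IDENTIFIED BY "Role_Pw_Placeholder_1";
GRANT SELECT, INSERT, UPDATE, DELETE ON app_data.orders TO app_role;

-- 2. End-user account: allowed to log on, nothing more granted directly.
CREATE USER app_user1 IDENTIFIED BY "User_Pw_Placeholder_1";
GRANT CREATE SESSION TO app_user1;
GRANT app_role TO app_user1;

-- Keep the granted role out of the set of roles enabled at logon.
ALTER USER app_user1 DEFAULT ROLE NONE;

-- 3. Check to run as APP_USER1 from any client right after logon:
--    lists the roles currently enabled in the session.
SELECT role FROM session_roles;

-- 4. Statement the application issues after connecting; only a client
--    that knows the role password can enable the role.
SET ROLE app_role IDENTIFIED BY "Role_Pw_Placeholder_1";
SELECT role FROM session_roles;

-- 5. Logon auditing (requires the AUDIT_TRAIL initialization parameter to be
--    enabled), so the DBA can review where application accounts connect from.
AUDIT SESSION;

SELECT os_username, username, userhost, terminal, timestamp, returncode
  FROM dba_audit_session
 WHERE username = 'APP_USER1'
 ORDER BY timestamp;
```

The role password has to reach the client application somehow, so it is only as secret as the application binary or the package that supplies it.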