Newsgroups: comp.databases.oracle.server
Subject: Re: Security problem
In article <uuoPhd8b$GA.363_at_net025s> uw.naam_at_hetnet.nl writes:
>Scott Kronheim wrote in message <389B1650.3AFAD0B3_at_synertechsystems.com>...
>>The privileges assigned to a non-default role are not utilized by a
>>user's session until the SET ROLE command is issued. Therefore, when a
>>user logs into the database using anything other than your application,
>>they won't have privileges to do anything with your application
>>objects. Also, the SET ROLE command has a session-level scope, so when
>>your application disconnects from the database, the privileges disappear.
>What Scott Kronheim is suggesting is certainly a way to enhance your
>application's security.
>This isn't watertight though: if your end user can use client software that
>can issue the SET ROLE command, there is nothing on the server side that
>will stop this, and then the user will have all the privileges of the role.
You could use password-protected ROLES and encrypt the hardcoded password string in your application code, to prevent the user from using a strings-type utility to dump the ASCII strings from your binaries.
Philip
---=====================================================================---
Philip Chee: Tasek Corporation Berhad, P.O.Box 254, 30908 Ipoh, MALAYSIA
e-mail: philip_at_aleytys.pc.my   Voice:+60-5-545-1011   Fax:+60-5-547-3932
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.
---
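The scheme discussed in this thread (a non-default, password-protected role that the application enables with SET ROLE), written out as an added Oracle SQL example. This is not code from any poster; the role name app_role, the user scott, the table appowner.orders and the role password are assumed for illustration.

```sql
-- Added example of the thread's scheme; app_role, scott, appowner.orders
-- and the password AppRolePw1 are assumed names, not from the original post.

-- 1. As a DBA: a password-protected role that carries the application privileges.
CREATE ROLE app_role IDENTIFIED BY AppRolePw1;
GRANT SELECT, INSERT, UPDATE, DELETE ON appowner.orders TO app_role;

-- 2. Grant the role to the end user, but remove it from the user's default
--    role set so it is NOT enabled merely by logging in (e.g. from SQL*Plus).
GRANT CREATE SESSION TO scott;
GRANT app_role TO scott;
ALTER USER scott DEFAULT ROLE ALL EXCEPT app_role;

-- 3. As scott, connected with any client: the role is granted but not enabled.
SELECT role FROM session_roles;          -- app_role is not listed
SELECT COUNT(*) FROM appowner.orders;    -- ORA-00942: table or view does not exist
SET ROLE app_role;                       -- ORA-01979: missing or invalid password for role

-- 4. As scott, from the application, which supplies the role password:
SET ROLE app_role IDENTIFIED BY AppRolePw1;
SELECT role FROM session_roles;          -- app_role is now listed
SELECT COUNT(*) FROM appowner.orders;    -- succeeds

-- 5. Enablement is session-scoped: disabling the role, or disconnecting,
--    drops the privileges again. SET ROLE NONE disables every role in
--    this session, default roles included.
SET ROLE NONE;
```

Step 3 is the check to run after deploying the scheme: a direct login must show the role absent from SESSION_ROLES and SET ROLE must fail without the password. Note, as the thread already observes, that the role password has to be present in the client somewhere; encrypting the string only moves the problem, because the key and the decryption routine ship in the same binary, so this raises the effort of recovering it rather than removing the exposure.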