Re: Security Hole on oracle server 7.x & 8.x
Christophe,
I think you are wrong.
>SERVER_B > sqlplus pipo/foo@ora_base
>SQL> connect / as sysdba;
>Connected.
>SQL>
When you give the command 'connect / as sysdba' on SERVER B, you are
really connecting to the default database on server B.
To make sure which database you are connecting to, run the following
command:
select * from v$database;
Cheers,
Amulya
Christophe GOBERT wrote:
> I found something strange with ORACLE 8 server that I consider to be a
> security hole.
>
> Suppose you have 2 servers, A & B.
>
> On server A, there is an ORACLE8 server on which you have an oracle
> account with no special privilege.
> sid: ora_base
> user: pipo
> password: foo
>
> On unix server B, you have the ability to create a unix user who belongs
> to the dba unix group. (This server can be a linux laptop which you have
> plugged into the network.)
>
> Now if you connect from server B via sqlplus to server A using your
> oracle account, you can become dba on the ora_base database:
>
> SERVER_B > sqlplus pipo/foo@ora_base
> SQL> connect / as sysdba;
> Connected.
> SQL>
>
> That's all ....... just test it ...
>
> The REMOTE_OS_AUTHENT init parameter doesn't seem to have any influence
> on this kind of connection. I don't know if there exists another parameter
> that can fix the problem ... but if someone knows ... please send me the
> solution.
>
> Conclusion:
> You can easily become dba on an ORACLE server if you have an account on
> the database.
>
> PS: sorry for my poor English, but I am a French junior dba.
>
> Christophe GOBERT
Received on Mon Feb 07 2000 - 05:23:10 CST