Subject: Re: Security Hole on oracle server 7.x & 8.x
This is not a bug. When you did the second connect, you disconnected from the
database on server A and connected to the database on server B.
Rick
Christophe GOBERT <willier98_at_yahoo.com> writes:
> I found something strange with ORACLE 8 server that I consider to be a
> security hole.
>
> Suppose you have 2 servers, A & B
>
> On server A, there is an ORACLE8 server on which you have an Oracle
> account with no special privileges.
> sid: ora_base
> user: pipo
> password: foo
>
> On unix server B, you have the ability to create a unix user who belongs
> to the dba unix group. (This server can be a linux laptop which you have
> plugged into the network.)
>
>
> Now if you connect from server B via sqlplus to server A using your
> Oracle account, you can become dba on the ora_base database:
>
> SERVER_B > sqlplus pipo/foo@ora_base
> SQL> connect / as sysdba;
> Connected.
> SQL>
>
> That's all ....... just test it ...
>
> The REMOTE_OS_AUTHENT init parameter doesn't seem to have any influence
> on this kind of connection. I don't know if there is another parameter
> that can fix the problem ... but if someone knows ... please send me the
> solution.
>
> Conclusion:
> You can easily become dba on an ORACLE server if you have an account on
> the database.
>
> ps: sorry for my poor English but I'm a French junior DBA.
>
> Christophe GOBERT
--
Rick Wessman
Security and Directory Technologies
Server Technologies
Oracle Corporation
rwessman_at_us.oracle.com
The statements and opinions expressed here are my own and do not necessarily represent those of Oracle Corporation.

Received on Mon Feb 07 2000 - 07:40:44 CST
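A way to confirm what Rick describes, added here as an example and not part of either post: a `connect / as sysdba` with no connect string is a local connection to the instance named by ORACLE_SID on the machine running SQL*Plus, authenticated by membership in the dba OS group, so asking the new session where it is settles the question. It assumes SQL*Plus on server B, a local instance there, and that the standard views and USERENV attributes used below exist on the reader's Oracle version (they are documented ones, but 8.0 predates some).

```sql
-- Run on server B immediately after:
--   SQL> connect pipo/foo@ora_base
--   SQL> connect / as sysdba
-- The second connect did not escalate the ora_base session; it replaced it.
SELECT instance_name, host_name FROM v$instance;     -- server B's own instance and host, not ora_base on A
SELECT sys_context('USERENV', 'DB_NAME')  AS db_name,
       sys_context('USERENV', 'ISDBA')    AS isdba    -- TRUE because the OS user is in the dba group locally
  FROM dual;

-- Why REMOTE_OS_AUTHENT looked irrelevant: it only governs OS-authenticated
-- *remote* logins, and OS authentication for SYSDBA is local-only anyway.
-- SYSDBA over the network to ora_base needs a password-file account, which
-- is controlled on server A by:
SHOW PARAMETER remote_login_passwordfile   -- NONE: no SYSDBA over the net at all
SHOW PARAMETER remote_os_authent           -- keep FALSE so client-side OS identity is never trusted

-- For comparison, a SYSDBA connection that really targets server A must name it
-- and present a password-file credential; "/" over the network is not accepted:
--   SQL> connect sys/<sys_password>@ora_base as sysdba
```

The lesson for an audit of such a report is to check `v$instance` (or `host_name`) before concluding that privilege was gained on the remote database.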