Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Security problem

From: Graham Bleach <itdcgb_at_its.spamfree.hants.gov.uk>
Date: Fri, 11 Feb 2000 16:17:05 -0000
Message-ID: <881ch7$cu3$1@news.hants.gov.uk>


If you're referring to queries based on the v$sql... views, then you can do:

REVOKE monitorer FROM public;

(The utl_montr script creates the monitorer role and grants it to public)

If they're really determined to get into your application and have the skills, they will do it, eventually (they could probably still catch the role passwords on the network).

I think you should work on the assumption that someone will find an alternative route to your application objects and put some auditing in place.

BTW you can use the PRODUCT_... tables to prevent access via SQL*Plus for certain people. This may be true for other client-side apps.

> Even with encrypted passwords, a user can run any of the SQL monitoring
> utilities to detect all your secure passwords, codes and role-enabling
> statements. I don't know the way to avoid this. Therefore I suggest never
> using any kind of application-level restrictions. All security measures
> should always be performed by standard Oracle ways. As far as I know,
> Oracle doesn't allow restricting access by the applications.
>
> --
> Is There A God Or Any Kind Of Justice Under The Sky... (Queen'91)
>
> Igor V. Podolsky (igoryok_at_soft-review.kiev.ua)
>
>
Received on Fri Feb 11 2000 - 10:17:05 CST
