Re: Security problem
If you're referring to queries based on the v$sql... views, then you can do:
REVOKE monitorer FROM public;
(The utl_montr script creates the monitorer role and grants it to public)
If they're really determined to get into your application and have the skills, they will do it, eventually (they could probably still catch the role passwords on the network).
I think you should work on the assumption that someone will find an alternative route to your application objects and put some auditing in place.
BTW you can use the PRODUCT_... tables to prevent access via SQL*Plus for certain people. This may be true for other client-side apps.
> Even with encrypted passwords, a user can run any of the SQL monitoring
> utilities to detect all your secure passwords, codes and role-enabling
> statements. I don't know the way to avoid this. Therefore I suggest never
> using any kind of application-level restrictions. All security measures
> should always be performed by standard Oracle ways. As far as I know,
> Oracle doesn't allow restricting access by the applications.
>
> --
> Is There A God Or Any Kind Of Justice Under The Sky... (Queen'91)
>
> Igor V. Podolsky (igoryok_at_soft-review.kiev.ua)
>
>
Received on Fri Feb 11 2000 - 10:17:05 CST