
Re: Help: database security

From: Sybrand Bakker <postbus_at_sybrandb.demon.nl>
Date: Sun, 26 Nov 2000 16:08:38 +0100
Message-ID: <8vsu7m$5o925$1@ID-62141.news.dfncis.de>

I don't understand why you reject *all* my suggestions. Using an ops$ account would allow you to use 'connect / ' in the Pro*C program. As literals are usually stored legibly in the executable and you state the user connecting is 'very privileged' (which is of course definitely a bad idea), using the ops$ mechanism (aka OS authentication) doesn't expose a username and a password anymore.

Regards,

Sybrand Bakker, Oracle DBA

"Wilko" <Wilko_at_yoa.com> wrote in message news:8vl4k0$hh316_at_inetbws1.citec.com.au...
> Thanks for this help but it doesn't solve
> my problem.
>
> I have a HTML page that calls an API which is
> written in Pro C. Inside the Pro C code contains
> the connect statement which includes the username
> and password.
>
> No one from the outside can see this information.
> My problem is I want to stop programmers knowing
> a username and password to the database.
>
> The user that is connecting in the Pro C needs a
> fair level of privs. So therefore a programmer can
> look at the Pro C code and use the username and
> password of the very privileged user.
>
> Is there a way around this?
>
> Thanks,
> Chris
>
> In article <8vj0jd$90h$1_at_nnrp1.deja.com>, sybrandb_at_my-deja.com wrote:
> >In article <8vi893$hh315_at_inetbws1.citec.com.au>,
> > Wilko_at_yoa.com (Wilko) wrote:
> >> Hi All,
> >>
> >> I want to stop programmers being able to log into
> >> the production database and making changes.
> >>
> >> How can I keep the login/password secret when
> >> it is hard coded into the API that connects to the
> >> database.
> >>
> >> I know don't hard code it. But what is the alternative?
> >>
> >> Thanks,
> >> Chris
> >>
> >
> >1 force the users to enter a username and a password
> >2 use a fixed Oracle user and develop your own login mechanism (see
> >http://osi.oracle.com/~tkyte)
> >3 use ops$ accounts
> >4 put passwords on the roles in use. I have a feeling though in this
> >case they would again hardcode it in the app
> >
> >Hth,
> >
Received on Sun Nov 26 2000 - 09:08:38 CST
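
The ops$ (OS authentication) setup suggested in the reply, sketched as an added example that is not part of either poster's message. The account name `ops$webapi` and the `app_owner` tables are hypothetical, and the script assumes the Pro*C program runs as the OS user `webapi` on the database host.

```sql
-- Added example: OS-authenticated, least-privilege account for the API.
-- ops$webapi, app_owner.orders and app_owner.customers are hypothetical names.

-- 1. Check the account-name prefix and whether OS authentication is
--    trusted over the network. os_authent_prefix defaults to OPS$;
--    remote_os_authent should be FALSE so that only local OS logins
--    on the database host are trusted.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- 2. Create the account without any database password. Oracle maps the
--    OS user "webapi" to this account when the program issues 'connect /'.
CREATE USER ops$webapi IDENTIFIED EXTERNALLY;

-- 3. Grant only what the API needs instead of a "very privileged" login.
GRANT CREATE SESSION TO ops$webapi;
GRANT SELECT, INSERT ON app_owner.orders    TO ops$webapi;
GRANT SELECT         ON app_owner.customers TO ops$webapi;

-- 4. Audit: list externally authenticated accounts
--    (authentication_type is available in DBA_USERS from 11g onward).
SELECT username, account_status
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL';

-- 5. Audit: confirm the account holds no system privilege beyond
--    CREATE SESSION and no roles.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'OPS$WEBAPI';

SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'OPS$WEBAPI';
```

With this in place the executable contains no credential literal; access to the database account then depends on who can log in as, or run code as, the `webapi` OS user on the server.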
