Re: need better security with SQL*Net and ORASRV

From: Tony Jambu <aaj_at_cmutual.com.au>
Date: 3 Nov 92 04:10:14 GMT
Message-ID: <1992Nov3.041014.29016_at_cmutual.com.au>


In article <1992Nov2.135623.18274_at_cs.umb.edu>, pytlik_at_ra.cs.umb.edu (Marek Pytlik) writes:
> >>
> >> My problem is with the ORASRV process running I cannot prevent (at
> >> least so far) ANY user from ANY other system running Oracle from gaining
> >> access to MY system's Oracle via SQL*Net. The ORASRV process allows
> >> access to OPS$ user accounts on other systems if the username is the
> >> same.
> >
> >For what you want to do, it is possible by starting up your orasrv using
> > "orasrv opsoff"
>
> so here your OPS$login functionality goes down the drain, and each user
> logging into the database has to type username/password over and over.
>

No, what this means is that you are unable to use OPS$login if you are coming across the network, i.e. using SQL*Net. You can still use OPS$login if you are running your program on the host machine (i.e. you are logged on to the host).

> >
> >Access using OPS$user_account via SQL*Net is the least of your worries.
>
> why do you think so?

As explained below.  

>
> >You should be more concerned about remote access using remote SQLDBA
> >
> > SQLDBA> Connect internal
> > or even
> > SQLDBA> shutdown abort
> >
> >I won't go into details about how this is done, but to avoid this probable security
> >breach, I suggest that you start up your orasrv using
> >
> > "orasrv opsoff dbaoff"
> >
>
> I understand that pre-2.0 SQL*Net has problems with security on some platforms.
> I have experienced that myself on Oracle under Unix. I don't know how this
> is worked out in SQL*Net 2.0. Hope they fixed it up.
>

With Oracle 7/SQL*Net V2, you have to connect to the database before you are allowed to carry out any DBA commands in SQLDBA, e.g. startup or shutdown. This fixes up a small security hole in the current version of SQL*Net.

You are not allowed to connect internal through SQL*Net if you are not on the host machine, no matter what your orasrv DBAON/DBAOFF setting is (V7/Net V2).

With - orasrv DBAON and 
     - you are using TWO_TASK and
     - you are on the host machine 

you are still able to connect internal. This is disabled if you start up orasrv with DBAOFF. The message you will get is   ORA-01031: insufficient privileges

To connect to the database, you will need to specify your name/password.

-- 
 _____       ________ / ____ |Tony Jambu, Database Administrator
  /_  __       /_ __ /       |Colonial Mutual Life Australia. (ACN 004021809)
 /(_)/ ((_/ \_/(///(/_)/_(   |EMAIL:  TJambu_at_cmutual.com.au
 \_______/                   |PHONE:  +61-3-6076448       FAX:  +61-3-6076198
Received on Tue Nov 03 1992 - 05:10:14 CET