Re: How to disable '$' DCL shell?
Date: Sat, 07 Nov 92 21:02:10 EST
Message-ID: <B7DwTB3w165w_at_vicuna.ocunix.on.ca>
Steve Frampton <frampton_at_vicuna.ocunix.on.ca> wrote:
> Hi everyone:
>
> I would like to find out how to disable the '$' shell to DCL from SQLPLUS
> for the comp. services dept. _at_ my place of employment. This seems to be
> somewhat of a security hole and if there is a simple way to disable users
> from accessing it how is it done?
As promised, I am following up here with a summary. Special thanks to all who responded:
sinha_at_bms.com, rsingi_at_penuts.enet.dec.com, rwk_at_netcom.com, hatzinger_m_at_bmwf1f.bmwf.gv.at, jbennett_at_netcom.com, andy_at_homebase.vistachrome.com ...and anyone else who happened to respond just during or afterI put together this followup.
Although the above people could have told me to RTFM (someone told me that the information was in Appendix E of the SQL*Plus manual -- but gave me the pertinent information anyways), they were all very helpful, telling me basically to add an entry to the 'PRODUCT_USER_PROFILE' table to disable any required commands for unauthorized users.
The trick is to log into ORACLE as system and insert the required info into the table similar to:
insert into PRODUCT_USER_PROFILE
(PRODUCT,USERID,ATTRIBUTE,CHAR_VALUE) values ('SQL*Plus','OPS%','HOST','DISABLED');
'SQL*Plus' must be entered in exactly as shown, and the userid as well as the attribute (command) must be entered in uppercase. The userid may be a specific userid, or wildcards can be used as well.
To re-enable a command simply delete the row from the database.
It was also suggested that I should make sure other users do not have access to the PRODUCT_USER_PROFILE table or they would be able to simply circumvent any changes made!
Thanks again for all the timely and helpful responses!
+-----------------------------------------------+--------------------+ | Steve Frampton - frampton_at_vicuna.ocunix.on.ca | Steve Frampton | | I collect postcards! If you send me one from | 501-A Princess St. || your area, I'll send one in return. Send to >| Kingston, Ontario | | (Don't forget both email and mailing address) | CANADA K7L 1C3 |
+-----------------------------------------------+--------------------+Received on Sun Nov 08 1992 - 03:02:10 CET