Re: OPS$LOGIN : security hole?

From: Marek Pytlik <pytlik_at_ra.cs.umb.edu>
Date: 17 Dec 92 01:55:56 GMT
Message-ID: <1992Dec17.015556.29554_at_cs.umb.edu>


In article <8aT=R#A_at_engin.umich.edu> lwk_at_engin.umich.edu (Lewis W Kellum) writes:
>In article <1992Dec15.144220.25349_at_relay.nswc.navy.mil> rlarson_at_nswc-wo.nswc.navy.mil (Ruth Larson) writes:
>>
>>Steve Schow writes:
>>>We routinely use the OPS$LOGIN feature of Oracle for all of our users. This
>>>way they don't have to worry about anything once they are logged onto the
>>>UNIX machine. They just type program / to run it with their UNIX login info.
>>>
>>>Question:
>>>
>>>When we create a new user as follows:
>>>
>>> grant connect to ops$user identified by bogus;
>>>
>>>and we actually use the word 'bogus' as the oracle password.
>>>
>>>Does this mean that user ops$user could login to Oracle with either
>>>the /, which would use his UNIX login info, or with 'bogus' as the
>>>password?
>>
>>Yes, this is EXACTLY the case.
>>
>>>Could a user go into sql*plus with any convenient name and type
>>>
>>> connect ops$user/bogus
>>>
>>>to get into that user's oracle account
>>
>>Again, Yes.
>>
>>>We routinely use bogus to define new oracle users, but I am concerned about
>>>security loopholes. We also use a number of macintosh client products that
>>>use the ops$user with the UNIX password to login. I am beginning to think
>>>that we should make sure that the Oracle password is the same as the UNIX
>>>password and NOT use bogus for everyone?!@#%
>>
>>I would NOT suggest making the Oracle password the same as the system password.
>>In many systems the logon password should only be known by the individual
>>user. However, there's no need for *anyone* to have to know the ops$ password
>>for an individual user - he/she doesn't need to know it, and the DBA can
>>always reset it without the user even being aware that it has been reset.
>>So use something random, and different for each ops$ account. I like to pick
>>a 3 or 4 digit (or larger) number and then spell it out in words. Example:
>>two_thousand_three_hundred_eleven. *Nobody* including you will remember
>>*that*, and it's pretty hard to guess!
>
>Here's another question: If I know Mr.Schow's unix login id, and the internet
>hostname of his Oracle server, what keeps me from creating his login id
>on my host and connecting to his ops$ oracle account? - Woody Kellum

The SID of the database that is running on that machine. You have to know that to use the connect string.

The subject of the security hole in using OPS$ logins on Unix was discussed on this newsgroup before, so you may want to look for some archives of that group (if such exist).
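As an added illustration, not taken from any poster in this thread, here is the weak pattern the thread discusses placed beside the per-account alternative Ruth describes, in Oracle SQL. The account name ops$jsmith and the spelled-out password are constructed sample values; the IDENTIFIED EXTERNALLY form and the DBA_USERS check are assumptions about Oracle7-era and later syntax and are not something the thread itself states.

```sql
-- Weak pattern from the thread: every OPS$ account gets the same guessable
-- password, so "connect ops$jsmith/bogus" works from any OS login and any
-- client, regardless of who the UNIX user really is.
GRANT CONNECT TO ops$jsmith IDENTIFIED BY bogus;

-- Pattern Ruth describes: a random, per-account password that nobody needs to
-- know, since the user still connects with "/". Generate the value outside
-- the database; the spelled-out number below is a constructed sample.
-- Caveat: a 3-4 digit number is only a few thousand candidates, so prefer a
-- longer random value (Oracle of this era caps passwords at 30 characters).
ALTER USER ops$jsmith IDENTIFIED BY four_thousand_ninety_one;

-- Assumed Oracle7+ syntax, not discussed in the thread: remove the password
-- path entirely, so the account is reachable only through OS authentication.
ALTER USER ops$jsmith IDENTIFIED EXTERNALLY;

-- DBA check (assumption: Oracle 7 through 10g show the literal 'EXTERNAL' in
-- DBA_USERS.PASSWORD for externally identified users; later releases expose
-- an AUTHENTICATION_TYPE column instead). Lists OPS$ accounts that still
-- carry a database password and therefore a second way in.
SELECT username
  FROM dba_users
 WHERE username LIKE 'OPS$%'
   AND password <> 'EXTERNAL';
```

Whether a client on another host may use OS authentication at all, which is the concern Woody raises, is governed separately by the database's REMOTE_OS_AUTHENT initialization parameter (an assumption about Oracle7 and later, not stated in the thread); leaving it at its default of FALSE means a "/" connection is only honoured for sessions on the database host itself.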