Re: Question about OPS$LOGIN and Oracle Passwords
Date: 17 Dec 92 21:31:05 GMT
Message-ID: <dave.724627865_at_base>
lev_at_ipxed5.nswses.navy.mil (Lloyd E Vancil) writes:
>In article <1992Dec14.200952.22697_at_netcom.com> sjs_at_netcom.com (Stephen Schow) writes:
>>We routinely use the OPS$LOGIN feature of Oracle for all of our users. This
>>way they don't have to worry about anything once they are logged onto the
>>UNIX machine. They just type program / to run it with their UNIX login info.
>>
>>Question:
>>
>>Could a user go into sql*plus with any convenient name and type
>>
>> connect ops$user/bogus
>>
>>to get into that user's oracle accoun
>Emphatically YES
>This is a known security hole in the OPS$ user under oracle 6.
>I am not aware of the fix if any in trusted oracle or in
>oracle7.

The syntax in ORACLE7 would be:

    create user <user_name> identified externally;

The <user_name> would be something of the order OPS$DAVE, i.e.

    create user ops$dave identified externally;

This would create a database user called ops$dave identified by the
operating system userid of dave.

However, you could specify

    os_authent_prefix=""

in the init.ora file so that OPS$ would not be necessary, the same
definition would then be

    create user dave identified externally;

This would create a database user called dave identified by the
operating system userid of dave.

To prevent these accounts from being used over a network, set the
following init.ora parameter

    remote_os_authent=false

(I'm not sure that I remember the name exactly)

Hope this helps,
Dave Dargo (ddargo_at_oracle.com)
Received on Thu Dec 17 1992 - 22:31:05 CET
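
A configuration check for the two init.ora parameters discussed in this message, as an added example that is not part of the original post and is not Oracle's code: it reads init.ora text, applies Oracle's defaults when a parameter is absent (OPS$ prefix, remote_os_authent FALSE), and reports which database account each OS login maps to. The function names and the sample file contents are constructed for illustration.

```python
import re

# Values Oracle uses when a parameter is absent from init.ora.
DEFAULTS = {"os_authent_prefix": "OPS$", "remote_os_authent": "FALSE"}

# Constructed sample init.ora fragment (not from the post).
SAMPLE_INIT_ORA = '''
db_name = PROD
os_authent_prefix = ""      # drop the OPS$ prefix
remote_os_authent = true    # OS logins asserted by network clients are trusted
'''

def parse_init_ora(text):
    """Return the effective values of the two parameters; the last setting wins."""
    params = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # '#' starts a comment
        m = re.match(r"(\w+)\s*=\s*(.*)$", line)
        if m and m.group(1).lower() in params:
            params[m.group(1).lower()] = m.group(2).strip().strip("\"'")
    return params

def audit(text, os_users):
    """Map each OS login to its externally identified account and list findings."""
    p = parse_init_ora(text)
    accounts = {u: (p["os_authent_prefix"] + u).upper() for u in os_users}
    findings = []
    if p["remote_os_authent"].upper() == "TRUE":
        findings.append("remote_os_authent is TRUE: set it to FALSE so these "
                        "accounts cannot be used over a network")
    return accounts, findings

if __name__ == "__main__":
    accounts, findings = audit(SAMPLE_INIT_ORA, ["dave"])
    print(accounts)
    for f in findings:
        print("FINDING:", f)
```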