Re: Database Links and security

In article 23nmh7INNjnq_at_gap.caltech.edu, dbikle_at_cco.caltech.edu (Daniel B. Bikle) writes:
>ttg242_at_newton.sps.mot.com (David Thornewill von Essen) writes:
>
>>In article mla_at_132.203.6.11, mla_at_132.203.6.11 (Michel Lalonde) writes:
>>>If we create the database link with the 'connect to' option,
>>>password changing for those super-users can by managed by a dba
>>>but then, anyone who can read the data dictionnary ('select any
>>>table' is so practical for developers), can read the password ...
>>>Is there any known solution ...
>>>
>>How are they going to read the password??? Only the DBA has access
>>to encrypted values of the password (not the password itsself), and
>>I wouldn't recommend placing production tables in a DBA account,
>>or am I missing something??
 

>>Regards,
>>David TvE
>
>David,
>
>Michel is correct:
>
>23:33:18 avalon-v7sql> CREATE DATABASE LINK avalink2
>23:34:25 2 CONNECT TO scott IDENTIFIED BY tiger
>23:34:28 3 USING 'ava2_x7'
>23:34:32 4 /
>
>
>Database link created.
>
>23:34:33 avalon-v7sql> select * from USER_DB_LINKS;
>

I'm still not convinced that this is a problem. You performed your select on USER_DB_LINKS, which indeed shows the password. However USER_DB_LINKS can only be seen by the respective user and why shouldn't he be able to see his own passwords. If you perform the 'SELECT...' on the publicly available ALL_DB_LINKS the password is _not_ displayed. So why not just create a PUBLIC db_link and your problem is solved. Or again, am I missing something else???

Regards,
David TvE

---
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
David Thornewill von Essen                           Sr. Systems Analyst
Motorola ASIC Division                            I don't speak for Mot.
Chandler, AZ-85224                                   fax: (602) 814-4451
email: ttg242_at_email.sps.mot.com                      tel: (602) 814-4395
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-