Re: Trojan Horses in ORACLE 6 SQL*net connections

From: Andrew Jones (lrpr_at_unb.ca) <LRPR_at_UNB.CA>
Date: Wed, 15 Sep 1993 19:05:01 GMT
Message-ID: <15SEP93.16290407.0055_at_UNBVM1.CSD.UNB.CA>


In article <277f50$eou_at_pandora.sdsu.edu> oliver_at_io.nosc.mil (George Oliver) writes:
>I have a forms application that I developed for Macintoshes going against
>a Sun SS2 running ORACLE6. The application had to have as much security
>as was available at the time. So, I controlled access to the data by
>controlling the account the users log into. Essentially use the discretionary
>access control that is available in ORACLE6. In these accounts, I create
>synonyms that point to views in a master account. In the master account,
>the views are on the tables that the users ultimately access. So, with
>the views, I can control access to what data the user sees. On the tables,
>I can limit the kind of access the users have (select,insert,update,delete)
>and can also limit what columns can be affected (update option only). This
>application was coupled with an extensive administration package that can
>create and modify user accounts and thus access to the data. On the front
>end side, I use menu roles and several different forms that correspond
>to the pseudo-roles I set up on the server.
>
>I don't know whether this completely addresses your problem but I thought it
>might help give you some ideas. If you have any questions, go ahead and
>email me or post to this news group.
>
>Regards,
>Geo.
>

    This is generally what I had planned. The problem, of course, is that a reasonably sophisticated user might get hold of the Oracle user ID and password that the application uses to log in (at least, I haven't figured a way to prevent it, if they do something like log the network traffic for their workstation with a LAN sniffer or somesuch piece of software). The users, BTW, are clients outside my organization with PC's they have complete control of. Then, the Oracle permits that the user has for the application will allow them to do the same kinds of update using their own homegrown forms app. I think the product_user_profile table can limit what tools they can access with; I'm not sure if I can prevent 3rd party tools from working but oracle claims I can shut down sql*plus, for example. The problem is that in version 6 I don't have triggers to enforce referential integrity such as: "an insert to table A must only be done in conjunction with an insert to table B and an update to the correct column of table C". And version 7 is not an option, because it's not released with the procedural option for my platform yet (despite the salesperson's promises...).

  Andrew Jones (LRPR_at_UNB.CA) "##include <standard disclaimer>"


|   "Give up, Earthlings!  Your superior   |
|  intelligence is no match for our puny   |
|  weapons!"                               |
|    (The Simpsons' Halloween II Aliens)   |
 ------------------------------------------
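The layered scheme discussed above (master account owns the tables and views, per-user accounts hold only synonyms and narrow grants, PRODUCT_USER_PROFILE to shut down SQL*Plus) as an added SQL sketch; this is not code from either poster, and the table, view and account names, the CLIENT_MAP lookup and the passwords are assumed for illustration.

```sql
-- Added illustration, not from the thread. Names and passwords are assumed.
-- 1. The master account owns the base tables; nobody else touches them.
CONNECT master/<password>
CREATE TABLE orders (
  order_id   NUMBER PRIMARY KEY,
  client_id  NUMBER NOT NULL,
  status     VARCHAR2(10),
  amount     NUMBER
);
-- Maps each Oracle login to the client whose rows it may see.
CREATE TABLE client_map (
  db_user    VARCHAR2(30) PRIMARY KEY,
  client_id  NUMBER NOT NULL
);
INSERT INTO client_map VALUES ('CLIENT42', 42);   -- constructed sample row

-- 2. The view limits rows to the caller's own client (USER is Oracle's
--    pseudocolumn for the session's login) and exposes only safe columns.
--    WITH CHECK OPTION stops an update from moving a row out of the view.
CREATE VIEW client_orders_v AS
  SELECT o.order_id, o.status, o.amount
    FROM orders o
   WHERE o.client_id = (SELECT m.client_id FROM client_map m
                         WHERE m.db_user = USER)
  WITH CHECK OPTION;

-- 3. The per-user account gets SELECT on the view and UPDATE on one column.
GRANT SELECT, UPDATE (status) ON client_orders_v TO client42;

-- 4. In the user account a private synonym hides the owning schema, so the
--    forms application simply refers to CLIENT_ORDERS.
CONNECT client42/<password>
CREATE SYNONYM client_orders FOR master.client_orders_v;

-- 5. Even with the account's password, an ad hoc tool is bounded by the
--    grants: the first statement works, the second fails with
--    ORA-01031 (insufficient privileges) because AMOUNT was never granted.
UPDATE client_orders SET status = 'SHIPPED' WHERE order_id = 1;
UPDATE client_orders SET amount = 0       WHERE order_id = 1;

-- 6. PRODUCT_USER_PROFILE rows disable named SQL*Plus commands for a login.
--    Only SQL*Plus consults this table, so it does not bind third-party tools.
CONNECT system/<password>
INSERT INTO product_user_profile (product, userid, attribute, char_value)
  VALUES ('SQL*Plus', 'CLIENT42', 'HOST', 'DISABLED');
```

The multi-table invariant Andrew wants ("insert into A only together with insert into B and update of C") is not expressible with grants alone; without triggers the enforcement has to live in the application, which is exactly what a sniffed password lets a user bypass.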
Received on Wed Sep 15 1993 - 21:05:01 CEST
