? security leak in Oracle7.1 on WindowsNT ?

From: Reinhard Kuhn <rek_at_cas-ps.com>
Date: 1995/08/31
Message-ID: <4244e6$om6_at_fred.cas-ps.com>#1/1


I'm using Oracle7 Server Release 7.1.3.3.6 - Production Release on WindowsNT 3.5.1.

After adding the value DBA_AUTHORIZATION:REG_SZ:BYPASS to the NT registry key /HKEY_LOCAL_MACHINE/SOFTWARE/ORACLE, sqldba allows me to 'connect internal' without password checking.
(Without the entry, a password is required to connect internal.)

The problem is that, AFAIK, ANY(!?) user with permission to 'log on locally' can edit this part of the registry and so can 'grant' himself unlimited access to the database.

Do you consider this to be a security leak, or do you know how to prevent a 'normal' user from manipulating this part of the registry? Is this behaviour a feature or a bug that will be fixed in coming releases?

(Interestingly, when I tried the same entry on Oracle7 Workgroup Server Release 7.1.3.3.3 - Production Release on WinNT3.5, it seemed to have no effect; the sqldba of this release ignores the entry and still requires a password to connect internal.)

Thanks

-- 
    _/_/_/   _/_/_/ _/    _/  // Reinhard Kuhn             /  It can be      
   _/    _/ _/     _/  _/    //         (kuhn_at_cas-ps.com) /  done quickly,   
  _/_/_/   _/_/_/ _/_/      // CAS GmbH                  /  cheaply or well  
 _/  _/   _/     _/  _/    // Lemberger Strasse 14      /   - pick any two!  
_/   _/  _/_/_/ _/    _/  // 66955 Pirmasens, Germany  /   
                                   
Received on Thu Aug 31 1995 - 00:00:00 CEST
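
An added example, not part of the original post and not Oracle tooling: a PowerShell audit of the key the post names. It reports whether DBA_AUTHORIZATION is set to BYPASS and which principals outside a trusted list hold write-capable rights on the key. It assumes a Windows host where PowerShell is available (it is not on NT 3.5.1); the function name and the trusted-principal list are assumptions, while the key path and value name are taken from the post.

```powershell
# Added example: audit the registry key named in the post.
# Assumptions: function name and $trusted list are illustrative, not from the post.
function Test-OracleDbaBypass {
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\ORACLE',  # key from the post
        [string]$ValueName = 'DBA_AUTHORIZATION'       # value from the post
    )

    if (-not (Test-Path -Path $KeyPath)) {
        return [pscustomobject]@{ KeyPresent = $false; BypassSet = $false; WritableBy = @() }
    }

    # 1. Is the value present and set to BYPASS?
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $bypassSet = ($null -ne $prop) -and ($prop.$ValueName -eq 'BYPASS')

    # 2. Rights that let a principal add or change values, or rewrite the ACL.
    $rr = [System.Security.AccessControl.RegistryRights]
    $writeMask = [int]$rr::SetValue -bor [int]$rr::CreateSubKey -bor
                 [int]$rr::ChangePermissions -bor [int]$rr::TakeOwnership -bor
                 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE (raw ACE bits)

    # Principals expected to hold write access (assumed baseline; adjust per site).
    $trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

    $writable = (Get-Acl -Path $KeyPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.RegistryRights -band $writeMask) -ne 0 -and
        $trusted -notcontains $_.IdentityReference.Value
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        KeyPresent = $true
        BypassSet  = $bypassSet
        WritableBy = @($writable)   # empty when only trusted principals can write
    }
}

# Report for the local machine.
Test-OracleDbaBypass | Format-List
```

A non-empty `WritableBy` means principals outside the trusted list can create or change the value; `BypassSet` being true means the password check for 'connect internal' is currently disabled in the way the post describes.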
