Re: ? security leak in Oracle7.1 on WindowsNT ?

From: Akira Hashimoto <akira_at_st.jip.co.jp>
Date: 1995/09/08
Message-ID: <1995Sep8.041420.22699_at_st.jip.co.jp>#1/1


In article <DEC2qq.4H3_at_inter.NL.net>, Kees Verruijt <kees_at_redwood.nl> says:
>
>>
>> I'm using Oracle7 Server Release 7.1.3.3.6 - Production Release
>> on WindowsNT 3.5.1.
>>
>> After adding the value DBA_AUTHORIZATION:REG_SZ:BYPASS
>> to the NT-registry-key /HKEY_LOCAL_MACHINE/SOFTWARE/ORACLE
>> sqldba allows me to 'connect internal' without password checking.
>> ( Without the entry a password is required to connect internal )
>>
>> The problem is, that AFAIK ANY(!?) user with permission to
>> 'log on locally' can edit this part of the registry and so
>> can 'grant' himself unlimited access to the database.
>>
>> Do you consider this to be a security leak or do you know how to
>> prevent a 'normal' user from manipulating this part of the
>> registry? Is this behaviour a feature or a bug that will be fixed
>> in coming releases?
>>
>> ( Interestingly, as I tried the same entry on
>> Oracle7 Workgroup Server Release 7.1.3.3.3 - Production Release
>> on WinNT3.5 it seemed to have no effect, the sqldba of this release
>> ignores the entry and still requires a password to connect internal. )
>
>I suppose you mistyped something: we're using 7.1.3.3.3 and it
>works fine with the BYPASS value (ie without requiring the password).
>
>>
>> Thanks

Well, you may find the menu called "Security" in REGEDT32.EXE, and restrict editing of a key.

Received on Fri Sep 08 1995 - 00:00:00 CEST
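A scripted form of the check discussed in this thread, as an added example that is not part of the original posts: it reports whether the `DBA_AUTHORIZATION` value is set to `BYPASS` and which non-administrative principals hold write access to the key. It assumes a current Windows host with PowerShell; the list of trusted principals is an assumption to adjust for the site.

```powershell
# Added example (not from the thread): audit the registry key named in the post.
$keyPath   = 'HKLM:\SOFTWARE\ORACLE'   # key named in the post
$valueName = 'DBA_AUTHORIZATION'       # value named in the post

# Assumption: only these principals should be able to modify the key.
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that let a principal add or change a value, or loosen the ACL itself.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Output "$keyPath is not present; nothing to audit."
    return
}

# 1. Is the password bypass currently switched on?
$current = (Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -eq 'BYPASS') {
    Write-Warning "$valueName is set to BYPASS under $keyPath."
} else {
    Write-Output "$valueName is not set to BYPASS."
}

# 2. Who outside the trusted list could set it?
# Limitation: ACEs expressed only as generic rights are not matched by this mask.
$acl   = Get-Acl -LiteralPath $keyPath
$risky = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.RegistryRights -band $writeMask) -ne 0) -and
    ($trusted -notcontains $_.IdentityReference.Value)
}

if ($risky) {
    Write-Warning "Principals outside the trusted list can modify ${keyPath}:"
    $risky | Select-Object IdentityReference, RegistryRights, IsInherited | Format-Table -AutoSize
} else {
    Write-Output "No write access to $keyPath found outside the trusted list."
}
```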
