password file [message #62838] Wed, 18 August 2004 22:10
Ayham Wafai
Messages: 5
Registered: August 2004
Junior Member
Can anyone with sufficient OS and/or network privs log on to an Oracle server, delete the old password file, create a new password file with a new password for user internal, and log on to the database with the new password? Isn't that a great breach of security to the database? How can that be prevented?

Thank you.
Re: password file [message #62845 is a reply to message #62838] Thu, 19 August 2004 01:08
Daljit Singh
Messages: 290
Registered: October 2003
Location: Texas
Senior Member
Hi,

Well, according to me, the database and OS both work along with each other to provide an adequate level of security. If you say "can any one with sufficient OS and/or network privs", it means the user is a valid OS user, and if he or she deletes the password file, it is definitely a security breach, but in OS management, not in the DB. A valid OS user who belongs to the oracle dba group can enter the DB without specifying any password; he doesn't need to delete and recreate the password file.

To rectify this, create a limited number of OS users who would be members of the oracle dba group. Grant appropriate access rights to the Oracle files, so that only valid users can deal with them.

A strong OS user policy is required here.

Daljit Singh
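
An added example, not part of the original posts and not Oracle's own tooling: a Python check for a Unix-like host of the file permissions and dba group membership that the reply above recommends controlling. The function names are assumptions made for illustration, and the password file path is supplied by the caller.

```python
import grp
import os
import stat
import sys


def group_members(name):
    """Supplementary members of an OS group such as dba ([] if it is absent).

    Accounts whose primary group is `name` are not listed in gr_mem.
    """
    try:
        return sorted(grp.getgrnam(name).gr_mem)
    except KeyError:
        return []


def audit_password_file(pwfile, owner_uid):
    """Return findings for a password file; owner_uid is the Oracle software owner."""
    findings = []
    fst = os.stat(pwfile)
    dst = os.stat(os.path.dirname(os.path.abspath(pwfile)))

    if fst.st_uid != owner_uid:
        findings.append("file not owned by the Oracle software owner")
    if fst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is group- or world-writable")
    if fst.st_mode & stat.S_IROTH:
        findings.append("file is world-readable")

    # Deleting and recreating a file needs write permission on the directory,
    # not on the file, so the directory mode decides who can swap it out.
    if dst.st_uid != owner_uid:
        findings.append("directory not owned by the Oracle software owner")
    others_can_write = dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if others_can_write and not dst.st_mode & stat.S_ISVTX:
        findings.append("directory lets non-owners delete and recreate the file")
    return findings


if __name__ == "__main__":
    # Usage: audit.py <password file> [group]; run it as the Oracle software owner.
    for finding in audit_password_file(sys.argv[1], os.getuid()):
        print("FINDING:", finding)
    group = sys.argv[2] if len(sys.argv) > 2 else "dba"
    print("members of", group + ":", ", ".join(group_members(group)) or "(none listed)")
```

An empty findings list means only the owning account can replace the file through ordinary file permissions; root and members of the dba group remain trusted, as the reply notes.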
PWDORA and ORADIM Security Issues [message #62874 is a reply to message #62838] Fri, 20 August 2004 22:39
Ayham Wafai
Messages: 5
Registered: August 2004
Junior Member
Thank you Daljit, I was quite sure that this would be the issue after the
research I went through. Thank you again for confirming. Your reply
confirmed what I think is a serious problem.

I think this (intentionally or unintentionally) can be a source of trouble,
and Oracle should protect ORAPWD and ORADIM with a mechanism where the old
password must be mentioned in the ORAPWD command for the password file to be
recreated, and old Internal password also must be mentioned in the ORADIM
delete instance command for the instance to be deleted. I am sure you are
aware you can delete an instance and recreate it with a new internal
password which I am sure can send a DBA home upset (furious more like it) at
the end of the day.

Best Regards,

Ayham Wafai
Re: password file [message #62875 is a reply to message #62845] Fri, 20 August 2004 23:09
Ayham Wafai
Messages: 5
Registered: August 2004
Junior Member
Daljit, I don't think the OS user needs to be a part of an Oracle DBA group to be able to tamper with the password file. I am pretty concerned with this security issue and wonder if there is a good theory to prevent that. The same applies to deleting an instance using the command line ORADIM command. How are you dealing with this on production databases? Thank you in advance. Ayham