MIME-Version: 1.0
In-Reply-To: <TU4PR84MB020639612E0EC3826DE052F0CC3B0@TU4PR84MB0206.NAMPRD84.PROD.OUTLOOK.COM>
References: <577D96E8.60502@gmail.com> <CAC540oiLsoSZ+26yqv0ecmFq8P__4+NbGQUPjQgLqGqjZPkEGQ@mail.gmail.com>
 <577DA534.2090905@gmail.com> <CADo_RaP=DgVAr6SsqF8WX+JNsyyBHBCqY+_BtW6XoZT05Kd_Ww@mail.gmail.com>
 <016201d1d808$763be5f0$62b3b1d0$@comcast.net> <CAP79kiTUN+7bixhP30F0CMH90+RdeWtBE7BAWSUH8b3kOvDuLA@mail.gmail.com>
 <CADo_RaMmO1hTeKfD3DoTZuQKLKU5+sbJ11fwm8mHYMUEs5JQmA@mail.gmail.com> <TU4PR84MB020639612E0EC3826DE052F0CC3B0@TU4PR84MB0206.NAMPRD84.PROD.OUTLOOK.COM>
From: Andrew Kerber <andrew.kerber@gmail.com>
Date: Thu, 7 Jul 2016 09:26:58 -0500
Message-ID: <CAJvnOJYUx-597WkN7jxVtk2uBFwqr40VeH_YFP48caKnVBZCcg@mail.gmail.com>
Subject: Re: Passwords in DBA_USERS (Oracle 12c)
To: mark.powell2@hpe.com
Cc: Chris Taylor <christopherdtaylor1994@gmail.com>, 
 "andy@oracledepot.com" <andy@oracledepot.com>, 
 "dimensional.dba@comcast.net" <dimensional.dba@comcast.net>, Mladen Gogala <gogala.mladen@gmail.com>, 
 oracle-l <oracle-l@freelists.org>
Content-Type: multipart/alternative; boundary=001a1149d29893114c05370c7ab7
Sender: oracle-l-bounce@freelists.org
Errors-to: oracle-l-bounce@freelists.org
Precedence: normal
Reply-To: andrew.kerber@gmail.com
--001a1149d29893114c05370c7ab7
Content-Type: text/plain; charset=UTF-8

Yes.  Until programmers learn to include functionality that allows
passwords to be changed easily on the mid tier, the DBA or designated
security personnel must be able to change a password and take it back to
what it was.

On Thu, Jul 7, 2016 at 9:20 AM, Powell, Mark <mark.powell2@hpe.com> wrote:

> Andy, I will disagree that it is absurd for Oracle to allow a means for a
> 'privileged' user to be able to change another's users password hash
> because without such a method how would an existing user with their
> existing password be migrated to another database?
>
> ________________________________
> From: oracle-l-bounce@freelists.org <oracle-l-bounce@freelists.org> on
> behalf of Andy Klock <andy@oracledepot.com>
> Sent: Thursday, July 7, 2016 9:32:56 AM
> To: Chris Taylor
> Cc: dimensional.dba@comcast.net; Mladen Gogala; oracle-l
> Subject: Re: Passwords in DBA_USERS (Oracle 12c)
>
> All your points are valid Chris.  My absurdity comment is about the Oracle
> software allowing someone to log into someone else's account and then reset
> the password back to its previous state. This is a gaping security hole
> that should be filled. Removing PASSWORD from DICTIONARY access was a step
> in the right direction. Those hashes shouldn't be considered unbreakable.
>
> Didn't meant to imply that the Mladen was doing anything wrong.
>
> On Thu, Jul 7, 2016 at 9:16 AM, Chris Taylor <
> christopherdtaylor1994@gmail.com<mailto:christopherdtaylor1994@gmail.com>>
> wrote:
> Having the password "somewhere" is important so I'm not sure if Andy is
> suggesting it's absurd to have it anywhere in the database or not.  But for
> at least one case it's terribly important and that is supporting legacy
> applications.
>
> Sometimes you need to be able to login as an application schema to create
> an object such as a materialized view or database link that is either
> exceptionally difficult or impossible to do UNLESS you are logged in as the
> schema owner.
> The DBA may not have access to the schema password but can preserve the
> password by looking at sys.user$ for the encrypted password, temporarily
> change it, create the object (db link or MV), then change the password back
> without ever affecting the application (or briefly affecting the
> application at least).
>
> Thanks,
> Chris
>
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>


-- 
Andrew W. Kerber

'If at first you dont succeed, dont take up skydiving.'

--001a1149d29893114c05370c7ab7
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Yes.=C2=A0 Until programmers learn to include functionalit=
y that allows passwords to be changed easily on the mid tier, the DBA or de=
signated security personnel must be able to change a password and take it b=
ack to what it was.<br></div><div class=3D"gmail_extra"><br><div class=3D"g=
mail_quote">On Thu, Jul 7, 2016 at 9:20 AM, Powell, Mark <span dir=3D"ltr">=
&lt;<a href=3D"mailto:mark.powell2@hpe.com" target=3D"_blank">mark.powell2@=
hpe.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D=
"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Andy, I wil=
l disagree that it is absurd for Oracle to allow a means for a &#39;privile=
ged&#39; user to be able to change another&#39;s users password hash becaus=
e without such a method how would an existing user with their existing pass=
word be migrated to another database?<br>
<br>
________________________________<br>
From: <a href=3D"mailto:oracle-l-bounce@freelists.org">oracle-l-bounce@free=
lists.org</a> &lt;<a href=3D"mailto:oracle-l-bounce@freelists.org">oracle-l=
-bounce@freelists.org</a>&gt; on behalf of Andy Klock &lt;<a href=3D"mailto=
:andy@oracledepot.com">andy@oracledepot.com</a>&gt;<br>
Sent: Thursday, July 7, 2016 9:32:56 AM<br>
To: Chris Taylor<br>
Cc: <a href=3D"mailto:dimensional.dba@comcast.net">dimensional.dba@comcast.=
net</a>; Mladen Gogala; oracle-l<br>
<span class=3D"">Subject: Re: Passwords in DBA_USERS (Oracle 12c)<br>
<br>
</span><span class=3D"">All your points are valid Chris.=C2=A0 My absurdity=
 comment is about the Oracle software allowing someone to log into someone =
else&#39;s account and then reset the password back to its previous state. =
This is a gaping security hole that should be filled. Removing PASSWORD fro=
m DICTIONARY access was a step in the right direction. Those hashes shouldn=
&#39;t be considered unbreakable.<br>
<br>
Didn&#39;t meant to imply that the Mladen was doing anything wrong.<br>
<br>
</span><span class=3D"">On Thu, Jul 7, 2016 at 9:16 AM, Chris Taylor &lt;<a=
 href=3D"mailto:christopherdtaylor1994@gmail.com">christopherdtaylor1994@gm=
ail.com</a>&lt;mailto:<a href=3D"mailto:christopherdtaylor1994@gmail.com">c=
hristopherdtaylor1994@gmail.com</a>&gt;&gt; wrote:<br>
Having the password &quot;somewhere&quot; is important so I&#39;m not sure =
if Andy is suggesting it&#39;s absurd to have it anywhere in the database o=
r not.=C2=A0 But for at least one case it&#39;s terribly important and that=
 is supporting legacy applications.<br>
<br>
Sometimes you need to be able to login as an application schema to create a=
n object such as a materialized view or database link that is either except=
ionally difficult or impossible to do UNLESS you are logged in as the schem=
a owner.<br>
The DBA may not have access to the schema password but can preserve the pas=
sword by looking at sys.user$ for the encrypted password, temporarily chang=
e it, create the object (db link or MV), then change the password back with=
out ever affecting the application (or briefly affecting the application at=
 least).<br>
<br>
Thanks,<br>
Chris<br>
<br>
<br>
</span>--<br>
<a href=3D"http://www.freelists.org/webpage/oracle-l" rel=3D"noreferrer" ta=
rget=3D"_blank">http://www.freelists.org/webpage/oracle-l</a><br>
<br>
<br>
</blockquote></div><br><br clear=3D"all"><br>-- <br><div class=3D"gmail_sig=
nature" data-smartmail=3D"gmail_signature">Andrew W. Kerber<br><br>&#39;If =
at first you dont succeed, dont take up skydiving.&#39;</div>
</div>

--001a1149d29893114c05370c7ab7--
--
http://www.freelists.org/webpage/oracle-l