Re: Access Limitation
Hi Daniel
a comment in-line:
In article <3E56AAD1.E6B908E4_at_exesolutions.com>, DA Morgan
<damorgan_at_exesolutions.com> writes
>Life Learner wrote:
>
>> Hi there,
>>
>> I'd like to know how to prevent end users from accessing system directly via
>> sqlplus, toad etc, while let them do their work only in application level
>> like forms, proc etc.
>>
>> thx.
>
>There are a number of methods. Among them:
>
>An after logon trigger that checks the connecting software ...
>
>SELECT program
>FROM v_$session;
>
This cannot be easily tricked by just renaming the sqlplus binary to the same name as the binary for the application as the following shows:
oracle:venus> sqlplus sys/change_on_install
SQL*Plus: Release 8.1.7.0.0 - Production on Sat Feb 22 20:47:13 2003
(c) Copyright 2000 Oracle Corporation. All rights reserved.
Connected to:
Oracle8i Enterprise Edition Release 8.1.7.0.0 - Production
With the Partitioning option
JServer Release 8.1.7.0.0 - Production
SQL> create user pete identified by pete;
User created.
SQL> grant create session to pete;
Grant succeeded.
SQL> grant select on v_$session to pete;
Grant succeeded.
SQL> connect pete/pete
Connected.
SQL> select program from v$session
2 where username='PETE';
PROGRAM
SQL> !cp $ORACLE_HOME/bin/sqlplus ./someapp
SQL> exit
Disconnected from Oracle8i Enterprise Edition Release 8.1.7.0.0 -
Production
With the Partitioning option
JServer Release 8.1.7.0.0 - Production
oracle:venus> ./someapp pete/pete
SQL*Plus: Release 8.1.7.0.0 - Production on Sat Feb 22 20:47:13 2003
(c) Copyright 2000 Oracle Corporation. All rights reserved.
Connected to:
Oracle8i Enterprise Edition Release 8.1.7.0.0 - Production
With the Partitioning option
JServer Release 8.1.7.0.0 - Production
SQL> select program from v$session
2 where username='PETE';
PROGRAM
SQL>
I don't have a copy of TOAD here at present to check if renaming it has the same result.
Of course someone a bit more skilled could trick the database: without looking into TNS in more detail, I suspect that the name of the program is sent as part of a TNS packet to the RDBMS, and this could be changed, so relying on v$session is not 100% foolproof, but it would certainly stop casual and normal business users.
I just thought I would share that little experiment to see how reliable v$session is as a checking mechanism for the source program.
Kind regards
Pete
--
Pete Finnigan
Email : pete_at_peterfinnigan.demon.co.uk
Email : pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com
Independent consultant specialising in Oracle security.
Pete Finnigan is the author of the recently published book about Oracle security from the SANS Institute, "Oracle security Step-by-step (A survival guide for Oracle security)" - see http://store.sans.org for details.
Some recently published articles include:
http://online.securityfocus.com/infocus/1644 - "SQL injection and Oracle - part one"
http://online.securityfocus.com/infocus/1646 - "SQL injection and Oracle - part two"

Received on Sat Feb 22 2003 - 16:39:06 CST
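The AFTER LOGON trigger that the thread discusses, written out as an added example (this is not code from the original post or from Pete Finnigan; the trigger name, the application name APP_FORMS and the user PETE are assumed for illustration). It checks the program name of the connecting session through the AUDSID/SESSIONID join, which exists on 8i, and uses an allow-list rather than a block-list, since the experiment above shows that a block-list keyed on "sqlplus" is defeated by a simple rename. As the post itself notes, PROGRAM is supplied by the client, so this is a speed bump for ordinary users, not a security boundary. The trigger owner needs a direct SELECT grant on SYS.V_$SESSION, exactly as granted to PETE above, because grants through a role are not visible inside a trigger.

```sql
-- Added example: restrict non-administrative accounts to an approved
-- application name as reported in V$SESSION.PROGRAM.
-- Assumed names: trigger RESTRICT_CLIENT_PROGRAM, approved program
-- APP_FORMS, exempt user list. Run as a DBA account that has been
-- granted SELECT ON SYS.V_$SESSION directly (not via a role).
CREATE OR REPLACE TRIGGER restrict_client_program
AFTER LOGON ON DATABASE
DECLARE
  v_program  sys.v_$session.program%TYPE;
BEGIN
  -- Exempt DBA accounts so a mistake here can never lock out administration.
  -- (Users holding ADMINISTER DATABASE TRIGGER are not blocked by a failing
  -- logon trigger anyway; the explicit exemption just keeps the intent clear.)
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') IN ('SYS', 'SYSTEM') THEN
    RETURN;
  END IF;

  -- Find this session's own row: AUDSID matches USERENV SESSIONID.
  SELECT program
    INTO v_program
    FROM sys.v_$session
   WHERE audsid = SYS_CONTEXT('USERENV', 'SESSIONID')
     AND ROWNUM = 1;

  -- Allow-list: the program name must start with the approved application
  -- name (the client may append "@host (TNS V1-V3)"). Anything else, including
  -- a renamed sqlplus that does not happen to use the approved name, is refused.
  IF v_program IS NULL
     OR UPPER(v_program) NOT LIKE 'APP_FORMS%' THEN
    RAISE_APPLICATION_ERROR(
      -20001,
      'Interactive connections are not permitted for this account');
  END IF;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    -- No matching V$SESSION row (e.g. some internal sessions): do not block.
    NULL;
END;
/

-- Companion monitoring query for the DBA (constructed example): list live
-- sessions of ordinary users whose PROGRAM does not match the approved name,
-- which is the check worth reviewing periodically given that PROGRAM is
-- client-supplied and the trigger above can be bypassed.
SELECT username, osuser, machine, program, logon_time
  FROM sys.v_$session
 WHERE username IS NOT NULL
   AND username NOT IN ('SYS', 'SYSTEM')
   AND (program IS NULL OR UPPER(program) NOT LIKE 'APP_FORMS%')
 ORDER BY logon_time;
```

Two practical points on this design: keep the exempt list to the accounts that must be able to log in no matter what, and combine the check with columns the client cannot influence as freely (OSUSER, MACHINE, or the TERMINAL/IP recorded in the audit trail) before treating any single V$SESSION value as authoritative.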