RE: DBLINKs in critical production system

From: Hemant K Chitale <hkchital@xxxxxxxxxxxxxx>
To: "Thotangare, Ajay \(GTI\)" <Ajay_Thotangare@xxxxxx>, <oracle-l@xxxxxxxxxxxxx>
Date: Tue, 01 May 2007 21:57:16 +0800


The "security hole" I am referring to is at two levels :
1.  If the DBLink connects to the base schema (owning the tables) anyone
with access to the account owning the DBLink has full privileges on that
remote schema.  That is  -- an "Authorised"  user in Database "A"  would
implicitly gain privileges to do "unauthorised" things in Database "B" !
2.  Yes, in pre-9i, there are ways to view the DBLink password.
So a DBA in Database "A" would be able to do "unauthorised" things in
Database "B" even if he does not have access to Database "B".

Hemant

At 09:31 PM Tuesday, Thotangare, Ajay \(GTI\) wrote:

Is "security hole" still applicable in 10g assuming no extra privileges
are given. In 10g password is encrypted in sys.link$

-----Original Message-----
From: Hemant K Chitale [mailto:hkchital@xxxxxxxxxxxxxx]
Sent: Tuesday, May 01, 2007 8:06 AM
To: Thotangare, Ajay (GTI); oracle-l@xxxxxxxxxxxxx
Subject: Re: DBLINKs in critical production system

<<deleted>>
1.  If you create a DBLink connecting to the base schema  (the schema
actually owning the tables being referenced)
then that is a big NO NO (read "Security Hole").
<<deleted>>



Hemant K Chitale
http://web.singnet.com.sg/~hkchital
and
http://hemantscribbles.blogspot.com
and
http://hemantoracledba.blogspot.com

"First they ignore you, then they laugh at you, then they fight you,then you win" !"Mohandas Gandhi Quotes: http://www.brainyquote.com/quotes/authors/m/mohandas_gandhi.html


--
http://www.freelists.org/webpage/oracle-l

References:

RE: DBLINKs in critical production system
From: Thotangare, Ajay \(GTI\)

RE: DBLINKs in critical production system

Other related posts: