Re: using set role command in a logon trigger -- got something implemented - now security question
- From: rjamya <rjamya@xxxxxxxxx>
- To: breitliw@xxxxxxxxxxxxx
- Date: Fri, 13 Apr 2007 07:19:36 -0400
Wolfgang,
true, but remember, the logon trigger will fire after you login and before
you get your prompt back to issue the exec dbms_application_info command.
Laura,
if you are that worried, revoke dbms_application_info from public and grant
it at the end of the trigger. Spoofing will require user to execute some
code, which obviously cannot be done until login process is complete.
Am I missing anything?
rjamya
On 4/12/07, Wolfgang Breitling <breitliw@xxxxxxxxxxxxx> wrote:
At 09:05 AM 4/12/2007, laura pena wrote:
>Just to provide feedback here, I actually got this implemented using
>the 10g feature creating application roles via schema packages.
>Thanks for the link below Sriram.
>
>The user is configured to execute a schema package created as the
>system user with AUTHID CURRENT_USER.
>
>The schema package uses sys_context to check the users environment
>module name to determine which application is running. If it's the
>"approved" module, permission to update,delete, insert into this
>schema are granted via dbms_session.set_role to the logged in user.
>
>The application itself needed to modified to call this stored
>procedure on login (it does more checks as well). All users allowed
>to user this application configured to use this stored procedure.
>
>Works great. Except now I have a security question?
>
>Can a user spoof the sys_context environment module name ?
>So say the user wants to have super privs within toad? Can he/she
>change the module toad.exe to the module name of the application.
>So they may have super privs to the applications tables now?
I am getting out on a limb here to say "most likely yes". How
difficult it is depends to some degree on how your sys_context
determines "the users environment module name".
If it's just from the program name that would be very easy to fake.
By just creating a copy of sqlplus as toad I get the following:
11:59:02 ora92.scott> exec print_table('select * from v$session where
sid=9'
SADDR : 30A6BB08
SID : 9
SERIAL# : 3594
AUDSID : 5325
PADDR : 30A41044
USER# : 40
USERNAME : SCOTT
COMMAND : 0
OWNERID : 2147483644
TADDR :
LOCKWAIT :
STATUS : ACTIVE
SERVER : DEDICATED
SCHEMA# : 40
SCHEMANAME : SCOTT
OSUSER : FERRARI\Wolfgang
PROCESS : 8036:7572
MACHINE : CENTREX\FERRARI
TERMINAL : FERRARI
PROGRAM : toad.exe
TYPE : USER
SQL_ADDRESS : 320733AC
SQL_HASH_VALUE : 2876145831
PREV_SQL_ADDR : 320733AC
PREV_HASH_VALUE : 2876145831
MODULE : SQL*Plus
MODULE_HASH : 3669949024
ACTION : 2007-04-12 11:55:54
ACTION_HASH : 1061060199
CLIENT_INFO :
FIXED_TABLE_SEQUENCE : 66
ROW_WAIT_OBJ# : 30146
ROW_WAIT_FILE# : 7
ROW_WAIT_BLOCK# : 0
ROW_WAIT_ROW# : 0
LOGON_TIME : 2007-04-12 11:55:52
LAST_CALL_ET : 0
PDML_ENABLED : NO
FAILOVER_TYPE : NONE
FAILOVER_METHOD : NONE
FAILED_OVER : NO
RESOURCE_CONSUMER_GROUP : DEFAULT_CONSUMER_GROUP
PDML_STATUS : DISABLED
PDDL_STATUS : ENABLED
PQ_STATUS : ENABLED
CURRENT_QUEUE_DURATION : 0
CLIENT_IDENTIFIER :
-----------------
The program name is now toad.exe, but the module is still sql*plus
because sqlplus sets it via a call to
dbms_application_info.set_module. In order to change that I need to
intercept that and change the value to something else. Not at all
impossible to do. Just depends on the determination and knowledge of
the developer.
Regards
Wolfgang Breitling
Centrex Consulting Corporation
www.centrexcc.com
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
--
//www.freelists.org/webpage/oracle-l
--
-----
Best regards
RJamya
-------------------------------------------
Other related posts:
