Re: Becoming a user - 10g issue

  • From: Yong Huang <yong321@xxxxxxxxx>
  • To: Mark Brinsmead <pythianbrinsmead@xxxxxxxxx>, jkstill@xxxxxxxxx
  • Date: Thu, 21 Aug 2008 21:35:23 -0700 (PDT)

I'm glad you brought up the issue of auditing. Let me focus on the technical
aspect of it, and leave the non-technical discussion to managers or whoever is
interested.

When you execute procedure anotheruser.procedurename as sys to create the db
link in his schema, dba_audit_trail by default will not record it (assuming
"audit create database link" was done earlier). It *is* a problem for auditing.
If that's the concern, or inconvenience in finding who did it, then the DBAs
should always use this trick when logged on as a DBA but not sys such as
system, because dba_audit_trail.username will show "SYSTEM" for this action.
Alternatively, just enable audit_sys_operations if sys should be monitored.

Yong Huang

--- Mark Brinsmead <pythianbrinsmead@xxxxxxxxx> wrote:

> Yes.  You can use this trick to do just about anything as any user -- all
> you need is create any procedure and execute any procedure.
> 
> Of course, if auditors are likely to complain about (mis-)use of ALTER USER,
> what are they likely to say about this.
> 
> Apply caution -- in many places performing actions like either of these
> without proper authorization can be firing offenses, or worse, could even
> result in criminal prosecution!  (And simply having the necessary privileges
> is *not* authorization!)
> 
> On Thu, Aug 21, 2008 at 4:09 PM, Jared Still <jkstill@xxxxxxxxx> wrote:
> 
> > Clever solution.
> >
> > On Thu, Aug 21, 2008 at 1:54 PM, Yong Huang <yong321@xxxxxxxxx> wrote:
> >
> >> What I usually do to create a private DB link or stop or start another
> >> user's DBMS job, is to create a temporary procedure in that schema:
> >>
> >> conn system
> >> create or replace procedure yhuang.p as
> >> begin
> >>  execute immediate 'create database link remotedb
> >>  connect to remoteuser identified by thepassword using ''remotedb''';
> >> end;
> >> /
> >> exec yhuang.p
> >> drop procedure yhuang.p;
> >>
> >> The advantage is you don't change that user's password even for a
> >> subsecond. So there's no risk in that respect.
> >>
> >> I wish Oracle would support "create database link theuser.linkname...", or
> >> give us a general method as Windows's "Run as" functionality.
> >>
> >>
> > --
> > Jared Still
> > Certifiable Oracle DBA and Part Time Perl Evangelist
> >
> >
> 
> 
> -- 
> Cheers,
> -- Mark Brinsmead
> Senior DBA,
> The Pythian Group
> http://www.pythian.com/blogs
> 
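The audit side of the thread, as an added example (not code from any of the posters, and not Oracle's own documentation): the audit options, the parameter change, and the queries a DBA would use to see who created a private link through a temporary procedure in another schema. It assumes Oracle 10g standard auditing with audit_trail=DB, a DBA session to run it in, and that for the CREATE DATABASE LINK record DBA_AUDIT_TRAIL.OWNER carries the schema the link landed in (yhuang) while USERNAME carries the connected session (SYSTEM); the schema and link names are taken from the thread.

```sql
-- Added example, not from the thread. Assumes Oracle 10g with audit_trail=DB
-- and a DBA session. Names (yhuang, remotedb) follow the thread.

-- 1. Audit the statements involved. The DATABASE LINK option covers CREATE and
--    DROP DATABASE LINK; PROCEDURE covers CREATE/DROP of the temporary
--    procedure used as the vehicle; EXECUTE PROCEDURE records "exec yhuang.p".
AUDIT DATABASE LINK BY ACCESS;
AUDIT PROCEDURE BY ACCESS;
AUDIT EXECUTE PROCEDURE BY ACCESS;

-- 2. SYS actions never land in DBA_AUDIT_TRAIL. audit_sys_operations sends
--    them to the OS audit files (or the Windows event log) instead. It is a
--    static parameter, so it takes effect after the next restart.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 3. Links created by a session other than the schema that ends up owning them.
--    Assumption: OWNER holds the link's schema, USERNAME the connected user,
--    so a link created by SYSTEM in yhuang's schema shows as SYSTEM / YHUANG.
SELECT a.timestamp, a.username, a.os_username, a.userhost,
       a.owner, a.obj_name, a.action_name
  FROM dba_audit_trail a
 WHERE a.action_name = 'CREATE DATABASE LINK'
   AND a.username <> a.owner
 ORDER BY a.timestamp;

-- 4. The same pattern on the temporary procedure: created and dropped from a
--    foreign session within an hour is the signature of the trick.
--    TIMESTAMP is a DATE in 10g, so + 1/24 is one hour.
SELECT c.owner, c.obj_name, c.username,
       c.timestamp AS created_at, d.timestamp AS dropped_at
  FROM dba_audit_trail c
  JOIN dba_audit_trail d
    ON d.owner = c.owner
   AND d.obj_name = c.obj_name
   AND d.action_name = 'DROP PROCEDURE'
   AND d.timestamp BETWEEN c.timestamp AND c.timestamp + 1/24
 WHERE c.action_name = 'CREATE PROCEDURE'
   AND c.username <> c.owner
 ORDER BY c.timestamp;
```

Only records written after the AUDIT statements ran will show up, so links that already exist in DBA_DB_LINKS have no matching row in query 3; check the assumption about the OWNER and USERNAME columns on your own trail before relying on the inequality filters.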
--
//www.freelists.org/webpage/oracle-l