RE: DBLINKs in critical production system

  • From: Hemant K Chitale <hkchital@xxxxxxxxxxxxxx>
  • To: "Thotangare, Ajay (GTI)" <Ajay_Thotangare@xxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Tue, 01 May 2007 21:57:16 +0800


The "security hole" I am referring to is at two levels :
1.  If the DBLink connects to the base schema (owning the tables) anyone
with access to the account owning the DBLink has full privileges on that
remote schema.  That is  -- an "Authorised"  user in Database "A"  would
implicitly gain privileges to do "unauthorised" things in Database "B" !
2.  Yes, in pre-9i, there are ways to view the DBLink password.
So a DBA in Database "A" would be able to do "unauthorised" things in
Database "B" even if he does not have access to Database "B".

Hemant

At 09:31 PM Tuesday, Thotangare, Ajay (GTI) wrote:
Is "security hole" still applicable in 10g assuming no extra privileges
are given? In 10g the password is encrypted in sys.link$.

-----Original Message-----
From: Hemant K Chitale [mailto:hkchital@xxxxxxxxxxxxxx]
Sent: Tuesday, May 01, 2007 8:06 AM
To: Thotangare, Ajay (GTI); oracle-l@xxxxxxxxxxxxx
Subject: Re: DBLINKs in critical production system


<<deleted>>
1.  If you create a DBLink connecting to the base schema  (the schema
actually owning the tables being referenced)
then that is a big NO NO (read "Security Hole").
<<deleted>>


Hemant K Chitale
http://web.singnet.com.sg/~hkchital
and
http://hemantscribbles.blogspot.com
and
http://hemantoracledba.blogspot.com

"First they ignore you, then they laugh at you, then they fight you, then you win" !" Mohandas Gandhi Quotes : http://www.brainyquote.com/quotes/authors/m/mohandas_gandhi.html

--
//www.freelists.org/webpage/oracle-l
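
The first point in the reply above (a DBLink that connects to the schema owning the tables), shown beside a restricted layout and two audit queries. This is an added example, not part of the original thread; the names app_owner, app_link_ro, orders, the link names and the TNS alias DB_B are hypothetical, and the passwords are placeholders.

```sql
-- Added example: every schema, table, link and alias name here is hypothetical.

-- Pattern the post warns against (run in Database "A").
-- The link logs in to "B" as APP_OWNER, the schema that owns the tables,
-- so any session in "A" that can use the link acts in "B" with the
-- owner's full rights (DML, DDL, DROP) on that schema.
CREATE DATABASE LINK b_as_owner
  CONNECT TO app_owner IDENTIFIED BY "<placeholder-password>"
  USING 'DB_B';

-- Restricted layout, step 1 (run in Database "B").
-- A dedicated account that owns no objects and holds only the grants
-- the remote application actually needs.
CREATE USER app_link_ro IDENTIFIED BY "<placeholder-password>";
GRANT CREATE SESSION TO app_link_ro;
GRANT SELECT ON app_owner.orders TO app_link_ro;

-- Restricted layout, step 2 (run in Database "A").
CREATE DATABASE LINK b_read_orders
  CONNECT TO app_link_ro IDENTIFIED BY "<placeholder-password>"
  USING 'DB_B';

-- Remote objects are then referenced with the owner prefix.
SELECT COUNT(*) FROM app_owner.orders@b_read_orders;

-- Audit, part 1 (run in Database "A"): links that carry fixed credentials.
-- USERNAME is NULL for connected-user and current-user links.
SELECT owner, db_link, username, host, created
FROM   dba_db_links
WHERE  username IS NOT NULL
ORDER  BY owner, db_link;

-- Audit, part 2 (run in Database "B"): do any of the accounts found in
-- part 1 own tables? A row here means a link connects to a base schema.
SELECT u.username, COUNT(*) AS tables_owned
FROM   dba_users u
JOIN   dba_tables t ON t.owner = u.username
WHERE  u.username IN ('APP_OWNER', 'APP_LINK_RO')  -- names from part 1
GROUP  BY u.username;
```

With the restricted account, a user of the link in "A" is limited to the privileges granted to app_link_ro in "B", whoever holds or recovers the link credentials.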

