RE: Privileges by session
- From: D'Hooge Freek <Freek.DHooge@xxxxxxxxx>
- To: "adar666@xxxxxxxxxxxx" <adar666@xxxxxxxxxxxx>, "jkstill@xxxxxxxxx" <jkstill@xxxxxxxxx>
- Date: Wed, 13 Jan 2010 11:07:19 +0100
Checking the name of the application is pointless as it is so easy to fool.
You only need to change the name of the application:
C:\>rename c:\oracle\product\10.2.0\client_1\BIN\sqlplus.exe sqlplus2.exe
C:\>sqlplus2 sys@xxxxxxxxxxxxxxxxxxxxx as sysdba
SQL*Plus: Release 10.2.0.1.0 - Production on Wed Jan 13 11:04:51 2010
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning and Data Mining options
INSTANCE_NAME HOST_NAME STATUS
---------------- ------------------------------ ------------
GUNNAR dargo.farscape OPEN
sys@GUNNAR> select program from v$session where sid = (select distinct sid from
v$mystat);
PROGRAM
------------------------------------------------
sqlplus2.exe
regards,
Freek D'Hooge
Uptime
Oracle Database Administrator
email: freek.dhooge@xxxxxxxxx
tel +32(0)3 451 23 82
http://www.uptime.be
disclaimer: www.uptime.be/disclaimer
________________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On
Behalf Of Yechiel Adar
Sent: Tuesday 12 January 2010 18:40
To: jkstill@xxxxxxxxx
Cc: wblanchard@xxxxxxxxxxxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: Re: Privileges by session
Sure, but:
1) How many are worth employment? :-)
2) Adding a check on the source, which should be production servers that the
developers have no access to, will help.
Adar Yechiel
Rechovot, Israel
Jared Still wrote:
On Tue, Jan 12, 2010 at 4:54 AM, Yechiel Adar <adar666@xxxxxxxxxxxx> wrote:
2) Put in a login trigger that will fail all logon with the application user
but with other programs like SQLPLUS or TOAD.
Any developer worth employing can circumvent a trigger that checks executable
names.
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
Oracle Blog: http://jkstill.blogspot.com
Home Page: http://jaredstill.com
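
The source check suggested in the thread, in place of the program-name check, as an added example that is not code from any poster here. The account name APP_USER, the table APP_ALLOWED_SOURCES, the trigger name and the addresses are assumptions made for illustration.

```sql
-- Added example. Hypothetical names: APP_USER, APP_ALLOWED_SOURCES,
-- APP_USER_SOURCE_CHECK. Create these in a DBA-owned schema.

-- Allow list of the production application servers.
CREATE TABLE app_allowed_sources (
  ip_address VARCHAR2(45) PRIMARY KEY
);
INSERT INTO app_allowed_sources VALUES ('192.0.2.11');  -- constructed sample address
INSERT INTO app_allowed_sources VALUES ('192.0.2.12');  -- constructed sample address
COMMIT;

CREATE OR REPLACE TRIGGER app_user_source_check
AFTER LOGON ON DATABASE
DECLARE
  -- Taken from the network connection. v$session.program, as the renamed
  -- sqlplus2.exe above shows, is whatever the client chooses to report,
  -- so it is deliberately not consulted here.
  v_ip      VARCHAR2(45) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_allowed PLS_INTEGER;
BEGIN
  -- Only the application account is restricted.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP_USER' THEN
    -- IP_ADDRESS is NULL for local (non-network) connections; NULL never
    -- matches a row, so those logons are refused as well.
    SELECT COUNT(*)
    INTO   v_allowed
    FROM   app_allowed_sources
    WHERE  ip_address = v_ip;

    IF v_allowed = 0 THEN
      RAISE_APPLICATION_ERROR(-20001,
        'APP_USER logon refused: source not in allow list');
    END IF;
  END IF;
END;
/
```

An error raised in a logon trigger does not stop accounts that hold the ADMINISTER DATABASE TRIGGER privilege, so the application account must not have it.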