Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Feb 27th, 2006, 10:05pm)

Title: database security question
Post by Pete Finnigan on Feb 27th, 2006, 10:05pm
If a database has no database links and is hacked, i.e., access is gained to the database through a user account, is there any way the hacker can access any other database in our environment, either on the same server or a different server?

Background:
There is a new application running on this server (Windows 2003) which the developers say requires logon by the system account (another issue). Some of my fellow DBAs are OK giving them the system password because there is no data of any value in the database and there are no db links to any other databases. Therefore, the thinking goes, the only harm that can be done is to the server and the database, which is not that big a deal (relatively). I don't like the idea of giving anyone outside the DBA group the system password. I agree with the idea that if the database and/or server get hacked it's limited in scope and therefore not as big a concern as some other servers/databases; however, the thought of others knowing the system pw doesn't sit well with me.

We are running Oracle EE 10g on this server.

Any feedback would be welcome.

Thanks.
Joe

Title: Re: database security question
Post by Pete Finnigan on Feb 28th, 2006, 10:16pm
Hi Joe,

You have two concerns here. First is that SYSTEM (I think you mean the Oracle account, not the OS?) can create database links, and secondly you should not be giving out powerful database accounts to staff outside of the database group.

If they log in as SYSTEM then they can also access the OS as system through various means, some of which can be used to gain shell access.

hth

Pete
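
A dictionary check for the point made in this reply, added here as an example and not part of the original posts: "no database links" only describes the current state, so it helps to list which accounts could create one. It assumes a DBA session with access to the standard `DBA_*` views on the 10g database discussed.

```sql
-- Added example: run as a DBA on the database in question.

-- 1. Database links that exist right now (the thread assumes none).
SELECT owner, db_link, username, host, created
FROM   dba_db_links
ORDER  BY owner, db_link;

-- 2. Users and roles granted link-creation privileges directly.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE DATABASE LINK', 'CREATE PUBLIC DATABASE LINK')
ORDER  BY grantee, privilege;

-- 3. Users who inherit those privileges through a role, following
--    nested role grants down from each role that holds the privilege.
SELECT DISTINCT u.username, rp.root_role AS via_role, sp.privilege
FROM  (SELECT grantee, CONNECT_BY_ROOT granted_role AS root_role
       FROM   dba_role_privs
       START  WITH granted_role IN
              (SELECT grantee
               FROM   dba_sys_privs
               WHERE  privilege IN ('CREATE DATABASE LINK',
                                    'CREATE PUBLIC DATABASE LINK'))
       CONNECT BY PRIOR grantee = granted_role) rp
JOIN   dba_sys_privs sp ON sp.grantee  = rp.root_role
JOIN   dba_users     u  ON u.username  = rp.grantee
WHERE  sp.privilege IN ('CREATE DATABASE LINK', 'CREATE PUBLIC DATABASE LINK')
ORDER  BY u.username, via_role;
```

Any application account that appears in the second or third result set can add a link later, which is the exposure the reply describes for SYSTEM.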

Title: Re: database security question
Post by Pete Finnigan on Mar 1st, 2006, 8:15pm
Thanks, Pete. I did mean the Oracle user system. I hadn't thought of the fact that system can create links even though it's obvious. I agree that others shouldn't know the system pswd.

BTW, turns out the application doesn't need the system account, just a few more privs to the main app user. Makes me feel better about the app, too. No app should require the use of the system account.

Joe


