Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> sys.link$
(Message started by: Pete Finnigan on Jun 23rd, 2010, 11:17am)

Title: sys.link$
Post by Pete Finnigan on Jun 23rd, 2010, 11:17am
Hi, am I correct in stating that although sys.link$ pre Oracle10g is available only to sys, not all dba’s should have access to passwords of fixed database links therefore there is a security risk

Title: Re: sys.link$
Post by Pete Finnigan on Jun 28th, 2010, 9:41am
Hi,

Yes you are correct. There are a number of more subtle issues here. The first is that a lot of sites by default allow DBA's access to SYS and SYSTEM and of course SYS can view this table and see passwords pre 10g and decrypt them post 10gR2. The more subtle issue is that in designing your DNA roles you must take care to not effectively make anoither SYS or allow easy access to SYS.

Also in this case you must review existing links and why they exist. There should be no PUBLIC links. Also remember that a fixed link with a password is better in one sense in that if you chose to use a concurrent or connected user link you are effectively saying its OK to set the same password in multiple databases. My view is seperate passwords, links ONLY if you absolutely need them, they must be private and only SYSDBA should be able to read LINK$.

cheers

Pete



Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board