Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "New paper from Aaron Newman - Search Engines used to attack the database"] [Next entry: "Another undocumented parameter in use (_ash_enable)"]

A password repository for Oracle

I came across an interesting piece of software on sourceforge last night called OPR (Oracle Password Repository). This is software that is intended to be able to replace the hard coding of Oracle usernames and passwords in SQL or shell or perl (or any other type ... of scripts). The software uses a repository to store information about database instances, usernames, os username, password etc. Then when calling a tool such as SQL*Plus from a script you instead call OPR to get the users password to enable a login to the database.

The repository is owned by the owner of the Oracle software (or any other user you choose) and only this user can read and write the repository. It is possible to grant other OS users access to read and write the repository as well if required. It is also possible to grant specific database users the right to get another databases users password. Also control can be made at the os user level so that the person calling OPR must be logged in as the correct OS user.

The software can also sync itself with the database so that users and passwords are aligned. This is done by OPR attempting a login to the relevant database. It is possible to change database passwords using OPR so that they remain in sync.

The repository has the setuid bit enabled so that all users can execute the tool.

The Oracle Password Repository (OPR) home page is here and the OPR software can be downloaded from here.

I also talked about the same issue recently in a post titled "A script to call SQL*Plus without hard coding passwords" and I have also updated the free section of my Oracle security tools page to include OPR.

I know that the repository is owned by the software owner or some other designated user but thee could be major problems with this solution. The first is that there would be one file containing all relevant usernames and passwords. The file is suitably protected BUT, if it were obtained then the usernames and passwords, database instances etc could be obtained and hacked. There would also be a tendency for users of OPR to add usernames and passwords just in case. There are many known ways to read and write files owned by the oracle software owner from within the database. This would mean that the supposed protection of only the software owner being able to read the file would be invalid, in fact worse than having the passwords stored in a file owned by root for instance. A hacker could remotely attack the repository and get all the users details including passwords.

That said, this is still useful software that solves a particular problem - password leakage from scripts, either on the command line or via reading the scripts. If OPR is used then the absolute minimum number of usernames and passwords must be added to it. Ideally one user. The privileges of users in this repository should be held at the minimum - least privilege principle. The database must be secured. See the checklists on my Oracle security papers page. All avenues of reading OS files from within the database must be closed. Ideally the owner of the OPR repository should not be the owner of the Oracle software or the owner of the running Oracle instance. This should help prevent access to the repository from within the database. Also consider the use of an external account but only locally for scripts and batches. This again should follow the least privilege principle.