Comments on Sydney Oracle Lab: EXPIRED AND LOCKED...but still DANGEROUS
Feed last updated 2023-10-28 23:33 +11:00 (6 comments, newest first)

SydOracle, 2010-11-05 10:19 +11:00

Actually, I've been probing further. Looks like the missing link is "WWV_DBMS_SQL", which is a SYS-owned package with a dependency on DBMS_SYS_SQL, which has EXECUTE granted to APEX_040000.

Oh, and it contains PARSE_AS_USER as a procedure.

Connor McDonald, 2010-11-02 16:26 +11:00

Along a similar vein, I generally do *not* lock accounts, but set their passwords to something that can never be entered by the user, e.g.

    alter user BLAH identified by values 'not-possible';

The justification for this is that someone snooping around for access to your db will get:

    ORA-28000: the account is locked

for a locked account. Straight away, they now know that account exists, possibly opening up an avenue to exploit that account in some way.

With the impossible password, they will get:

    ORA-01017: invalid username/password

which yields no such clues.

Cheers
Connor

SydOracle, 2010-11-02 08:56 +11:00

Noons,

The classic Oracle security model of passwords tied to a user tied to a schema tied to a bunch of SQLs in the shared pool is, I think, outdated. It is hard to scale to hundreds of concurrent users, let alone more.
Hard parsing the same query for FRED as for BARNEY when they both have the same roles and privs just doesn't cut it any more.

That said, I'd LOVE to see the equivalent of the Network ACL security model applied to DBMS_SYS_SQL. That way, you could grant DBMS_SYS_SQL just for specific target schemas, the same way as you can grant UTL_HTTP for specific domains.

Probably have to expand this in another post.

SydOracle, 2010-11-02 08:34 +11:00

Niall,

While Apex doesn't have permissions on DBMS_SYS_SQL, it does have XMLDB as a pre-requisite.
http://download.oracle.com/docs/cd/E17556_01/doc/install.40/e15513/pre_require.htm#BABICIHB

And XMLDB does have execute permissions on DBMS_SYS_SQL.

While the ALTER SESSION command can change the current schema, there's nothing in the ALTER SESSION privilege that would allow a database session connected as FRED (or ANONYMOUS or APEX_PUBLIC_USER) to perform DML or DDL as a different user.

Noons, 2010-11-02 08:05 +11:00

Good catch. Having a few problems with this whole rigmarole and SQL Worksheet at the moment...

This is the generic problem of a product subverting the security of the underlying database engine. It happens with a lot of others, not just Apex.

What could have possessed the Apex designers to come up with their own logins, rather than simply going through the Oracle security and creating/dropping users as needed?
What, the product is gonna be "portable" now?...

Niall, 2010-11-01 20:50 +11:00

Hi Gary,

I imagine it's done via ALTER SESSION (a privilege which Apex 4.0 has) rather than DBMS_SYS_SQL, which APEX 4.0 doesn't have execute privileges on.