One of the nicer little features of 9i is that those accounts come "locked" when you build the database. The set of privileges for each has also been greatly restricted.

--- Stephane Faroult <[EMAIL PROTECTED]> wrote:

> "Deshpande, Kirti" wrote:
> >
> > We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't do this, but we have to, and that's another topic...
> >
> > We also use a specific auth prefix.
> >
> > Now, can someone show me how a Windoze user, 'GOD' get in the database when I do not have a user, '<Auth_Prefix>GOD' in my database.
> >
> > I say, I have nothing to worry about this setup as long as 'GOD' user in my database is controlled appropriately via roles, grants, profile etc....
> >
> > Sure, if I had <auth_prefix>GOD in the database, I will be looking for another job....
> > Right?
> >
> > - Kirti
> >
>
> The problem as I see it is that it's fairly easy to get the names of users on a database. The number of databases you can connect to using dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can query ALL_USERS. I must say that I am truly hopeless with any Microsoft OS, so you could safely let me with admin rights on the box when I feel at my most mischievous. But imagine I come with Linux on my laptop, I plug (like many 'nomad' users often do) into your network, manage to connect (as a less-than-nothing user), check the user list, spot something looking like a prefix, and use this information to add with linuxconf a suitably named account to my machine? I am certain that in your case everything is correctly fenced, but I have met many many many databases where the standard in terms of grants was 'TO PUBLIC', and where database links were PUBLIC as well, and usually connected to the other database as the owner of most tables (even as DBA).
> IMHO, if you really want to be secure, you must first know Oracle and your environment well, and also audit sensitive information.
>
> --
> Regards,
>
> Stephane Faroult
> Oriole Ltd
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Stephane Faroult
> INET: [EMAIL PROTECTED]
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).

--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Rachel Carmichael
INET: [EMAIL PROTECTED]
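
The exposure discussed in this thread (REMOTE_OS_AUTHENT with a guessable prefix, default accounts, grants TO PUBLIC, public database links) can be audited from the data dictionary. The script below is an added example, not part of the original messages; it assumes a DBA session in SQL*Plus and 9i-era DBA_USERS columns, and the exclusion of SYS and SYSTEM in query 5 is an assumption made only to cut noise.

```sql
-- Added audit sketch (not from the thread). Run as a DBA.

-- 1. Does the database trust the client's OS user name, and with what prefix?
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Externally identified accounts. With remote_os_authent = TRUE, a client
--    machine that presents a matching OS user name is logged in as these.
--    9i stores 'EXTERNAL' in PASSWORD; 11g and later expose
--    AUTHENTICATION_TYPE = 'EXTERNAL' instead.
SELECT username, account_status, profile
  FROM dba_users
 WHERE password = 'EXTERNAL'
 ORDER BY username;

-- 3. What those external accounts are allowed to do.
SELECT grantee, 'ROLE' AS kind, granted_role AS granted
  FROM dba_role_privs
 WHERE grantee IN (SELECT username FROM dba_users WHERE password = 'EXTERNAL')
UNION ALL
SELECT grantee, 'SYSPRIV', privilege
  FROM dba_sys_privs
 WHERE grantee IN (SELECT username FROM dba_users WHERE password = 'EXTERNAL')
 ORDER BY 1, 2, 3;

-- 4. The two default accounts named in the thread. Anything other than a
--    locked status here deserves a password change or a lock.
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('DBSNMP', 'OUTLN');

-- 5. Object privileges granted TO PUBLIC on application schemas.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name, privilege;

-- 6. Public database links and the remote account each one connects as.
SELECT db_link, username, host
  FROM dba_db_links
 WHERE owner = 'PUBLIC'
 ORDER BY db_link;
```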