Home » RDBMS Server » Security » password file
password file [message #62838] Wed, 18 August 2004 22:10 Go to next message
Ayham Wafai
Messages: 5
Registered: August 2004
Junior Member
can any one with sufficient OS and/or network privs logon to a Oracle server and delete the old password file and create a newpassword file with a new password for user internal and log on to the database with the new password. Isnt that a great breach of security to the database. How can that be prevented?

Thank you.
Re: password file [message #62845 is a reply to message #62838] Thu, 19 August 2004 01:08 Go to previous messageGo to next message
Daljit Singh
Messages: 290
Registered: October 2003
Location: Texas
Senior Member
Hi,

Well according to me database and OS both work along with each other to provide a adequate level of security. If you say "can any one with sufficient OS and/or network privs" it means the user is a valid OS user and if he or she delete the password file so it is definitely a security breach but in OS management not in DB. A valid OS user who belongs to oracle dba group can enter into Db without specifying any password, he doesn't need to delete and recreate the password file.

To rectify this create limited number of OS user who would be the member of oracle dba group. Grant appropriate access rights to the oracle files, so that only valid user can deal with them.

A strong OS user policy is required here.

Daljit Singh
PWDORA and ORADIM Security Issues [message #62874 is a reply to message #62838] Fri, 20 August 2004 22:39 Go to previous messageGo to next message
Ayham Wafai
Messages: 5
Registered: August 2004
Junior Member
Thank you Daljit, I was quiet sure that this would be the issue after the
research I went through. Thank you again for confirming. Your reply
confirmed what I think is a serious problem.

I think this (intentionally or unintentionally) can be a source of trouble,
and Oracle should protect ORAPWD and ORADIM with a mechanism where the old
password must be mentioned in the ORAPWD command for the password file to be
recreated, and old Internal password also must be mentioned in the ORADIM
delete instance command for the instance to be deleted. I am sure you are
aware you can delete an instance and recreate it with a new internal
password which I am sure can send a DBA home upset (furious more like it) at
the end of the day.

Best Regards,

Ayham Wafai
Re: password file [message #62875 is a reply to message #62845] Fri, 20 August 2004 23:09 Go to previous message
Ayham Wafai
Messages: 5
Registered: August 2004
Junior Member
Daljit, I don't think the OS user need to be a part of a Oracle DBA Group to be able to tamper with the password file. I am pretty concerned with this security issue and wonder if there is a good theory to prevent that. The same applies on deleting an instance using the command line ORADIM command. How are you dealing with this on production databases? Thank you in advance. Ayham
Previous Topic: auditing tables - read-only access
Next Topic: schema access
Goto Forum:
  


Current Time: Tue Nov 30 12:42:06 CST 2021