Re: oracle authentication from windows

2003-06-22 Thread bulbultyagi
Beth when the whole setup uses a workgroup and people log into their
local machines rather than being authenticated by a domain server ?

- Original Message -
To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 03:34


:
: No, that's not true.  It actually uses your NT security token to
: validate that you are authenticated in the domain.  You can't just give
: a rogue PC the same domain name, boot it up, and log into the database
: with external authentication.  The PC would have to be a domain member,
: which means you have to have the domain admin password to join the
: domain, along with the user's password so that you could log into the
: domain as them.  The same is not true if you use another prefix such as
: OPS$.
:
:
: -Original Message-
: Sent: Friday, June 20, 2003 4:00 PM
: To: Multiple recipients of list ORACLE-L
:
:
: Beth,
:
: You are right in stating that OPS$ accounts are not inherently insecure.
:
: How is the inclusion of domain name any more secure than using OPS$?
: Granted, the hacker has to guess the domain name in addition to user
: name, but so is using any other prefix other than OPS$.
:
: Besides if the users are not static, the domain names will be different.
: How will you address that issue? For instance, your domain name is
: MYCODOMAIN1 and your windows userid is mycodomain1\bseefelt, so the
: Oracle userid, as you propose should be "mydomain\bseeth". If you login
: to another domain, say, MYDOMAIN2, this account is no longer valid. So,
: I would say, mixing domains with username may not be a good idea, unless
: of course you have a single domain.
:
: Arup
:
:
: - Original Message -
: To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
: Sent: Friday, June 20, 2003 10:10 AM
:
:
: >
: > I disagree.  Remote OS authentication is not inherently insecure in
: > Windows like it is in Unix.  If you prefix the account names with the
: > domain name, a user would not only have to spoof the username, he
: > would have to spoof the domain name too.  At that point, you probably
: > have bigger problems than access to your database.  Also, in that
: > situation, only the security token is going over the network, not your
: > password in clear text.  The caveat is that you should be using the
: > *domain name* as the prefix, not OPS$.
: >
: > -Original Message-
: > Sent: Friday, June 20, 2003 6:20 AM
: > To: Multiple recipients of list ORACLE-L
: >
: >
: > Hi Arup,
: >
: > Remote OS authentication whether with OPS$ or not is still a risk. You
: > are intimating that SYSTEM is the only risky account involved here.
: > What if any of the newly created OPS$ accounts have useful privileges.
: > I have seen a similar application to the one described recently. There
: > were forms within the application for administration and user
: > management (in oracle, not the application) and the users who had
: > access to these were assigned the DBA role and were of course external
: > accounts.
: >
: > I think what you should add to your comment is that the issue is
: > overrated is that any OPS$ / external accounts should not have any
: > dangerous privileges granted and certainly not DBA. If you can guess
: > the name of an admin account even if it's OPS$ then the issue is still
: > severe.
: >
: > cheers
: >
: > Pete
: >
: > --
: > Pete Finnigan
: > email:[EMAIL PROTECTED]
: > Web site: http://www.petefinnigan.com - Oracle security audit
: > specialists Book:Oracle security step-by-step Guide - see
: > http://store.sans.org for details.
: >
: > --
: > Please see the official ORACLE-L FAQ: http://www.orafaq.net
: > --
: > Author: Pete Finnigan
: >   INET: [EMAIL PROTECTED]
: >
: > Fat City Network Services-- 858-538-5051 http://www.fatcity.com
: > San Diego, California-- Mailing list and web hosting services
: > -
: > To REMOVE yourself from this mailing list, send an E-Mail message
: > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
: > the message BODY, include a line containing: UNSUB ORACLE-L (or the
: > name of mailing list you want to be removed from).  You may also send
: > the HELP command for other information (like subscribing).

Re: IO Topology Anyone???

2003-06-22 Thread Tanel Poder
Hi!

It just adds one more tab "storage layout" to your OEM console. If you are
running on EMC you can drill down physical storage information to see on
which disks your datafiles actually reside.

I haven't heard that they have it for Veritas yet... but I've not worked
with it either, EMC has its own tool for same kind of thing anyway.

Tanel.

- Original Message -
To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
Sent: Monday, June 23, 2003 6:39 AM


>
> Robert,
>
> Have any URL's to explain this?
>
> Anything to do with Oracle Managed Files?
>
> Jared
>
> On Thursday 19 June 2003 10:55, Freeman Robert - IL wrote:
> > Anyone use the IO Topology features with Oracle9iR2 and Veritas? Does
> > Veritas have a mapping file that you can use with this feature? (I've
posed
> > the same question with Veritas, so it's a race to the answer!) Any
> > experiences you can share about this feature?
> >
> > Robert




Re: IO Topology Anyone???

2003-06-22 Thread Mladen Gogala
I don't have URL, but you can find what it's all about in the Metalink note:

Doc ID: 	Note:177498.1
Type: 	BULLETIN
Status: 	PUBLISHED
	 
Content Type: 	TEXT/PLAIN
Creation Date: 	23-FEB-2002
Last Revision Date: 	08-APR-2003

On 2003.06.22 23:39, Jared Still wrote:
Robert,

Have any URL's to explain this?

Anything to do with Oracle Managed Files?

Jared

On Thursday 19 June 2003 10:55, Freeman Robert - IL wrote:
> Anyone use the IO Topology features with Oracle9iR2 and Veritas? Does
> Veritas have a mapping file that you can use with this feature? (I've posed
> the same question with Veritas, so it's a race to the answer!) Any
> experiences you can share about this feature?
>
> Robert
--
Mladen Gogala
Oracle DBA


Re: oracle authentication from windows

2003-06-22 Thread bulbultyagi
Hello Arup, I am using Oracle 9.2.0.1.0 Enterprise Edition on Windows XP.
My os_authent_prefix='' (I know, after reading your post, that it's a
security flaw, but since this is just a test database on a single
computer not on the network, let it be).


: Are you logging in the server through TCPIP? If you are logging in the
: server directly you should be using IPC and then you can use the local
: server logins. By the way what is your Oracle version (in full, e.g. 9.2,
: not just 9i).
I am logging in directly into the computer, not via telnet.
I did the following
create user administrator identified externally
default tablespace users
temporary tablespace temp
quota unlimited on users ;

grant create session , create table to administrator;

now the winxp user is able to log into his schema ( after physically
logging into this stand alone computer ) by using sqlplus
/@service_name ONLY AS LONG AS I KEEP remote_os_authent=true
other parameters :
sqlnet_authentication_services=(none)
remote_login_passwordfile=exclusive
remote_os_roles=false

As soon as I do the following :

alter system set remote_os_authent=false scope=spfile;
shutdown
startup
SQL> conn /@service_name
ERROR:
ORA-01004: default username feature not supported; logon denied
Warning: You are no longer connected to ORACLE.

but
after setting remote_os_authent=true and bouncing the database
SQL> conn /@service_name
Connected.
SQL> show user
USER is "ADMINISTRATOR"
SQL>

That is the question which has me stumped.
Any ideas ?

Question number 2 :
I have sqlnet_authentication_services=(none)
Does this mean that Oracle is instructed to accept any external
authentication or does it mean that Oracle is being instructed not to
trust any external authentication ?
I use sqlnet_authentication_services=(none) and am able to log in the
winxp administrator ( as I show above) how did that work then ?


Question number 3 :
Assume that sqlnet_authentication_services=(none). If there is an
externally identified user called scott (when os_authent_prefix='')
or ops$scott (when os_authent_prefix='ops$'), either which way suppose
there is some user called X who is to be identified externally, does
this mean that anyone on the network can create an operating system
user called X (after taking into account the value of
os_authent_prefix), log into their own computer using their own
password and then log into the Oracle schema of X?
Or will that depend on the value of remote_os_authent?


..

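
The settings and the account type raised in the message above can be reviewed from the data dictionary. This is an added example, not part of the original thread: it assumes a 9i/10g-era dictionary in which externally identified accounts show PASSWORD = 'EXTERNAL' in DBA_USERS, and the REVIEW flag column is a hypothetical convention that follows the least-privilege point made elsewhere in this thread.

```sql
-- Added example (not from the original thread). Run as a user with
-- SELECT access to V$PARAMETER and the DBA_* dictionary views.

-- 1. Current values of the OS-authentication parameters discussed above.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_os_authent',
                'os_authent_prefix',
                'remote_os_roles',
                'remote_login_passwordfile')
ORDER  BY name;

-- 2. Every externally identified account with its directly granted
--    roles and system privileges.
--    Assumption: pre-11g dictionary, where DBA_USERS.PASSWORD holds the
--    literal 'EXTERNAL' for IDENTIFIED EXTERNALLY accounts. On 11g and
--    later, filter on DBA_USERS.AUTHENTICATION_TYPE = 'EXTERNAL' instead.
--    REVIEW = 'YES' marks grants that conflict with least privilege:
--    the DBA role, any "ANY" system privilege, or anything held
--    WITH ADMIN OPTION.
SELECT u.username,
       u.account_status,
       'ROLE'           AS grant_type,
       rp.granted_role  AS granted,
       rp.admin_option,
       CASE
         WHEN rp.granted_role = 'DBA' OR rp.admin_option = 'YES'
         THEN 'YES' ELSE 'NO'
       END              AS review
FROM   dba_users u
       JOIN dba_role_privs rp ON rp.grantee = u.username
WHERE  u.password = 'EXTERNAL'
UNION ALL
SELECT u.username,
       u.account_status,
       'SYSTEM PRIVILEGE',
       sp.privilege,
       sp.admin_option,
       CASE
         WHEN sp.privilege LIKE '% ANY %' OR sp.admin_option = 'YES'
         THEN 'YES' ELSE 'NO'
       END
FROM   dba_users u
       JOIN dba_sys_privs sp ON sp.grantee = u.username
WHERE  u.password = 'EXTERNAL'
ORDER  BY 1, 3, 4;

-- 3. Externally identified accounts that have no grants at all and so
--    do not appear in query 2 (they cannot even create a session).
SELECT u.username, u.account_status
FROM   dba_users u
WHERE  u.password = 'EXTERNAL'
AND    NOT EXISTS (SELECT 1 FROM dba_role_privs rp
                   WHERE  rp.grantee = u.username)
AND    NOT EXISTS (SELECT 1 FROM dba_sys_privs sp
                   WHERE  sp.grantee = u.username)
ORDER  BY u.username;
```

Query 2 lists direct grants only; privileges reached through nested roles need a further expansion of DBA_ROLE_PRIVS.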


Re: RAC vs. OPS a comparison

2003-06-22 Thread Mladen Gogala
Well, the greatest novelty in RAC is synchronizing blocks without write to
disk. Here is how it works:

OPS:

1) Instance A requests instance B to downgrade its (PCM) lock for block C
   from X --> N.
2) Instance B writes block C to disk and downgrades lock to N.
3) Instance A reads block C into its own SGA and upgrades lock from N --> X.

RAC:

1) Instance A requests instance B to downgrade its (PCM) lock for block C
   from X --> N.
2) Instance B sends the current version of block C through the interconnect
   to the instance A and downgrades the lock from X --> N.
3) Instance A puts the received block into its own SGA and upgrades the lock
   from N --> X.

Also, RAC can deliver a read consistent version of a block, but OPS in 8.1.7
can do that too (BSP process). This was sold as "cache fusion". With the
advent of ultrafast interconnects such as HP hyperfabric (4GB/sec), it became
much faster to develop a mechanism for sending a block down the pipe instead
of writing it to disk and reading it from disk. Also, with the ultrafast CPUs
with the usual usage not surpassing 10%, it became acceptable to use
releasable locks which require a great deal of string copying and hash
searching, both fairly CPU intensive operations. Hashed (static) locks,
covering a fixed range of blocks, were much cheaper in CPU terms but the false
pinging was just killing the OPS, especially after new files have been added.
RAC is much, much faster. Nevertheless, I'd advise functional partitioning of
the application system on both RAC and OPS so that related data is accessed
from the same node, thus minimizing DML overhead. Oh yeah, I forgot, it's no
longer just "DML", it's "IDML" now ("I" stands for "Integrated").

On 2003.06.22 23:34, "Kaing, Leng" wrote:
Hi,

I don't remember seeing any doco as such, but you need to look at what's new
in RAC and compare it to OPS. eg. No pinging on read and write, easier admin.
etc. Can't remember off the top of my head.
Rgs,

Leng.

--
 From: "VIVEK_SHARMA" <[EMAIL PROTECTED]>
 Date: Wed, 18 Jun 2003 11:16:31 +0530
 Subject: RAC vs. OPS a comparison ?
RAC vs. OPS any comparison study , doc , link ?

Need it for customer already on OPS , who is considering moving to RAC

Thanks

--
Leng Kaing
Email: [EMAIL PROTECTED]
Phone: +61-3-9203-7589
Mobile: +61-417-371-348
--
Mladen Gogala
Oracle DBA


Re: IO Topology Anyone???

2003-06-22 Thread Jared Still

Robert,

Have any URL's to explain this?

Anything to do with Oracle Managed Files?

Jared

On Thursday 19 June 2003 10:55, Freeman Robert - IL wrote:
> Anyone use the IO Topology features with Oracle9iR2 and Veritas? Does
> Veritas have a mapping file that you can use with this feature? (I've posed
> the same question with Veritas, so it's a race to the answer!) Any
> experiences you can share about this feature?
>
> Robert



Re: Look's like Larry's at it again...

2003-06-22 Thread Jared Still

Most people don't say it properly. ( it's or-uh-gun )

Dan can't even spell it.  ;)

Jared

On Friday 20 June 2003 13:54, Daniel Fink wrote:
> I figured he'd try for something closer to home...say Oragon?
>
> Then Bill would want to buy Mississippi (postal abbreviation MS for our
> non-us listers).
>
> "Jesse, Rich" wrote:
> > Oracle Makes Bid to Buy State of Delaware
> >
> > Software giant willing to assume state's $225 million deficit in exchange
> > for
> > legislative control, naming rights
> >
> > Wilmington, DE - Oracle CEO Larry Ellison today announced his intention
> > to purchase the state of Delaware for $300 million in cash and Oracle
> > stock. The
> > move comes on the heels of Oracle's bid for rival software firm
> > PeopleSoft, and is the first time that an offer has been made to buy a
> > U.S. territory.
> >
> > Delaware governor Ruth Ann Minner responded to the bid with shock and
> > seemed certain that the hostile takeover could be avoided.
> >
> > "Oracle's bid comes as a big surprise to the government and people of
> > Delaware", said Minner at a press conference. "At this point, we are
> > checking
> > into whether or not a company, such as Oracle, can buy a state, and
> > whether or
> > not Delaware is actually for sale."
> >
> > Oracle's announcement sent shockwaves through the political and economic
> > landscape.  Oracle shares dropped 8% immediately following the
> > announcement, only to rebound and break even for the day, with heavy
> > volume being traded. Meanwhile, government officials in Washington
> > scrambled to look into the legality of such a purchase, and who actually
> > currently owns Delaware.
> >
> > In an afternoon press conference, Ellison seemed certain that Oracle
> > would own
> > Delaware in the near future.
> >
> > "The fact is that the state of Delaware is in a budget crisis that it can
> > not
> > resolve. Oracle's bid will immediately pump $300 million into the state
> > budget, and (Oracle) will also be assuming all current Delaware debt.
> > Call this a 'hostile takeover' if you must, but the people of this great
> > state deserve a better future, and I will be able to give them just
> > that."
> >
> > President Bush, who was giving a speech to coal miners in Kentucky,
> > called the
> > Oracle bid "interesting" and added that "49 states would be easier for me
> > to handle than 50".
> >
> > Ellison rival Tom Siebel called the move "typical", and added "Larry
> > thinks he
> > can take over the world, and I guess he thinks this is a good place to
> > start.
> > I personally would have targeted Vermont."
> >
> > Ellison defended his decision, citing fourteen state parks, a minor
> > league baseball franchise, an annual Nascar race in Dover, and the annual
> > Great Delaware Kite Festival as reasons that Delaware is primed for
> > success.
> >
> > "Delaware is a state rich in tradition and excitement. None of the
> > existing festivals or events will be changed. I mean, who doesn't love
> > minor league baseball and kites?"
> >
> > If the takeover bid is successful, Ellison plans to place several Oracle
> > executives in key state government positions, and is considering
> > re-naming the
> > state either New Ellison or OracleLand.
> >
> > [Couldn't resist, Jared!  Hope it's not too OT!]



Re: RAC vs. OPS a comparison

2003-06-22 Thread Kaing, Leng
Hi,

I don't remember seeing any doco as such, but you need to look at what's new in RAC 
and compare it to OPS. eg. No pinging on read and write, easier admin. etc. Can't 
remember off the top of my head. 

Rgs,

Leng.

--
 From: "VIVEK_SHARMA" <[EMAIL PROTECTED]>
 Date: Wed, 18 Jun 2003 11:16:31 +0530
 Subject: RAC vs. OPS a comparison ?

RAC vs. OPS any comparison study , doc , link ?

Need it for customer already on OPS , who is considering moving to RAC 

Thanks

--
Leng Kaing
Email: [EMAIL PROTECTED]
Phone: +61-3-9203-7589
Mobile: +61-417-371-348



RE: MS Access as a front-end to Oracle DB

2003-06-22 Thread Mark Richard

I have had some recent exposure to Access - people asking me to investigate
why their query runs for so long.  I can understand that if one table in
the query is local then Access has to pretty much work locally, but I have
been terribly surprised at how it approaches multi-table queries sometimes.

I've seen it work on a single table at a time and then pass a bind variable
to the next table to simulate a join.  The example I was looking at most
recently turned one query into 80,000 queries as a result - just what
production needs when it's busy already.  My best guess is that Access
sees foreign tables as individual foreign tables.  Perhaps it doesn't
worry about where the foreign tables come from and therefore treats them
all as individual entities?  Anyway, that's just a guess as to why Access
would break a simple join into two queries.


"Goulet, Dick" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED].com
21/06/2003 08:04
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
cc:
Subject: RE: MS Access as a front-end to Oracle DB




Yes, you are misunderstanding it.  A simple statement like yours will result
in only the data required being sent over the network.  But if you add in a
second table things change, especially if that table is a local access
table.

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

-Original Message-
Sent: Friday, June 20, 2003 5:45 PM
To: Multiple recipients of list ORACLE-L


Hi all:

I have been hearing from many people that MS Access is
bad as a front-end tool because it tends to do data
processing on the client side instead of the DB side
thus moving way too much data over the network.
Assuming that this is correct, what is the mechanism
of this? If I execute a simple query like:

select f1, f2 from t1
where f3='X';

is MS access going to copy the whole table t1 to my
machine and only show the rows with f3 equal to 'X'?
Am I misunderstanding it?

tia

Gene

--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Gurelei
  INET: [EMAIL PROTECTED]


RE: oracle authentication from windows

2003-06-22 Thread Seefelt, Beth

Hi Pete,

I don't think that's true about booting a PC with the same domain name
that's not really part of the domain.  Have you ever tried it?  I'd be
really interested if it works.

I don't understand the part about booting into Linux and changing the
username as its sent.  Isn't the only username passed / ?  Or are you
talking about poking things at the packet level to make sqlnet think the
user is domain authenticated.

Cheers,

Beth

-Original Message-
Sent: Friday, June 20, 2003 6:49 PM
To: Multiple recipients of list ORACLE-L


Hi Beth

OK, I get your point but Arup was talking about automatic connections by
setting remote_os_authent to true where you can either set the prefix to
OPS$ or use identified externally. For these connections the user should
not be prefixed by the domain name in the database. On the other hand
using windows NT authentication and prefixing with the domain name can
be spoofed by using a client that is not trusted such as windows 95 or
98 and setting the context to any domain you wish and adding the correct
user. The other option is to insert a linux bootable CD and alter the
username as it is sent.

I agree with you that use of the domain method is better, BUT the point
I was trying to make is still valid. That is to ensure that any external
account observes the least privilege principle.

cheers

Pete



In article <[EMAIL PROTECTED]>, Seefelt, Beth
<[EMAIL PROTECTED]> writes
>
>I disagree.  Remote OS authentication is not inherently insecure in
>Windows like it is in Unix.  If you prefix the account names with the
>domain name, a user would not only have to spoof the username, he would
>have to spoof the domain name too.  At that point, you probably have
>bigger problems than access to your database.  Also, in that situation,
>only the security token is going over the network, not your password in
>clear text.  The caveat is that you should be using the *domain name*
>as the prefix, not OPS$.
>
>-Original Message-
>Sent: Friday, June 20, 2003 6:20 AM
>To: Multiple recipients of list ORACLE-L
>
>
>Hi Arup,
>
>Remote OS authentication whether with OPS$ or not is still a risk. You 
>are intimating that SYSTEM is the only risky account involved here. 
>What if any of the newly created OPS$ accounts have useful privileges. 
>I have seen a similar application to the one described recently. There 
>were forms within the application for administration and user 
>management (in oracle, not the application) and the users who had 
>access to these were assigned the DBA role and were of course external 
>accounts.
>
>I think what you should add to your comment is that the issue is 
>overrated is that any OPS$ / external accounts should not have any 
>dangerous privileges granted and certainly not DBA. If you can guess 
>the name of an admin account even if it's OPS$ then the issue is still
>severe.
>
>cheers
>
>Pete
>
>--
>Pete Finnigan
>email:[EMAIL PROTECTED]
>Web site: http://www.petefinnigan.com - Oracle security audit
>specialists
>Book:Oracle security step-by-step Guide - see http://store.sans.org for
>details.
>

-- 
Pete Finnigan
email:[EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit
specialists Book:Oracle security step-by-step Guide - see
http://store.sans.org for details.


RE: oracle authentication from windows

2003-06-22 Thread Seefelt, Beth

Because external authentication checks the domain name you are logged
into.  You can't log into a local user JKILCHOE and connect to the
externally authenticated database user "MYDOMAIN\JKILCHOE".

Beth

-Original Message-
Sent: Friday, June 20, 2003 4:05 PM
To: Multiple recipients of list ORACLE-L


(my question follows)

> -Original Message-
> From: Seefelt, Beth [mailto:[EMAIL PROTECTED]
>
> I disagree.  Remote OS authentication is not inherently insecure in
> Windows like it is in Unix.  If you prefix the account names with the
> domain name, a user would not only have to spoof the username, he
> would have to spoof the domain name too.  At that point, you probably
> have bigger problems than access to your database.  Also, in that
> situation, only the security token is going over the network, not your
> password in clear text.  The caveat is that you should be using the
> *domain name* as the prefix, not OPS$.


I don't understand how to accomplish this in practice. I currently sign
on to the Windows Network for domain MYDOMAIN with userid JKILCHOE. By
running the query suggested by Mr. Nanda I see that Oracle thinks my
username is jkilchoe:
SQL> select sys_context ('userenv', 'os_user') from dual

SYS_CONTEXT('USERENV','OS_USER')
-
jkilchoe

If I set
os_authent_prefix = MYDOMAIN
and create an Oracle username MYDOMAINJKILCHOE

how does that stop someone else from creating a local user JKILCHOE on
their machine, signing on to their local machine as JKILCHOE, and then
using SQL*Net to connect to the database as MYDOMAINJKILCHOE ?

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jacques Kilchoer
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the
message BODY, include a line containing: UNSUB ORACLE-L (or the name of
mailing list you want to be removed from).  You may also send the HELP
command for other information (like subscribing).


RE: oracle authentication from windows

2003-06-22 Thread Seefelt, Beth

No, that's not true.  It actually uses your NT security token to
validate that you are authenticated in the domain.  You can't just give
a rogue PC the same domain name, boot it up, and log into the database
with external authentication.  The PC would have to be a domain member,
which means you have to have the domain admin password to join the
domain, along with the user's password so that you could log into the
domain as them.  The same is not true if you use another prefix such as
OPS$.


-Original Message-
Sent: Friday, June 20, 2003 4:00 PM
To: Multiple recipients of list ORACLE-L


Beth,

You are right in stating that OPS$ accounts are not inherently insecure.

How is the inclusion of domain name any more secure than using OPS$?
Granted, the hacker has to guess the domain name in addition to user
name, but so is using any other prefix other than OPS$.

Besides if the users are not static, the domain names will be different.
How will you address that issue? For instance, your domain name is
MYCODOMAIN1 and your windows userid is mycodomain1\bseefelt, so the
Oracle userid, as you propose should be "mydomain\bseeth". If you login
to another domain, say, MYDOMAIN2, this account is no longer valid. So,
I would say, mixing domains with username may not be a good idea, unless
of course you have a single domain.

Arup


- Original Message -
To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
Sent: Friday, June 20, 2003 10:10 AM


>
> I disagree.  Remote OS authentication is not inherently insecure in 
> Windows like it is in Unix.  If you prefix the account names with the 
> domain name, a user would not only have to spoof the username, he 
> would have to spoof the domain name too.  At that point, you probably 
> have bigger problems than access to your database.  Also, in that 
> situation, only the security token is going over the network, not your
> password in clear text.  The caveat is that you should be using the
> *domain name* as the prefix, not OPS$.
>
> -Original Message-
> Sent: Friday, June 20, 2003 6:20 AM
> To: Multiple recipients of list ORACLE-L
>
>
> Hi Arup,
>
> Remote OS authentication whether with OPS$ or not is still a risk. You
> are intimating that SYSTEM is the only risky account involved here.
> What if any of the newly created OPS$ accounts have useful privileges.
> I have seen a similar application to the one described recently. There
> were forms within the application for administration and user
> management (in oracle, not the application) and the users who had
> access to these were assigned the DBA role and were of course external
> accounts.
>
> I think what you should add to your comment is that the issue is
> overrated is that any OPS$ / external accounts should not have any
> dangerous privileges granted and certainly not DBA. If you can guess
> the name of an admin account even if it's OPS$ then the issue is still
> severe.
>
> cheers
>
> Pete
>
> --
> Pete Finnigan
> email:[EMAIL PROTECTED]
> Web site: http://www.petefinnigan.com - Oracle security audit specialists
> Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
>
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Arup Nanda
  INET: [EMAIL PROTECTED]


Re: oracle authentication from windows

2003-06-22 Thread Pete Finnigan
Hi Arup,

Thanks for the reply, I agree with you that ops$ accounts are definitely
weaker than database authenticated accounts. I would always advocate
trying to find another way to allow access if possible, I understand
that in some cases remote authentication is what an organisation chooses
to use because other options are not as useful to them. What I said in
my first email still stands "least privilege principle" but if possible
don't use external accounts and even less so remote external accounts,
try to find another solution. BUT yes sometimes they have to be used and
you are right to suggest a sound way to use them.

cheers

Pete 

In article <[EMAIL PROTECTED]>, Arup Nanda
<[EMAIL PROTECTED]> writes
>Hi Pete,
>
>I think you misunderstood. OPS$ accounts are weaker than the regular
>accounts; but I maintain that they are not so insecure that they should be
>outright banned. My position is they can be created if needed, but the
>privileges should be granted judiciously, something that has to be done even
>in regular accounts. OPS$ accounts with DBA privs - a big NO NO.

-- 
Pete Finnigan
email:[EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
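
The least-privilege point made in this exchange (external accounts should never carry DBA or similarly powerful privileges) can be checked with a data-dictionary audit. The queries below are an added example, not something posted in the thread; they assume a release where DBA_USERS has the AUTHENTICATION_TYPE column, and the list of privileges treated as dangerous is an illustrative choice.

```sql
-- Added audit example; the list of "dangerous" privileges is illustrative.
-- Assumes a release where DBA_USERS has AUTHENTICATION_TYPE; on older
-- releases filter on dba_users.password = 'EXTERNAL' instead.

-- 1. Settings that control OS authentication for this instance.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Externally identified accounts that hold the DBA role or a powerful
--    system privilege, directly or through nested roles.
WITH ext_users AS (
  SELECT username
  FROM   dba_users
  WHERE  authentication_type = 'EXTERNAL'
),
reachable AS (
  -- The account itself, so that direct grants are included ...
  SELECT username AS ext_user, username AS grantee
  FROM   ext_users
  UNION
  -- ... plus every role it reaches through the role hierarchy.
  SELECT CONNECT_BY_ROOT rp.grantee, rp.granted_role
  FROM   dba_role_privs rp
  START WITH rp.grantee IN (SELECT username FROM ext_users)
  CONNECT BY PRIOR rp.granted_role = rp.grantee
)
SELECT r.ext_user, r.grantee AS granted_via, sp.privilege AS finding
FROM   reachable r
JOIN   dba_sys_privs sp ON sp.grantee = r.grantee
WHERE  sp.privilege LIKE '% ANY %'
   OR  sp.privilege IN ('ALTER USER', 'CREATE USER', 'ALTER SYSTEM',
                        'BECOME USER')
UNION ALL
SELECT ext_user, grantee, 'DBA role'
FROM   reachable
WHERE  grantee = 'DBA'
ORDER  BY 1, 2, 3;
```

Any row returned by the second query is an externally authenticated account whose compromise would go beyond its own data; remote_os_authent = TRUE in the first query means the database trusts the client's claim of OS identity.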



RE: copy a datafile to a raw device

2003-06-22 Thread Hemant K Chitale
Stephen / Gene,

Actually there is no difference between Raw Devices and File Systems
when Oracle reads/writes Oracle Blocks.  It is the OS interface that
is different -- Character-device or Block-device.
Most OSs include a header portion in a Raw Device which must be skipped
because when Oracle makes read/write calls to the file [ie, the Raw Device]
the OS automatically ignores the header.
See these Notes on MetaLink
1.  Note 23037.1 on Raw Partitions as Oracle Data Files
2.  Note 45351.1  for Digital Unix  [skip block of 64K]
3.  Note 146384.1 for HP-UX  [skip block of 8K]
4.  Note 153892.1  on how to use RMAN to copy the data
Hemant

At 01:19 PM 19-06-03 -0800, you wrote:

I might expand on this some.  If you think about it, any time you store
bytes on something, the storing process has to make a note of where it put
the bytes; maybe how many bytes it put there; if the bytes are not
contiguous, then info about where one set leaves off and where the next set
picks up.  And on and on ...
I've never worked with Oracle raw devices and am just guessing here, but
applying some knowledge about how other forms of storage work, it seems
logical that Oracle would have to "format" the raw device and essentially
create a sort of proprietary "file system" there.  If you just toss some
bytes on a raw device and tell Oracle to go get 'em, then I'm guessing
Oracle will just say something like: "This might be a raw device, but it
ain't no stinkin' ORACLE raw device."
Or, to put it another way: "What's this merde?"  (Pardon my French.)

(You have to wonder if there is an error message *something* like this
buried down in the Oracle kernel by some irreverent programmer.)
> -Original Message-
> From: Stephen Lee
> Sent: Thursday, June 19, 2003 3:27 PM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: copy a datafile to a raw device
>
>
>
> Well heck.  Nobody else has replied, so I might take a stab at it here.  I
> suspect that the format of the data (bits and bytes) required on a raw
> device is different than the format of the data in a file in a file system.
> I'm stretching a bit here, but I think an analogy would be what would happen
> if you dd a file from UFS to NTFS.  The data on the NTFS might be a digital
> copy of what was on UFS, but its format is totally useless in the context
> of NTFS.
>
> > -Original Message-
> > From: Gurelei [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, June 19, 2003 1:55 PM
> > To: Multiple recipients of list ORACLE-L
> > Subject: copy a datafile to a raw device
> >
> >
> > hi all:
> >
> > I need to move a SYSTEM datafile from a filesystem
> > to a raw device. I have shutdown the database,
> > copied the file via
> >
> > dd if=system of=/dev/raw
> >
> > renamed the file in the database, but couldn't open
> > the database because of the error: Unknown File Header
> > Version read for file number 1.
> >
> > I tried another dd:
> >
> > dd if=system of=/dev/raw obs=32768 (32K is the db
> > block size), but I got the same error. Can anyone
> > see what else could be wrong with my dd command
> >
> > thanks
> >
> > Gene
> >
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Stephen Lee
  INET: [EMAIL PROTECTED]
Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing