Database Reference
I believe that the Oracle Corporation could make a sweeping change to the database that would
improve security. The sweeping change would be to make PUBLIC a regular role. Perhaps the PUBLIC role
would be granted by default and additionally not lost when a user does a SET ROLE. However, PUBLIC
would not be whatever it is now. Currently, when access is granted to PUBLIC, it is like saying that no
grants are required. We cannot revoke PUBLIC from users. Every Oracle user always has PUBLIC access.
I can see how the use of PUBLIC is like making certain things a part of an Oracle user's identity.
Maybe what I'm really shooting for is an almost-PUBLIC role that the Oracle database could grant as a default
and that would not get removed when a user does SET ROLE. At database install, some or most of the
things that are normally granted to PUBLIC (anything that is not strictly required for logon and select)
could be granted to almost-PUBLIC. Then for restricted users, we could revoke the almost-PUBLIC role.
Have I gone off the deep end? Well, let's take a look. First, select from a public view to see all the
users in the database:
SELECT * FROM ALL_USERS;
By listing all the database users, an attacker has multiple opportunities to try password guessing, or
perhaps finds multiple individuals to contact in an attempt to do a social engineering attack. I'd like to
turn off access to that PUBLIC view.
What if we'd like to know the names of all the Oracle procedures that are owned by the application
security user, appsec? We could query the ALL_PROCEDURES PUBLIC view:
SELECT * FROM ALL_PROCEDURES WHERE OWNER = 'APPSEC';
Now let's view the code for one of those procedures, p_check_role_access, by querying the
ALL_SOURCE PUBLIC view:
SELECT * FROM ALL_SOURCE WHERE OWNER = 'APPSEC' AND NAME = 'P_CHECK_ROLE_ACCESS';
Granted, the user can only see the source of procedures that have been granted to PUBLIC, but is that
source really something the user needs to see? We shall see that it is not.
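From the DBA side, the exposure described above can be measured before deciding what to revoke. The following audit is an added example, not code from the original text; it assumes a session that can read the standard DBA_TAB_PRIVS, DBA_OBJECTS and DBA_SOURCE dictionary views, and uses the APPSEC schema named above.

```sql
-- Added example: audit of what PUBLIC can see. Run as a DBA.

-- 1. Are the dictionary views queried above granted to PUBLIC?
--    (The privilege column may show SELECT or READ depending on the release.)
SELECT owner, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name IN ('ALL_USERS', 'ALL_PROCEDURES', 'ALL_SOURCE')
 ORDER BY table_name, privilege;

-- 2. Which APPSEC objects are granted to PUBLIC, and what kind are they?
--    Package bodies are excluded so each package is listed once.
SELECT p.table_name AS object_name,
       o.object_type,
       p.privilege,
       p.grantor
  FROM dba_tab_privs p
  JOIN dba_objects o
    ON o.owner = p.owner
   AND o.object_name = p.table_name
 WHERE p.grantee = 'PUBLIC'
   AND p.owner = 'APPSEC'
   AND o.object_type <> 'PACKAGE BODY'
 ORDER BY o.object_type, p.table_name;

-- 3. How much APPSEC source does that EXECUTE grant expose through ALL_SOURCE?
--    Package bodies are left out: a grantee holding only EXECUTE sees the
--    package specification, not the body.
SELECT s.name, s.type, COUNT(*) AS exposed_source_lines
  FROM dba_source s
 WHERE s.owner = 'APPSEC'
   AND s.type <> 'PACKAGE BODY'
   AND EXISTS (SELECT 1
                 FROM dba_tab_privs p
                WHERE p.grantee = 'PUBLIC'
                  AND p.owner = s.owner
                  AND p.table_name = s.name
                  AND p.privilege = 'EXECUTE')
 GROUP BY s.name, s.type
 ORDER BY s.name, s.type;
```

An empty result from the second and third queries means nothing in APPSEC is reachable through PUBLIC; any rows returned are the candidates for moving to a narrower grant.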
Create a New Oracle Database Instance
We need about 2 GB of space on the hard drive to create a sufficiently large database to hold just what
we need to do application verification. “Why that much?” you might ask. Remember that to do
application verification we need a basic Oracle database, and we need the data dictionary views, and we
need to run PL/SQL, and we need to run Java. On top of that, for two-factor authentication, we need to
send e-mail, and we need to configure system privileges to read data across the network (URLs). All of these
functions require space.
We will call our new database instance apver (notice it is like the appver user name, except with only
one “P”). We need an initialization/parameter configuration file in order to build our new database
instance. If you are creating the apver instance on a server that already has an installed instance, e.g.,
ORCL, then you can copy some files that will be helpful. One of those files is called init.ora. Change
directory to where these files reside, outside your server Oracle home directory:
D:
cd \app\oracle\admin
Copy the entire orcl directory to a new directory named apver. This command will copy the
directory and all the contents.
xcopy orcl apver /ei
 