Privileges on a view
Granting too many privileges on a view could be disastrous. A view is often used as a security element; you grant access to only a subset of columns and rows to one user. Mostly only SELECT. If you want to grant update to only some rows, the security could be enhanced with the WITH CHECK […]
powershell code signing
Unix users don’t use this. Maybe some java developers do. But no Unix sysadmins. Never. On Windows, things are getting more secure every release, especially if you pay attention to those details. In Unix, if I have a script called “getdate” which shows me the date, I can copy it to another machine. $ cat […]
disallow pseudo terminal in ssh
Some Oracle documentation wants you to setup ssh with no password and no passphrase. Configuring ssh This is not really something your security admin will like. First, using DSA, which is deprecated and disabled by default in OpenSSH 7.0, is a pretty dump instruction OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key […]
Administrative privileges like SYSDBA
The most well-known administrative privilege is sysdba. Back in Oracle 7.2, oracle recommended to no longer use the INTERNAL but to connect as sysdba. A second one, seldom used, is SYSOPER. When you use sqlplus / as sysdba, or connect / as sysdba in sqlplus / srvmgrl, the you log as SYS. That’s the most […]
default listener port
Long time ago, Maxime Yuen registered 1521 for nCube License Manager. By googling I found : Ellison cleans house at nCube, and since them 1521 has been used as a default port for Oracle. Still, you’ll see nCube in IANA.ORG service names port numbers and in /etc/services the nCube name. I don’t know which one […]
lock sys
In the old days, locking sys had not much effect. SQL> alter user sys identified by *** account lock; User altered. SQL> select account_status from dba_users where username='SYS'; ACCOUNT_STATUS ——————————– LOCKED SQL> conn / as sysdba Connected. SQL> conn sys/** as sysdba Connected. SQL> conn sys/***@db01 as sysdba Connected. Well, in the very-old days, Oracle7, […]
Legacy users get ORA-01017 in 12.2
10g value string disappeared
Monitor audit_file_dest !
Until 11.2, audit_file_dest used to remain small with default settings and reasonably sized and active database. Suddenly, in 12c, you will sooned or later get ORA-09925: Unable to create audit trail file. At that point, no more connection is possible to the database, it is a complete loss of service. Why suddenly in 12c ? […]
generate safe passwords
This is probably ambitious and I’ll start with a disclaimer, there is no such thing. But ok, we know that system/manager isn’t Apart from system/manager, there are hundreds of weak passwords that are commonly used and easy to guess. On your database server, after a few tries, the account is lock. And maybe the attacker […]
Generate 11g password hash
An easy way to generate a value string from the ssl is to use openssl Let’s take a random salt of ABCDEFGHIJ. The length of 10 is important. The hexadecimal representation is -41-42-43-44-45-46-47-48-49-4A- $ echo "SafePassw0rDABCDEFGHIJ\c" | openssl dgst -sha1 (stdin)= 47cc4102144d6e479ef3d776ccd9e0d0158842bb With this hash, I can construct my value SQL> create user testuser identified […]
permission issue due to one role
Most permissions issues are due to a missing role or privilege. But in the following test case you need to revoke the right to get more privileges. create table tt(x number); create view v as select * from tt; create role rw; grant all on v to rw; I’ve created a read-write role on a […]
list database monitoring users
I am quite familiar with the SYSMAN tables but this one required me some googling beyond the Oracle documentation. The list of targets in your Oracle Enterprise Manager is in SYSMAN.MGMT_TARGETS. Each database target is monitored by a database user, typically DBSNMP. To retrieve this information, you need some to hijack your database, read this […]
Untrusted X11 forwarding
I wrote a while ago about my security concerns regarding xhost + xterm -display mypc:0 Way back then, I suggested ssh tunnel. SSH is pretty easy to set up, by enabling the X11Forwarding option. In OpenSSH 3.8 release note, 2004, there was a new default . ssh(1) now uses untrusted cookies for X11-Forwarding In the […]
run sudo, ssh, password, su in simulated interactive mode
Some commands do not like non-interactive mode $ passwd <<EOF > oldpassword > newpassword > newpassword > EOF Changing password for user lsc. Current password for lsc@example.com: passwd: Authentication token manipulation error $ echo oraclepassword | su – oracle standard in must be a tty $ echo sudopassword | sudo su – oracle [sudo] password […]
switch user in Oracle
Almost a decade ago I wrote about su in sqlplus. This 10gR2 “new” feature allows delegation à la sudo. By checking the DBA_USERS in 12c I found PROXY_ONLY_CONNECT. According to Miguel Anjo, there is a secret syntax for allowing only the proxy user. SQL> ALTER USER app_user PROXY ONLY CONNECT; SQL> CONNECT app_user/xyz ERROR:ORA-28058: login […]
SSL with PKCS12 truststore
Many many moons ago I vaguely remember having a similar issue with java keystore / truststore and microsoft certificates stores. When you start using SSL for your listener, you could potentially face a large number of issues amoung your toolsets. In my opinion, the most disastrous one is that you cannot monitor your database with […]
anonymous cypher suites for SSL (and a 12c pitfall)
If you configure your listener for encryption only, you do not really need authentication. It works pretty fine until 11.2.0.2, I wrote multiple posts on ssl. You add SSL_CLIENT_AUTHENTICATION=FALSE to your server sqlnet.ora and listener.ora and specify an “anon” cipher suite in your client. You do not need to validate the certificate, so a default […]
poor man ActiveDirectory password checker
To have the same users in multiple databases and no single sign on is quite a nightmare for password expiration, synchronisation and validation. You probably were discouraged by the long long route to kerberos, where the 11.2.0.2 bugs are fixed in 11.2.0.4, the 12.1 bugs are fixed in 12.2. And lot’s of system changes that […]
PLS-00201 in stored procedures
When you grant table access thru a role, you cannot use that role in a stored procedure or view. create role r; create user u1 identified by ***; grant create procedure, create session to u1; create user u2 identified by ***; grant create procedure, create session, r to u2; conn u1/*** create procedure u1.p1 is […]
ssl version
I wrote about ssl version in jdbc thin yesterday The default version also no longer works for the thick client with 12c client and 11g Server. With 11gR2 : C:> tnsping (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=SRV01)(PORT=1521))) TNS Ping Utility for 64-bit Windows: Version 11.2.0.4.0 OK (100 msec) with 12cR1 : C:> tnsping (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=SRV01)(PORT=1521))) TNS Ping Utility for 64-bit Windows: […]
TCPS and SSLv2Hello
Thanks to platform independence, the same java code work on different platforms. import java.util.Properties; import java.security.Security; import java.sql.*; import javax.net.ssl.*; public class KeyStore { public static void main(String argv[]) throws SQLException { String url="jdbc:oracle:thin:@(DESCRIPTION="+ "(ADDRESS=(PROTOCOL=TCPS)(Host=SRV01)("+ "Port=1521))(CONNECT_DATA=(SID=DB01)))"; Properties props = new Properties(); props.setProperty("user", "scott"); props.setProperty("password", "tiger"); props.setProperty("javax.net.ssl.trustStore", "keystore.jks"); props.setProperty( "javax.net.ssl.trustStoreType","JKS"); props.setProperty( "javax.net.ssl.trustStorePassword","***"); DriverManager.registerDriver( new oracle.jdbc.OracleDriver()); Connection […]
check if using tcps part II
in your current session, as written there, check sys_context('USERENV', 'NETWORK_PROTOCOL') in another session, you could grab some hints out of the network service banner. Do the maths, when it is not-not using ssl, it probably is… select sid,program, case when program not like 'ora___@% (P%)' then (select max(case when NETWORK_SERVICE_BANNER like '%TCP/IP%' then 'TCP' when […]
The long long route to Kerberos
If you want to single-sign-on to your database with your Windows credentials, be aware, it is hard! But the benefit is quite valuable, no more saved password on the client, central password management and user expiration, compliance to the security guidelines, and at no extra cost Landscape for my setup One PC with Windows (PC01.EXAMPLE.COM) […]
Do you really need ASO?
If you only use the Advanced Security Option for SSL, you may not need to pay for it ! License 11.2 When used with Oracle Real Application Clusters, Oracle Advanced Security SSL/TLS is included. But also License 11.1 Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no […]
hot to bypass requiretty in sudo
You can execute it a command without password from the commande line $ sudo -l User lsc may run the following commands on this host: (root) NOPASSWD: /usr/local/bin/helloworld $ sudo /usr/local/bin/helloworld Hello World! Now you try to run it via cron and you get sudo: sorry, you must have a tty to run sudo The […]
encrypt with openssl
I want to avoid cleartext password on my filesystem I encrypt my password with a secret key echo tiger | openssl enc -aes-256-cbc -k MyKey -out $HOME/myconfig Whenever I call a script, I pass the secret key sqlplus scott/$(openssl enc -d -aes-256-cbc -k MyKey -in $HOME/myconfig) Of course you still need the key {MyKey}, but […]
Enhancement Request : SSL listener and OEM
#em12c still does not support SSL ! Encrypting network connection (https, ssh, sftp) is common sense in today’s business. In Enhancement Request 6512390, Created 19-Oct-2007, the customer requested support for SSL. Most recent update : it is postponed to 13cR2 at least ! *** 09/14/12 04:04 am DISCUSSION ***As we kick off 13c release, cleaning […]
old-hash, SHA-1, SHA-2/512
Until pretty recently, only the dubious unsalted proprietary algorithm was available to store Oracle passwords. A bunch of tool where at the time able to decode any 6-8 characters in no time, and the rainbow approach was to precalculate all possibles passwords for a specific user. Those time are not really for away, only starting […]
grant select on sys tables
I prefer to use a powerful named user with dba rather than sys. It is more conform to the security policies in place regarding accounting of administrator operations. Very occasionaly, my user get ORA-1031 insufficient privileges even if I have the dba role. Amoung others, I have “PURGE DBA_RECYCLEBIN” and DBMS_STREAMS_AUTH.GRANT_ADMIN_PRIVILEGE update, 2012-07-24 For purge […]
xhost+ security hole part 2
Five years ago I wrote xhost+ is a huge security hole, I turned out red this morning when my neighbour sent me a smiley via X. Do I really want everyone to have full access to my screen? No, I don’t. And I don’t do xhost+. So why did it happen to me ??? I […]
This system is for the use of authorized users only.
How to bypass the login banners? There is actually more than one banner to bypass. One of the them is the message of the day banner, commonly located in /etc/motd. Typically friendly, example in AIX **************************************************************************** * * * * * Welcome to AIX Version 6.1! * * * * * * Please see the README file in /usr/lpp/bos for information […]