Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!zaphod.mps.ohio-state.edu!caen!june.engin.umich.edu!lwk
From: lwk@june.engin.umich.edu (Lewis W Kellum)
Newsgroups: comp.databases
Subject: Re: Using auto-login feature of Oracle
Message-ID: <1990Dec11.173403.29421@engin.umich.edu>
Date: 11 Dec 90 17:34:03 GMT
References: <911@attc.UUCP> <143900010@occrsh.ATT.COM> <2524@krafla.rhi.hi.is>
Sender: news@engin.umich.edu (CAEN Netnews)
Reply-To: lwk@caen.engin.umich.edu
Organization: Univ. of Michigan College of Engineering
Lines: 29

In article <2524@krafla.rhi.hi.is>, heimir@rhi.hi.is (Heimir Thor Sverrisson) writes:
|> This is one more addition to the "Oracle security joke under Unix". The
|> first part I came across was that user could run a utility from
|> the command line with his/her username/password as an argument!
|> Not only can a person looking over his shoulder see it as it is typed,
|> but everyone taking a long list of the processes ('ps axu'/'ps -ef') can
|> get easy access to Oracle.
|> With this workaround, somebody with read-access to the program sources
|> can get some passwords with 'grep -i connect *.c'!!!
|> The worst part of this big security joke is that you cannot even turn this
|> useless system off, and it's getting in the way of users all the time!
|> >--

I agree. In one of the earlier versions, any machine in the Internet could
do a 'connect internal' to our Oracle server. No password, no nuthin. All
they had to be was a dba at their local site.

I suspect the lack of auto login through the net is to prevent a similar
problem. If there were two users with the same login-id on two different
machines (or the same uid - I'm not sure which Oracle uses), how is Oracle
to decide which to authenticate?

|> >Steven R. McMaster           UNIX(R) mail: ...!uunet!att!occrsh!srm
|> >AT&T Network Systems
|> >Oklahoma City Works          Any opinions expressed in the message above are
|> >srm@occrsh.att.com           mine, and not necessarily AT&T's.
|> --
|> Heimir Thor Sverrisson       heimir@rhi.hi.is

--
Woody Kellum
Internet: lwk@caen.engin.umich.edu
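
An added example, not part of the original post or of any Oracle tooling: a small audit that reads 'ps -ef' output and reports processes whose arguments look like a username/password connect string, the exposure described in the quoted article. The program names, accounts and the token pattern are assumptions made up for the illustration.

```python
import re

# One argv token shaped like user/password or user/password@alias.
# Assumption (not from the post): user names are identifier-like. A relative
# path with a single slash (src/main.c) also matches, so hits are candidates.
CONNECT_ARG = re.compile(
    r"^(?P<user>[A-Za-z][A-Za-z0-9_$#]*)/(?P<secret>[^/@\s]+)(?:@(?P<alias>\S+))?$"
)

# Constructed sample of `ps -ef` output; programs and accounts are made up.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 /sbin/init
alice     4211  4100  0 09:14 pts/2    00:00:00 /opt/app/bin/orareport appuser/Secr3t@prod monthly
carol     4302  4250  0 09:15 pts/3    00:00:00 vi /home/carol/src/load.c
bob       4410  4400  0 09:16 pts/4    00:00:00 /opt/app/bin/oraload batch/Passw0rd
"""

def parse_ps_line(line):
    """Return (uid, pid, argv) for one `ps -ef` row, or None for the header."""
    fields = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
    if len(fields) < 8 or not fields[1].isdigit():
        return None
    return fields[0], int(fields[1]), fields[7].split()

def find_exposed(ps_text):
    """List processes with a connect-string-like argument.
    The secret itself is never copied into the result."""
    hits = []
    for row in map(parse_ps_line, ps_text.splitlines()):
        if row is None:
            continue
        uid, pid, argv = row
        for arg in argv[1:]:  # argv[0] is the program path
            m = CONNECT_ARG.match(arg)
            if m:
                hits.append({"uid": uid, "pid": pid, "program": argv[0],
                             "db_user": m.group("user"), "alias": m.group("alias")})
    return hits

def redact(cmdline):
    """Mask the password part of connect-string arguments before logging."""
    def mask(arg):
        m = CONNECT_ARG.match(arg)
        if not m:
            return arg
        tail = "@" + m.group("alias") if m.group("alias") else ""
        return m.group("user") + "/****" + tail
    return " ".join(mask(a) for a in cmdline.split())
```

Calling find_exposed(SAMPLE_PS) reports the two constructed processes (PIDs 4211 and 4410) and leaves the editor session alone; redact() is for writing such command lines to an audit log without repeating the password.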