- Newsgroups: comp.databases.oracle
- Path: sparky!uunet!pmafire!cdm
- From: cdm@pmafire.inel.gov (Dale Cook)
- Message-ID: <1992Dec17.003907.26151@pmafire.inel.gov>
- Date: Thu, 17 Dec 92 00:39:07 GMT
- Organization: WINCO
- Subject: Re: OPS$LOGIN :security hole?
- Summary:
- References: <1992Dec15.144220.25349@relay.nswc.navy.mil> <8aT=R#A@engin.umich.edu> <1go861INN4hv@rave.larc.nasa.gov>
- Followup-To:
- Keywords:
- Lines: 24
-
- In article <1go861INN4hv@rave.larc.nasa.gov> p228@uni05.larc.nasa.gov (Bailey Bob) writes:
- >In article <8aT=R#A@engin.umich.edu> lwk@engin.umich.edu (Lewis W Kellum) writes:
- >>
- >>Here's another question: If I know Mr. Schow's unix login id, and the internet
- >>hostname of his Oracle server, what keeps me from creating his login id
- >>on my host and connecting to his ops$ oracle account? - Woody Kellum
- >
- >The only way the ops$ account works without a password is when you are
- >directly logged into the host server at the OS level. If you connect to
- >the host via SQL*Net, the RDBMS will require entry of the password.
-
- I beg to differ. I regularly use my ops$ account over our local net,
- and a password is NOT required.
-
- In answer to the above question, the only way I know of is to not have
- your server connected to the internet. If you're worried about security,
- you don't want the world having a path to your door. Use a firewall system
- as a front to the internet. You may also need to have his user number,
- but I don't know for sure.
- --------------------------------------------------------------------------
- ...Dale Cook "I don't much care how a man prays -- there's plenty of
- room in hell for all of us." --- "Mad Jack" Duncan
- The opinions are mine only (i.e., they are NOT my employer's)
- --------------------------------------------------------------------------
-