Napster | Posted: Apr 28, 2008 06:48:00 AM
Total Post: 29 | Joined: Apr, 2008
Hi,
Has anyone employed the parameter SQL92_SECURITY?
If yes does it help in anyway?
Does it do what it's meant for?
Regards,
Murtuja | Posted: Apr 28, 2008 07:08:01 AM
Total Post: 857 | Joined: Jan, 2006
Hi,
www.syngress.com/book_catalog/1597491985_sample.pdf
HTH
Avnish | Posted: Apr 28, 2008 07:35:46 AM
Total Post: 154 | Joined: Dec, 2007
Hi,
SQL92_SECURITY is an important Oracle configuration setting that most folks
know very little about. From the name of the configuration setting, it is clear
that there is some impact on security, but exactly what that impact is and why
it is important is a mystery to most. The change in the way the database operates
when SQL92_SECURITY is set to TRUE is fairly simple, but the reasons why
it is important are more subtle.
When SQL92_SECURITY is enabled (set to TRUE), Oracle requires users to
have SELECT privileges on a table or view in order to run UPDATE or DELETE
statements that include a WHERE clause on that table or view. Put another
way, the SQL92_SECURITY parameter requires that users have both
UPDATE/DELETE and SELECT privileges on a table or view in order to run
queries that include a WHERE clause.
Things may become clearer with an example. Consider a table named
hrapp.employees containing two columns, employee_name and salary.
AARON is a database user that has been granted privileges to SELECT and
UPDATE the employees table. JOSH is a database user that has only been
granted privileges to UPDATE the employees table.
Both AARON and JOSH run the following query:
UPDATE hrapp.employees SET employee_name = 'test' WHERE salary > 100000;
With SQL92_SECURITY disabled, this query will run properly for both
AARON and JOSH. No errors will be returned. However, with SQL92_SECURITY
set to TRUE, this query will run properly for AARON but will fail with an error
for JOSH.
The impetus behind the implementation of this security configuration is
to stop data leakage. In the example above, AARON has rights to see all the
data in the employee table. If he wants to see the salary data, he can simply
SELECT them. JOSH on the other hand does not have rights to see the data in
the employees table. If he wants to see the salaries, he must find a way to
escalate his privileges and get around the fact that he is not granted SELECT
on that table. Without SQL92_SECURITY, there is a loophole that would allow
JOSH to "see" the salary data in the employees table. JOSH could use the following
query to determine the salary of any employee stored in the system:
Avnish | Posted: Apr 28, 2008 07:36:37 AM
Total Post: 154 | Joined: Dec, 2007
Continued...
DECLARE
  v_rows PLS_INTEGER;
BEGIN
  -- DML is not allowed in a READ ONLY transaction (ORA-01456), so the probe
  -- relies on ROLLBACK alone; SQL%ROWCOUNT reveals whether the guess was true.
  DELETE FROM hrapp.employees
   WHERE employee_name = 'JSMITH' AND salary > 100000;
  v_rows := SQL%ROWCOUNT;   -- 1 = predicate true, 0 = false
  ROLLBACK;                 -- nothing is ever changed
  DBMS_OUTPUT.PUT_LINE('matched rows: ' || v_rows);
END;
/
Running this query repeatedly while changing the values for
employee_name and salary will give JOSH all the information he wants,
without making any changes to the database (each transaction is immediately
rolled back).
By simply setting SQL92_SECURITY = TRUE in init.ora, this type of attack
will be blocked. SQL92_SECURITY should be enabled on every one of your
Oracle databases.
Thanks
Avnish
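The scenario from the two posts above, reproduced end to end so the parameter can be tested rather than taken on faith. This is an added example; it is not part of the original thread or of the book it quotes. It assumes a DBA session on a throwaway Oracle test instance, that the HRAPP, AARON and JOSH accounts do not already exist, placeholder passwords, and a SQL*Plus-style client (for SET SERVEROUTPUT and the restart). The probe uses EXECUTE IMMEDIATE instead of static SQL so that the privilege error is raised at run time and can be caught and printed; the last section adds a check of what the parameter does not cover.

```sql
-- Added example (not from the original post): SQL92_SECURITY test bench.
-- Assumptions: DBA session on a test instance, HRAPP/AARON/JOSH do not
-- exist yet, passwords are placeholders.

------------------------------------------------------------------
-- 1. Where does the instance stand right now?
------------------------------------------------------------------
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name = 'sql92_security';

-- SQL92_SECURITY is a static parameter: it cannot be changed in the running
-- instance, only in the spfile, and takes effect after a restart.
ALTER SYSTEM SET sql92_security = TRUE SCOPE = SPFILE;
-- SHUTDOWN IMMEDIATE and STARTUP here, then rerun the SELECT above and
-- confirm VALUE is TRUE before drawing conclusions from the tests below.

------------------------------------------------------------------
-- 2. Test fixture: the table and the two users from the example.
------------------------------------------------------------------
CREATE USER hrapp IDENTIFIED BY "placeholder_1";
GRANT CREATE SESSION, CREATE TABLE, UNLIMITED TABLESPACE TO hrapp;

CREATE TABLE hrapp.employees (
  employee_name VARCHAR2(30) NOT NULL,
  salary        NUMBER(10,2)
);
INSERT INTO hrapp.employees VALUES ('JSMITH', 120000);   -- constructed data
INSERT INTO hrapp.employees VALUES ('AJONES',  65000);
COMMIT;

CREATE USER aaron IDENTIFIED BY "placeholder_2";
CREATE USER josh  IDENTIFIED BY "placeholder_3";
GRANT CREATE SESSION TO aaron, josh;
GRANT SELECT, UPDATE, DELETE ON hrapp.employees TO aaron;
GRANT UPDATE, DELETE        ON hrapp.employees TO josh;   -- deliberately no SELECT

------------------------------------------------------------------
-- 3. Run as JOSH (CONNECT josh/placeholder_3).  Blind probe: the DELETE is
--    rolled back, but SQL%ROWCOUNT reveals whether the guess was true.
------------------------------------------------------------------
SET SERVEROUTPUT ON
DECLARE
  v_rows PLS_INTEGER;
BEGIN
  -- Dynamic SQL: a privilege error surfaces at run time, not at compile
  -- time, so the handler below can report it.
  EXECUTE IMMEDIATE
    'DELETE FROM hrapp.employees WHERE employee_name = :1 AND salary > :2'
    USING 'JSMITH', 100000;
  v_rows := SQL%ROWCOUNT;
  ROLLBACK;                                 -- nothing is ever changed
  DBMS_OUTPUT.PUT_LINE('JSMITH salary > 100000: '
                       || CASE v_rows WHEN 0 THEN 'no' ELSE 'yes' END);
EXCEPTION
  WHEN OTHERS THEN
    ROLLBACK;
    -- With SQL92_SECURITY = TRUE this branch fires with ORA-01031
    -- (insufficient privileges) because the WHERE clause reads SALARY.
    DBMS_OUTPUT.PUT_LINE('probe blocked: ' || SQLERRM);
END;
/

-- Expected outcome for JOSH:
--   sql92_security = FALSE -> "JSMITH salary > 100000: yes"   (the leak)
--   sql92_security = TRUE  -> "probe blocked: ORA-01031: insufficient privileges"
-- AARON, who also holds SELECT, gets "yes" under both settings.

------------------------------------------------------------------
-- 4. What the parameter does NOT cover, still as JOSH.  A statement whose
--    WHERE and SET clauses read no column of the table needs only the DML
--    privilege and runs under either setting.
------------------------------------------------------------------
DELETE FROM hrapp.employees;              -- unconditional: allowed
ROLLBACK;
UPDATE hrapp.employees SET salary = 0;    -- constant assignment, no column read: allowed
ROLLBACK;

------------------------------------------------------------------
-- 5. Clean up (as DBA).
------------------------------------------------------------------
DROP USER josh;
DROP USER aaron;
DROP USER hrapp CASCADE;
```

Two things to check before concluding that the parameter "does nothing". First, because it is static, a SHOW PARAMETER or v$parameter query immediately after ALTER SYSTEM ... SCOPE=SPFILE still shows the old value; the restriction only exists after the restart. Second, section 4 shows that a user holding only UPDATE/DELETE can still run statements that reference no column values, so a report that "users without SELECT can still UPDATE/DELETE" is expected for those statements and is not evidence that the setting is ineffective; the test that matters is section 3, where the predicate reads a column.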
Avnish | Posted: Apr 28, 2008 07:38:34 AM
Total Post: 154 | Joined: Dec, 2007
Hi,
I think Murtuja and I posted the same answer...
Murtuja | Posted: Apr 28, 2008 07:50:37 AM
Total Post: 857 | Joined: Jan, 2006
Hi Avnish,
I don't like copy/pasted content from other sites. It can create copyright issues and affect this forum.
Instead of copying and pasting, just point to that site.
Napster | Posted: Apr 28, 2008 07:59:48 AM
Total Post: 29 | Joined: Apr, 2008
Avnish/Murtuja,
Thanks for replying, but I had gone through the doc well before I put my query on the forum.
I know what this parameter does.
My question is: "Has anyone set this to TRUE and seen if there are actually any changes in your database... does it really make a difference? Because I've read elsewhere that some people have set this parameter but users without the SELECT privilege can still UPDATE/DELETE... so please understand my question properly before replying."
Thanks & Regards
Murtuja | Posted: Apr 28, 2008 08:04:08 AM
Total Post: 857 | Joined: Jan, 2006
Where have you read that? Can you please post the link?
Murtuja | Posted: Apr 28, 2008 08:08:56 AM
Total Post: 857 | Joined: Jan, 2006
Please refer to Metalink Note 456938.1. There is one known problem with Oracle 9i.
Napster | Posted: Apr 28, 2008 08:14:40 AM
Total Post: 29 | Joined: Apr, 2008
Hi,
I'm not able to come up with that forum link at the moment... but I'm very sure I've read it... anyway, I'll have a look at Metalink and get back.
I just wish to know if someone has practically implemented, tested or verified this parameter.
Regards
Avnish | Posted: Apr 28, 2008 08:50:03 AM
Total Post: 154 | Joined: Dec, 2007
Hi Murtuja,
Sorry for this post. In the near future I'll take care of that... thanks for the suggestion.
Time Zone: EDT