PeteFinnigan.com Oracle FAQ's, Tips and ramblings

This short FAQ shows how to stop iSQL*Plus, the web based version of SQL*Plus from running on your system. You may wish to disable this tool in production environments for security reasons. There have been a number of security issues that have become known with this tool. Read here how to disable it.

This short FAQ shows how to grant all privileges to a user in Oracle. It specifically shows what privilege is necessary to do this. You should also be aware that granting ALL PRIVILEGES should never be necessary. Use the Least privilege principle and grant what is necessary not everything!.

This short FAQ shows how to shutdown the new ftp and http ports that are enabled by default in a 9iR2 installation. These are part of the new OSE stack and could represent a security threat if you are not aware that they are there.

This short FAQ shows how to set encrypted or unencrypted passwords for your database listener. I would not recommend that you use unencrypted passwords though. For completeness I also show you how to remove the listener password if need be.

This short test shows an example of fine grained access control (VPD, RLS) being used on views. This simple test was to prove to a colleague that it is indeed possible to add policy functions to views as well as tables.

This short paper explores many ways to set trace in an Oracle database, either to set trace for the current session or to set trace in another session or how to set trace at the instance level. It also talks about setting extended trace and levels and also about autotrace in SQL*Plus

This short test was prompted by a thread on the ORACLE-L list discussing how to hack the SYS password on a database. This test is a write up of my post to that thread to show that when executing an ALTER USER command the password is passed in clear text to the server and also when the password function is used the password is not passed in clear text.

This short test was prompted from the above test as I was also checking to see if the use of SET ROLE for a password protected role also caused passwords to be sent in clear text via SQL*Net. This turned out to be true but I also discovered that password protected roles can be bypassed. Read on to see how.

This very short example shows how to use the built in package DBMS_UTILITY.DB_VERSION to get version and compatibility instead of having to get them piecemeal from v$parameter and v$version.

This very short example shows how CREATE USER and GRANT {BLAH} TO {USER} IDENTIFIED BY {BLAH} send the password to the database server in clear text and suggests a couple of possible solutions.

This short paper is an answer to a question one visitor of my website asked me. He wanted to know if the SYS account could be locked out and a Denial of Service caused if the account was brute forced and a failed_login_attempts setting had been configured in the profile attached to SYS.

This short paper is posting i made to one of the newsgroups when someone asked if it was possible to stop a user from reading in clear text from the SGA a call made to dbms_obfuscation_toolkit.desencrypt. The answer is yes it is possible. Read the paper to see.

This is a short answer i made recently to the lazydba mailing list when someone asked about locking the SGA shared memory segments in core with the LOCK_SGA parameter. It is not possible to use this parameter on Solaris unless Oracle is configured to run as root.