Sunday, March 17, 2013

Database Link Secuirty Issue


"Use the CREATE DATABASE LINK statement to create a database link. A database link is a schema object in one database that enables you to access objects on another database. The other database need not be an Oracle Database system. However, to access non-Oracle systems you must use Oracle Heterogeneous Services."

But did you ask your self before about the impact of using Oracle Database link ? and how to secure my database link ?


One Of Common Issue that you need to be aware of is Privileges , When you create database link most of users use DBA Role which mean user will able to do anything he want in database,which mean
who gains access to a database link can execute queries with the privileges of the DBLINK account  to avoid this try to create user with less Privileges he needs.

Another issue in 10g When you create database link check the below :

CREATE DATABASE LINK "TEST_LINK" CONNECT TO "Test" IDENTIFIED BY Test ;

Database link created. 
After that check the below table :

SQL> select name, userid, passwordx from sys.link$ where name='TEST_LINK.REGRESS.RDBMS.DEV.US.ORACLE.COM';

NAME     USERID  PASSWORDX
--------------------------------------------------------------------------------
TEST_LINK.REGRESS.RDBMS.DEV.US.ORACLE.COM OSAMA   05CB53401E442441B428B900A97DE31A10

as you see the password is saved as hash, and can be decrypt .


But what if :

SQL> SELECT DBMS_METADATA.GET_DDL('DB_LINK','TEST_LINK.REGRESS.RDBMS.DEV.US.ORACLE.COM') from dual ;
Check the output below :

CREATE DATABASE LINK "TEST_LINK"
CONNECT TO "Osama" IDENTIFIED BY VALUES '05CB53401E442441B428B900A97DE31A10'

another security Issue of using Database link.

Imagine what could be happened next.

Thank you
Osama Mustafa

3 comments:

  1. I got it. Thanks

    ReplyDelete
  2. Hi Osama ;

    I still getting confused to practice what you posted here ..

    SQL> grant create database link to xx;
    Grant succeeded.

    SQL> show user;
    USER is "XX"

    create database link osama connect to xx identified by xx using 'orcl';
    Database link created.

    >> Connecting as sysdba >>

    SQL> select USERID, name, passwordx from sys.link$ where
    2 name='OSAMA.REGRESS.RDBMS.DEV.US.ORACLE.COM';

    USERID NAME PASSWORDX
    XX OSAMA.REGRESS.RDBMS.DEV.US.ORACLE.COM 05BD4A6D6C3019E29EEB898D2343BCB0C2

    SQL> SELECT DBMS_METADATA.GET_DDL('DB_LINK','OSAMA.REGRESS.RDBMS.DEV.US.ORACLE.COM') from dual;

    ERROR:
    ORA-31603: object "OSAMA.REGRESS.RDBMS.DEV.US.ORACLE.COM" of type DB_LINK not found in schema "SYS"
    ORA-06512: at "SYS.DBMS_SYS_ERROR", line 105
    ORA-06512: at "SYS.DBMS_METADATA", line 2806
    ORA-06512: at "SYS.DBMS_METADATA", line 4333
    ORA-06512: at line 1

    FYI : Even i connected as sysdba , i can't trace it ... So please see it and kindly reply me ..


    ReplyDelete
    Replies
    1. Are you sure from the database link name ? check dba_links to find the correct name

      Delete