Senin, 19 Juli 2010

Oracle Authentication and Authorization

Oracle supports two kinds of accounts: database accounts and operating system accounts. Operating system accounts are authenticated externally by the operating system and are generally preceded with OP$, whereas database accounts are authenticated against the database server. A number of users are created by default when the database is installed; some of these are integral to the correct operation of the database whereas others are simply created because a package has been installed. The most important database login on an Oracle server is the SYS login. SYS is god as far as the database is concerned and can be likened to the root account on UNIX systems or Administrator on Windows. SYS is installed with a default password of CHANGE_ON_INSTALL, although, as of 10g, the user is prompted for a password to assign—which is good (various components that you install can define default usernames and passwords—Appendix C includes a list of more than 600 default account names and passwords). Another key account is SYSTEM. This is just as powerful as SYS and has a default password of MANAGER. Incidentally, passwords in Oracle are converted to uppercase making them easier to brute force if one can get a hold of the password hashes. Details such as usernames and passwords are stored in the SYS.USER$ table.

SQL> select name,password from sys.user$ where type#=1;
NAME PASSWORD
------------------------------ ------------------------------
SYS 2696A092833AFD9F
SYSTEM ED58B07310B19002
OUTLN 4A3BA55E08595C81
DIP CE4A36B8E06CA59C
DMSYS BFBA5A553FD9E28A
DBSNMP E066D214D5421CCC
WMSYS 7C9BA362F8314299
EXFSYS 66F4EF5650C20355
ORDSYS 7EFA02EC7EA6B86F
ORDPLUGINS 88A2B2C183431F00
SI_INFORMTN_SCHEMA 84B8CBCA4D477FA3
MDSYS 72979A94BAD2AF80
CTXSYS 71E687F036AD56E5
OLAPSYS 3FB8EF9DB538647C
WK_TEST 29802572EB547DBF
XDB 88D8364765FCE6AF
ANONYMOUS anonymous
SYSMAN 447B729161192C24
MDDATA DF02A496267DEE66
WKSYS 69ED49EE1851900D
WKPROXY B97545C4DD2ABE54
MGMT_VIEW B7A76767C5DB2BFD
SCOTT F894844C34402B67
23 rows selected.

Both SYS and SYSTEM are DBA privileged accounts but on a typical system you'll also find at least a few more DBAs—namely MDSYS, CTXSYS, WKSYS, and SYSMAN. You can list all DBAs with the following query:

SQL> select distinct a.name from sys.user$ a, sys.sysauth$ b where a.user#=b.grantee# and b.privilege#=4;
NAME
-----------------------------
CTXSYS
SYS
SYSMAN
SYSTEM
WKSYS

(If you know a bit about Oracle and are wondering why I'm not using the DBA_USERS and DBA_ROLE_PRIVS views, see the last chapter in the Oracle section—you can't trust views.)

This is enough on users and roles at the moment. Let's look at how database users are authenticated.

chapter 2 (4)

The Database Hacker's Handbook: Defending Database Servers
by David Litchfield et al.
John Wiley & Sons © 2005

Tidak ada komentar:

Posting Komentar