-----Original Message-----
Ari,

Question about Oracle if it's ok. 

Is it a security risk to use ops$accounts? I personally like them
because the user's password is never on the command line visible through
a ps -ef command. And we as application developers do not have to get
the users to provide their passwords to run the Oracle applications.

I've never heard anything bad about them, but someone new around here
seems to think differently.

Thanks,
Jim

----- Reply -------------
Jim,

There is a security risk with OPS$ACCOUNTS. It bypasses the underlying OS
security and allows you to connect to the database once you are logged in to the
server. However, you can "fake" a username and get into the database without a
password. For example, if there is a "JIM" account, then someone changes the
name of their PC to "OP$JIM" then they can enter SQL*Plus with no password from
a client. The only security against this is that someone must know enough Oracle
to know how to do this, and they must know the name of an OPS$ account. Of
course people can make "crack" programs that guess usernames, but I have not
seen this.

-Ari
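
An added example, not part of the original exchange: a DBA can run these checks to see whether a database is exposed to the passwordless remote login described in the reply. It assumes Oracle 11g or later (for the AUTHENTICATION_TYPE column) and a session that can read V$PARAMETER and the DBA_ views.

```sql
-- 1. Settings that govern OS authentication.
--    remote_os_authent = TRUE means the database trusts the OS username
--    reported by a remote client, so the client machine decides who you are.
--    os_authent_prefix is the prefix (OPS$ by default) placed in front of
--    the OS username to form the database account name.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Accounts that log in without a database password.
--    On releases older than 11g, filter on PASSWORD = 'EXTERNAL' instead.
SELECT username, account_status, created
FROM   dba_users
WHERE  authentication_type = 'EXTERNAL'
ORDER  BY username;

-- 3. What those accounts can do, to judge the impact of a spoofed login.
SELECT p.grantee, p.privilege AS grant_name, 'SYSTEM PRIVILEGE' AS kind
FROM   dba_sys_privs p
WHERE  p.grantee IN (SELECT username FROM dba_users
                     WHERE  authentication_type = 'EXTERNAL')
UNION ALL
SELECT r.grantee, r.granted_role, 'ROLE'
FROM   dba_role_privs r
WHERE  r.grantee IN (SELECT username FROM dba_users
                     WHERE  authentication_type = 'EXTERNAL')
ORDER  BY 1, 3, 2;

-- 4. Mitigation: stop trusting client-reported OS usernames.
--    The parameter is static, so the change takes effect after a restart.
--    Local OS-authenticated logins on the server itself keep working.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;

-- 5. Optional: give an externally identified account a real password.
--    The account name and password below are placeholders.
-- ALTER USER "OPS$JIM" IDENTIFIED BY <new_password>;
```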
