
 

   
 

Oracle Tips by Burleson

_trace_files_public Tips

Tip: Make sure the utl_file_dir parameter in the database is not set to "*", which allows reading and writing anywhere Oracle has access. Change permissions as described in the above table.

Other Settings Related to Filesystems

One of the most potentially damaging capabilities is the ability to create directories with the CREATE DIRECTORY command. A user can create a directory on any filesystem where Oracle has permission to create files. A malicious user can create a directory on a sensitive filesystem and then read or corrupt the data there using BFILE type files. This vulnerability does not seem to be well understood; otherwise it would be shut down immediately, and doing so is very easy. All you have to do is remove the system privilege CREATE DIRECTORY from users.

No regular user should have the CREATE DIRECTORY system privilege.

The other problem is setting the parameter _trace_files_public in the init.ora file to TRUE. The parameter is necessary, as some developers may want to create valid trace files, for example with sql_trace or by setting events, and analyze them in tools such as TKPROF. Ordinarily, these trace files are not readable by the public, so developers can't get them directly. Setting the init.ora parameter to TRUE makes them readable by all.

Do not set the parameter _trace_files_public to TRUE in init.ora.

Sometimes hackers employ another tactic to get information. If the trace file directories are mounted on another machine, or are shared by another host, the hacker can gain access by simply checking the directory, without even logging in to the server.
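The two init.ora settings warned about above (utl_file_dir set to "*" and _trace_files_public set to TRUE) can be checked mechanically. The following is an added example, not code from the original tip: the function names and the sample file are constructed for illustration, and it assumes a text init.ora (pfile) rather than a binary spfile. It reports any occurrence of either setting, even one that a later line overrides.

```python
# Constructed sample pfile for the demonstration; not taken from a real system.
SAMPLE_INIT_ORA = """\
# init.ora for SID demo (constructed sample)
db_name = demo
UTL_FILE_DIR = /u01/app/reports
utl_file_dir = '*'      # added "temporarily" during a migration
*._trace_files_public=TRUE
user_dump_dest = /u01/app/oracle/admin/demo/udump
"""

def parse_init_ora(text):
    """Return {lowercased parameter name: [values]} from pfile text."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Parameter names are case-insensitive; drop a "*." or "sid." prefix.
        name = name.strip().lower().split(".")[-1]
        # Values may be quoted and may be a parenthesised, comma-separated list.
        items = [v.strip().strip("'\"")
                 for v in value.strip().strip("()").split(",")]
        params.setdefault(name, []).extend(v for v in items if v)
    return params

def audit(text):
    """Return a list of findings for the two settings discussed above."""
    params = parse_init_ora(text)
    findings = []
    if "*" in params.get("utl_file_dir", []):
        findings.append("utl_file_dir includes '*': UTL_FILE can read and "
                        "write anywhere Oracle has access")
    # Conservative: report TRUE even if another line sets it back to FALSE.
    if any(v.lower() == "true" for v in params.get("_trace_files_public", [])):
        findings.append("_trace_files_public is TRUE: trace files are "
                        "readable by all")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INIT_ORA):
        print("FINDING:", finding)
```

The CREATE DIRECTORY privilege is granted inside the database rather than in init.ora, so this check does not cover it.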



 



 

   

 Copyright © 1996 -2016 by Burleson. All rights reserved.


Oracle® is the registered trademark of Oracle Corporation. SQL Server® is the registered trademark of Microsoft Corporation. 
Many of the designations used by computer vendors to distinguish their products are claimed as Trademarks