
ORACLE Security

Agenda

Roles, Users, Privileges
Oracle Database organization
Security

Roles, Users, Privileges

Special users: SYS and SYSTEM are created at database creation. They are Oracle's super users for the database.

Connection types:
sqlplus, then connect user/password as sysdba
sqlplus / as sysdba


SYSDBA privileges: database startup and shutdown, cold and hot backup, recovery, database creation.


The special view v$pwfile_users lists the special users (those in the password file). We must be connected as a user with SYSDBA in order to execute selects over it.


How:
SYS@oracle> show user;
USER is "SYS"

SYS@oracle> select * from v$pwfile_users;
USERNAME SYSDB SYSOP
SYS      TRUE  TRUE


Making a normal user special:

SYS@oracle> grant SYSDBA to rednick;
Grant succeeded.

Check in v$pwfile_users:

USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE
REDNICK                        TRUE  FALSE


How to revoke?
SYS@oracle> revoke SYSDBA from rednick;

Revoke succeeded.

Check in v$pwfile_users:

USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE

The rights of user REDNICK disappear.


GRANT, syntax:
grant system_privilege to username;
grant system_privilege_1, system_privilege_2, ..., system_privilege_n to username;
grant system_privilege_1 to username with admin option;
grant object_privilege on object_name to username;
grant object_privilege on object_name to username with grant option;
grant object_privilege on object_name to username with hierarchy option;


Sample:
grant select, update on table_1 to user_1;


grant ... ANY ...: full privilege, including on SYS objects.

with admin option: the grantee can pass the privilege on to another user after receiving it.

Ref:
http://www.stanford.edu/dept/itss/docs/oracle/10g/server.101/b10759/statements_9013.htm


REVOKE, syntax:
Revoke system privileges from users and roles
Revoke users' privileges on objects
Revoke roles from users


Sample:
REVOKE DROP ANY TABLE FROM hr;
REVOKE DELETE ON orders FROM hr;

Ref:
http://stanford.edu/dept/itss/docs/oracle/10gR2/server.102/b14200/statements_9020.htm


Privileges
Definition: a privilege is the right to execute a SQL command on an object from a different schema. Privileges can be assigned to a user or to a role.


Most important privileges:

create session (till 9i, a user without it could not log in and got ORA-01045)
create table
create view
create procedure
sysdba
sysoper


Privileges over:
Tables: select, insert, update, delete, alter, debug, flashback, on commit refresh, query rewrite, references, all
Views: select, insert, update, delete, under, references, flashback, debug
Sequences: alter, select
Packages, procedures, functions (Java classes, sources...): execute, debug
Materialized views: delete, flashback, insert, select, update
Directories: read, write
Libraries: execute
User-defined types: execute, debug, under
Operators: execute
Indextypes: execute


! A user can access an object from a different schema only if it has the right role or privileges. The privileges granted can be found in all_tab_privs_made and user_tab_privs_made.


System privileges can be given to users and roles.

The SYSDBA privilege cannot be given to the PUBLIC role.


Roles
Definition: roles in Oracle increase the flexibility of database administration. When there is a big number of users and objects, a specific role is required.


Sample:
SQL> create role select_data_role;
SQL> grant select on emp to select_data_role;
SQL> grant select on dept to select_data_role;
SQL> grant select on bonus to select_data_role;
After a role has specific privileges, the role can be assigned to a user:
SQL> grant select_data_role to rednick;


Limitation:
Even though privileges on objects from a different schema can be received through a role, in PL/SQL programs (stored procedures) roles are not in effect; only directly granted privileges count.


Syntax for role creation:

create role role_name;
create role role_name identified by password;
create role role_name identified using package_name;
create role role_name identified externally;
create role role_name identified globally;


Role: PUBLIC
It is created by sql.bsq during database creation:

create role public
/

This role is not visible in dba_roles. Any privilege given to PUBLIC becomes a privilege of every user in the database.
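The three warnings above (grant ... ANY ..., with admin option, and grants to PUBLIC) turned into a review routine; this is an added example, not code from the slides. It runs offline over constructed rows shaped like the DBA_SYS_PRIVS view (GRANTEE, PRIVILEGE, ADMIN_OPTION); the grantee and privilege values are constructed sample data.

```python
"""Review Oracle system-privilege grants for the risk patterns named on the slides."""
from typing import Dict, List, Tuple

# Constructed sample rows in DBA_SYS_PRIVS column order: GRANTEE, PRIVILEGE, ADMIN_OPTION.
# A real review would feed the output of:
#   SELECT grantee, privilege, admin_option FROM dba_sys_privs;
SAMPLE_SYS_PRIVS: List[Tuple[str, str, str]] = [
    ("REDNICK",          "CREATE SESSION",   "NO"),
    ("REDNICK",          "SELECT ANY TABLE", "NO"),
    ("HR",               "CREATE TABLE",     "YES"),
    ("PUBLIC",           "CREATE PROCEDURE", "NO"),
    ("SELECT_DATA_ROLE", "CREATE SESSION",   "NO"),
]


def review_sys_privs(rows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (grantee, privilege, reason) findings for risky grants.

    Flags: ANY privileges (they reach into every schema), WITH ADMIN OPTION
    (the grantee can re-grant the privilege), and anything granted to PUBLIC
    (every database user inherits it).
    """
    findings = []
    for grantee, privilege, admin_option in rows:
        words = privilege.upper().split()          # whole-word match, not "MANY"
        if "ANY" in words:
            findings.append((grantee, privilege, "ANY privilege spans all schemas"))
        if admin_option.upper() == "YES":
            findings.append((grantee, privilege, "WITH ADMIN OPTION lets the grantee re-grant"))
        if grantee.upper() == "PUBLIC":
            findings.append((grantee, privilege, "granted to PUBLIC: every user has it"))
    return findings


def findings_by_grantee(rows: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group the findings per grantee for a readable report."""
    grouped: Dict[str, List[str]] = {}
    for grantee, privilege, reason in review_sys_privs(rows):
        grouped.setdefault(grantee, []).append(f"{privilege}: {reason}")
    return grouped


if __name__ == "__main__":
    for grantee, items in findings_by_grantee(SAMPLE_SYS_PRIVS).items():
        print(grantee)
        for item in items:
            print("  -", item)
```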


Predefined roles:
delete_catalog_role, execute_catalog_role, select_catalog_role
exp_full_database, imp_full_database
aq_user_role, aq_administrator_role, global_aq_user_role (?)
logstdby_administrator
snmpagent
recovery_catalog_owner
hs_admin_role
oem_monitor, oem_advisor
scheduler_admin
gather_system_statistics
plustrace
xdbadmin
xdbwebservices
ctxapp


Predefined role: CONNECT

! Till version 9i the role CONNECT was given to a user in order to log in to the database.


Conclusions:
GRANT vs REVOKE
CREATE vs DROP
Security is enhanced if grants are given to roles
System privileges have global access
Each object has an owner (a user)

Oracle Database organization

Physical

Logical


Physical: OS files, OS blocks


Physical: database -> tablespaces -> segments -> data blocks. The relation at each level is 1 to many (1:m).


Physical: Database

create database test
  logfile group 1 ('/path/to/redo1.log') size 100M,
          group 2 ('/path/to/redo2.log') size 100M,
          group 3 ('/path/to/redo3.log') size 100M
  character set WE8ISO8859P1
  national character set utf8
  datafile '/path/to/system.dbf' size 500M autoextend on next 10M maxsize unlimited
  extent management local
  sysaux datafile '/path/to/sysaux.dbf' size 100M autoextend on next 10M maxsize unlimited
  undo tablespace undotbs1 datafile '/path/to/undotbs1.dbf' size 100M
  default temporary tablespace temp tempfile '/path/to/temp01.dbf' size 100M;

Ref:
http://www.adp-gmbh.ch/ora/sql/create_database.html


Physical: Tablespaces
create tablespace ts_something
  logging
  datafile '/dbf1/ts_sth.dbf' size 32m autoextend on next 32m maxsize 2048m
  extent management local;

Ref:
http://www.adp-gmbh.ch/ora/sql/create_tablespace.html


Physical: Temporary tablespaces

create temporary tablespace temp_mtr
  tempfile '/dbf1/mtr_temp01.dbf' size 32m autoextend on next 32m maxsize 2048m
  extent management local;


Physical

! Temporary tablespaces have tempfiles, not datafiles.


Physical: Segment: an object container. Segment types:

table
table partition
index
index partition
cluster
rollback
deferred rollback
temporary
cache
lobsegment
lobindex


Physical: segments are split into 4 categories: data segments (table and cluster), index segments, rollback segments, temporary segments.


Physical: Segment creation
CREATE ROLLBACK SEGMENT segm_1 TABLESPACE tbs_1
  STORAGE (INITIAL 10K NEXT 10K MAXEXTENTS UNLIMITED);


Physical: Extent. Definition: a logical unit made of a contiguous number of data blocks. One or more extents make a segment. When the segment's extents are fully used, Oracle allocates another extent.


Physical: How is space allocated over extents? When a table is created, an initial extent with a predefined number of data blocks is allocated. Even if the table does not have any records, those data blocks are reserved.


Physical: Oracle data block: the lowest logical unit for I/O.

DB_BLOCK_SIZE: 2 KB to 32 KB

Default DB_BLOCK_SIZE = 8 KB


Views:
Tablespaces: dba_tablespaces; v$tablespace;
Data files: dba_data_files; v$datafile;
Temporary files: dba_temp_files; v$tempfile;


Sample:
select TABLESPACE_NAME, INITIAL_EXTENT, NEXT_EXTENT, MIN_EXTENTS, MAX_EXTENTS,
       PCT_INCREASE, STATUS, CONTENTS
  from dba_tablespaces
 order by TABLESPACE_NAME;


Deletion of a tablespace:
DROP TABLESPACE


Steps:
1. Find the datafiles of the tablespace:
SELECT file_name, tablespace_name FROM dba_data_files WHERE tablespace_name = '<tablespace name>';


2. Deletion:
DROP TABLESPACE <tablespace name> INCLUDING CONTENTS AND DATAFILES;

References:
http://download.oracle.com/docs/cd/B19306_01/server.102/b14220/logical.htm#i4896


Logical: Schema: all objects of a specific user: tables, views, sequences, procedures, synonyms, indexes, clusters, and database links.


Logical: Cluster, Partition, Table, Index


Logical: Cluster. Creating a cluster requires the CREATE CLUSTER privilege and space in the target tablespace (a quota, or unlimited tablespace).


Logical: Cluster. In order to create a cluster in a different schema, what privilege is required? CREATE _ _ _ CLUSTER


Logical: Cluster, example:

CREATE CLUSTER emp_dept (deptno NUMBER(3))
  SIZE 600
  TABLESPACE users
  STORAGE (INITIAL 200K NEXT 300K MINEXTENTS 2 PCTINCREASE 33);

Ref: http://download.oracle.com/docs/cd/B19306_01/server.102/b14200/clauses009.htm


Logical: CLUSTER clause:

CREATE TABLE emp (
  empno  NUMBER(5) PRIMARY KEY,
  ename  VARCHAR2(15) NOT NULL,
  ...
  deptno NUMBER(3) REFERENCES dept)
  CLUSTER emp_dept (deptno);

CREATE TABLE dept (
  deptno NUMBER(3) PRIMARY KEY,
  . . . )
  CLUSTER emp_dept (deptno);


Logical: Partition. Definition: handling big volumes of data by splitting them according to a specific characteristic.


Logical: sample syntax: create table xyz ... partition by range ...


Logical: Partition
1.
select sum(val) from sales where year=1991;
select product, sum(val) from sales where year=1992 group by product;


2.
create table sales (year number(4), product varchar2(10), val number(10,2))
partition by range (year) (
  partition p1 values less than (1992) tablespace u1,
  partition p2 values less than (1993) tablespace u2,
  partition p3 values less than (1994) tablespace u3,
  partition p4 values less than (1995) tablespace u4,
  partition p5 values less than (MAXVALUE) tablespace u5
);


3. Note:
There is no value bigger than MAXVALUE, where MAXVALUE stands for max(col). If partition p4 did not exist we could not insert values bigger than 1995.
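To make the MAXVALUE rule concrete, here is an added Python model of VALUES LESS THAN routing for the SALES table above (not from the slides, no database needed): each bound is exclusive, so year 1994 lands in p4 and 1995 lands in the MAXVALUE partition p5; with the catch-all partition removed, a year of 1995 or more matches no partition and the insert is rejected.

```python
"""Model how a range-partitioned table routes a row, VALUES LESS THAN style."""
from typing import List, Tuple

MAXVALUE = float("inf")  # sentinel above every possible value, like Oracle's MAXVALUE

# (partition name, exclusive upper bound), in declaration order, bounds as on the slide.
SALES_PARTITIONS: List[Tuple[str, float]] = [
    ("p1", 1992), ("p2", 1993), ("p3", 1994), ("p4", 1995), ("p5", MAXVALUE),
]
# The same table declared without the catch-all partition.
SALES_WITHOUT_MAXVALUE = SALES_PARTITIONS[:-1]


def partition_for(year: int, partitions: List[Tuple[str, float]]) -> str:
    """Return the first partition whose bound is strictly greater than year.

    Raise ValueError when no partition admits the value; that is the situation
    in which the database rejects the insert because the highest partition has
    a finite bound and the value is not below it.
    """
    for name, upper_bound in partitions:
        if year < upper_bound:           # VALUES LESS THAN: bound itself is excluded
            return name
    raise ValueError(f"no partition admits year {year}")


def can_insert(year: int, partitions: List[Tuple[str, float]]) -> bool:
    """True when some partition of the table accepts the year."""
    try:
        partition_for(year, partitions)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for y in (1991, 1994, 1995, 2001):
        print(y, "->", partition_for(y, SALES_PARTITIONS),
              "| insertable without MAXVALUE partition:", can_insert(y, SALES_WITHOUT_MAXVALUE))
```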

Security

Authentication
Authorization
Security policies
Database audit


Authentication: at the OS, on the network, in the Oracle DB.


Authentication at the OS

The OS authenticates the user first, then sqlplus / connects; the OS user is mapped to a schema in the DB. The reverse: DB users are kept in LDAP and authenticated with EUS (Enterprise User Security).

Database security

Authentication on the network

Third parties: SESAME, KERBEROS, DCE

Remote: Remote Authentication Dial-In User Service (RADIUS)


Authentication in the Oracle DB
DES (Data Encryption Standard) password encryption
Password policy and grace logins
Lost password policy


Authentication in the Oracle DB: password check/validation

Minimum 4 characters
Not "Oracle123"
Semantic check on the characters used (marked "?!" on the slide)
Must not be a reserved name
Different from the last password
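The rule list above as a stand-alone verifier in Python, an added example that is not from the slides and not Oracle's own password verify function. It reads the slide's "semantic" check as requiring a letter, a digit and a punctuation character, and RESERVED is a constructed short list, not Oracle's full reserved-word table.

```python
"""Check a candidate password against the rules listed on the slide."""
import string
from typing import List

MIN_LENGTH = 4
FORBIDDEN = {"oracle123"}  # the slide's example of a value that must be refused
# Constructed sample of reserved words; a real check would use the full list.
RESERVED = {"select", "table", "user", "grant", "revoke", "role", "sysdba"}


def verify_password(new_password: str, old_password: str = "") -> List[str]:
    """Return the names of the rules the password fails; empty list means it passes."""
    failures = []
    lowered = new_password.lower()

    if len(new_password) < MIN_LENGTH:
        failures.append("too short")

    if lowered in FORBIDDEN:
        failures.append("forbidden value")

    # "Semantic" rule as read here: at least one letter, one digit, one punctuation char.
    has_alpha = any(c.isalpha() for c in new_password)
    has_digit = any(c.isdigit() for c in new_password)
    has_punct = any(c in string.punctuation for c in new_password)
    if not (has_alpha and has_digit and has_punct):
        failures.append("missing character class")

    if lowered in RESERVED:
        failures.append("reserved word")

    # A verify function sees both cleartext values, so a direct comparison is enough.
    if old_password and new_password == old_password:
        failures.append("same as previous")

    return failures


if __name__ == "__main__":
    for candidate, previous in (("Oracle123", ""), ("a1!", ""), ("Tr0ub4dor&3", "Tr0ub4dor&3")):
        print(repr(candidate), "->", verify_password(candidate, previous) or "ok")
```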


DB Security: Authorization: having ???


DB Security

Security policies: at the OS, at data integrity, at user level, password management.


DB Security: OS

Several DBA groups, each specialized on different operations: DDL, create/drop database, create/drop table.


DB Security: Security policies: data integrity. DDL: grant/revoke. DML: insert/update/delete.


DB Security: Security policies at DBA level (SYSDBA, SYSOPER roles) and at normal user level.


DB Security: Security policies: password management.

Q/A
email: emanuil.rednic@gmail.com
