|
Replies:
21
-
Pages:
2
[
1
2
| Next
]
-
Last Post:
Mar 17, 2008 1:02 AM
Last Post By: Aman....
|
|
|
Posts:
5
Registered:
10/11/05
|
|
|
|
Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 27, 2008 5:26 AM
|
|
|
|
hi,
I am using 9.2.0.1 db, my question is
Is there a way to prevent users from using EXP and IMP, by restricting access to some oracle objects or revoking system privileges?
tnx.
|
|
|
Posts:
4,877
Registered:
11/27/01
|
|
|
|
Re: Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 27, 2008 5:52 AM
in response to: toneebhoi
|
|
|
Hi,
In fact, any user that has the CREATE SESSION system privilege, are able to export your own objects. Otherwise, you can try prevent that users try to use exp or imp utilities creating a database trigger as demonstrated below:
SQL> create or replace trigger prevent_exp_imp
2 after logon on database
3 begin
4 if user='TEST' and upper(sys_context('userenv','module')) in ('EXP.EXE','IMP.EXE') then
5 raise_application_error (-20001, 'You are not allowed to export or import data.');
6 end if;
7 end;
8 /
Trigger created.
SQL> exit
Disconnected from Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production
C:\>exp test/test file=test
Export: Release 10.2.0.1.0 - Production on Sun Jan 27 11:47:56 2008
Copyright (c) 1982, 2005, Oracle. All rights reserved.
EXP-00056: ORACLE error 604 encountered
ORA-00604: error occurred at recursive SQL level 1
ORA-20001: You are not allowed to export or import data.
ORA-06512: at line 3
Username:
Cheers
Legatti |
|
|
Posts:
79
Registered:
09/19/05
|
|
|
|
Re: Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 27, 2008 6:05 AM
in response to: toneebhoi
|
|
|
|
If a database user does not have
EXP_FULL_DATABASE and/or IMP_FULL_DATABASE privilege she can not export and/or import full database.
Message was edited by:
lovelysanu
|
|
|
Posts:
9,934
Registered:
03/13/99
|
|
|
|
Re: Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 27, 2008 7:36 AM
in response to: Eduardo Legatti
|
|
|
While I agree that anyone not courteous enough to provide operating system info is probably using Windows so that might be a valid assumption, it should be noted that this will not work on Linux.
Same trigger, in linux:
oracle@instructor ~$ exp test/test
Export: Release 10.2.0.2.0 - Production on Sun Jan 27 07:27:55 2008
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Production
With the Partitioning, Oracle Label Security, OLAP and Data Mining options
Enter array fetch buffer size: 4096 >
Export file: expdat.dmp >
(2)U(sers), or (3)T(ables): (2)U >
Export grants (yes/no): yes >
Export table data (yes/no): yes >
Compress extents (yes/no): yes >
Export done in US7ASCII character set and AL16UTF16 NCHAR character set
server uses AL32UTF8 character set (possible charset conversion)
. exporting pre-schema procedural objects and actions
. exporting foreign function library names for user TEST
. exporting PUBLIC type synonyms
. exporting private type synonyms
. exporting object type definitions for user TEST
About to export TEST's objects ...
. exporting database links
. exporting sequence numbers
. exporting cluster definitions
. about to export TEST's tables via Conventional Path ...
. exporting synonyms
. exporting views
. exporting stored procedures
. exporting operators
. exporting referential integrity constraints
. exporting triggers
. exporting indextypes
. exporting bitmap, functional and extensible indexes
. exporting posttables actions
. exporting materialized views
. exporting snapshot logs
. exporting job queues
. exporting refresh groups and children
. exporting dimensions
. exporting post-schema procedural objects and actions
. exporting statistics
Export terminated successfully without warnings.
oracle@instructor ~$
Note that on Linux (OEL 4.5) and Oracle 10.2.0.3, we see
SQL> select distinct module from v$session;
MODULE
emagent@instructor.example.com (TNS V1-V3)
OEM.BoundedPool
exp@instructor.example.com (TNS V1-V3)
OEM.SystemPool
OMS
SQL*Plus
OEM.CacheModeWaitPool
8 rows selected.
SQL>
whereas the same query in Windows XP with 10.2.0.1 XE we see
SQL> select distinct module from v$session;
MODULE
SQL*Plus
exp.exe
|
|
|
Posts:
5,875
Registered:
09/24/06
|
|
|
|
Re: Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 27, 2008 10:33 AM
in response to: Eduardo Legatti
|
|
|
But be aware that it is easy to circumvent the prevention:
Just rename imp.exe to e.g. imp2.exe, then you'll have
SQL> select distinct module from v$session where module like 'imp%'
MODULE
------------------------------------------------
imp2.exe
and the trigger wouldn't raise any exception anymore ... |
|
|
Posts:
4,877
Registered:
11/27/01
|
|
|
|
Re: Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 27, 2008 3:25 PM
in response to: Hans Forbrich
|
|
|
|
Hi,
You are absolutely right. I didn't make a test on Linux/Unix boxes ...
Cheers
Legatti
|
|
|
Posts:
4,877
Registered:
11/27/01
|
|
|
|
Re: Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 27, 2008 3:31 PM
in response to: michaels2
|
|
|
Hi,
>>Just rename imp.exe to e.g. imp2.exe, then you'll have
You are right. It seems is too easy to bypass this procedure ... We need to think an another solution 
Cheers
Legatti |
|
|
Posts:
79
Registered:
09/19/05
|
|
|
|
Re: Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 27, 2008 7:52 PM
in response to: Eduardo Legatti
|
|
|
|
can't we control this by revoking any privilege from the user??
|
|
|
Posts:
9,934
Registered:
03/13/99
|
|
|
|
Re: Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 27, 2008 8:17 PM
in response to: lovelysanu
|
|
|
|
You can stop a user from exporting anything in 'other schemas' described by the privilege mentioned above.
But if you gave the person their own schema, it makes sense that they can export/import into that which they 'own'.
More detail might be available by asking Support.
|
|
|
Posts:
5
Registered:
10/11/05
|
|
|
|
Re: Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 27, 2008 11:03 PM
in response to: toneebhoi
|
|
|
|
this is the current setting i have, i created a specific role for the user
CREATE ROLE "USERNAME_DEFAULT_ROLE" NOT IDENTIFIED;
GRANT CREATE SESSION TO "USERNAME_DEFAULT_ROLE"
GRANT DELETE ANY TABLE TO "USERNAME_DEFAULT_ROLE"
GRANT EXECUTE ANY PROCEDURE TO "USERNAME_DEFAULT_ROLE"
GRANT INSERT ANY TABLE TO "USERNAME_DEFAULT_ROLE"
GRANT SELECT ANY SEQUENCE TO "USERNAME_DEFAULT_ROLE"
GRANT SELECT ANY TABLE TO "USERNAME_DEFAULT_ROLE"
GRANT UPDATE ANY TABLE TO "USERNAME_DEFAULT_ROLE"
CREATE USER "USERNAME" PROFILE "DEFAULT"
IDENTIFIED BY "dbnamei27r3blz" DEFAULT TABLESPACE "USERNAME"
TEMPORARY TABLESPACE "TEMP"
ACCOUNT UNLOCK;
GRANT UNLIMITED TABLESPACE TO "USERNAME";
GRANT "USERNAME_DEFAULT_ROLE" TO "USERNAME";
The USERNAME can be any user.
I can still export objects from the schema USERNAME using USERNAME user.
Sorry for the USERNAME thing.
I believe that any user can export or import to its own schema.
|
|
|
Posts:
5
Registered:
10/11/05
|
|
|
|
Re: Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 28, 2008 1:08 AM
in response to: Eduardo Legatti
|
|
|
|
Hi,
Thanks a lot to EDUARDO. Thanks also to the others!
The script he gave was very useful.
The SYS_CONTEXT('userenv','module') returned null. I believe that this may solve the problem i post if the Module will return the correct value. replacing IP_ADDRESS and OS_USER return correct values, but I can't use this two since it will not allow any other application to work.
What may be the problem why Module returns null?
The only reason that I could think of is that we are using Thin Clients and Remote Desktop. Session Details also do not work.
|
|
|
Posts:
5,205
Registered:
08/04/98
|
|
|
|
Re: Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 28, 2008 1:31 AM
in response to: toneebhoi
|
|
|
|
Do you think a thin client has exp.exe and imp.exe installed?
Isn't the solution simply do NOT install exp.exe and imp.exe on ALL clients?
--
Sybrand Bakker
Senior Oracle DBA
|
|
|
Posts:
5
Registered:
10/11/05
|
|
|
|
Re: Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 28, 2008 2:45 AM
in response to: sybrandb
|
|
|
|
i am not suggesting that the thin client has exp.exe and imp.exe installed. it is installed on windows server 2003.
not installing or uninstalling exp.exe and imp.exe may remove the problem for the machines it is installed on. still it won't solve the problem i posted.
i need to restrict the oracle user.
thanks for the comment anyway.
|
|
|
Posts:
4,877
Registered:
11/27/01
|
|
|
|
Re: Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 28, 2008 3:24 AM
in response to: toneebhoi
|
|
|
|
Hi,
>>I believe that any user can export or import to its own schema.
Exactly. Any user that has the CREATE SESSION system privilege, are able to export your own objects and perform imports ...
Cheers
Legatti
|
|
|
Posts:
235
Registered:
08/02/00
|
|
|
|
Re: Prevent the use of EXP and IMP for specified Oracle Users
Posted:
Jan 28, 2008 3:32 AM
in response to: toneebhoi
|
|
|
|
As an aside... even if you did find a way to stop individual users from exporting their own schema, if your goal here is a security-led measure to prevent them from being able to extract the table data then they're still going to be able to spool the output from a SQL*Plus session to a flat file and achieve the same results.
What are your specific requirements and, more importantly, why?
|
|
|
|
Legend
|
|
Guru : 2500
- 1000000
pts
|
|
Expert : 1000
- 2499
pts
|
|
Pro : 500
- 999
pts
|
|
Journeyman : 200
- 499
pts
|
|
Newbie : 0
- 199
pts
|
|
Oracle ACE Director
|
|
Oracle ACE Member
|
|
Oracle Employee ACE
|
|
Helpful Answer
(5 pts)
|
|
Correct Answer
(10 pts)
|
|
