I need to know if somebody can read and save to oneself packages from my database, Oracle specifically. Can I prevent it?
I mostly worry about tools like "Export schema" of Toad. How can I know somebody didn't something like exporting my database structure?
You want to obfuscate your code? Oracle calls it wrapping: http://www.comp.dit.ie/btierney/oracle11gdoc/appdev.111/b28370/wrap.htm
Oracle can log many things like who accesses the system, who executes certain packages and procedures, who accesses data etc. The facility is called Auditing or Fine Grained Auditing. Just have a look at the documentation for the AUDIT command.
Having said that, it needs to be turned on explicitly. So if it hasn't been turned on yet, then you won't find any audit information for the past.
For the future, it's probably easier to restrict the access rights of your users to prevent them from doing it than to identify all the functions and places that would require auditing.
Your question is slightly vague... are you the owner (DBA) of the Database? What version of Oracle is it? Are there other DBA's?
Anyway.
Since most users can only export their own schema by default and only DBA's and users specifically granted the EXP_FULL_DATABASE role will be allowed to export your schema. (Try to export somebody elses schema to see if you have privaleges to do this)
If you are the DBA you can make sure all other users don't have the EXP_FULL_DATABSE role. However, if there are other DBA's they will be able to export your schema.
See below for an explanation of how Import / Export works?
To use Export and Import, you must
have the CREATE SESSION privilege on
an Oracle database. This privilege
belongs to the CONNECT role
established during database creation.
To export tables owned by another
user, you must have the
EXP_FULL_DATABASE role enabled. This
role is granted to all database
administrators (DBAs).
If you do not have the system
privileges contained in the
EXP_FULL_DATABASE role, you cannot
export objects contained in another
user's schema. For example, you cannot
export a table in another user's
schema, even if you created a synonym
for it.
Sorry it's a little vague but I hope it helps.
Related
Question: As a DBA/BI Developer, should we install SSMS on the PCs of power-users of business data? What are the risks with this approach?
Context: I love SSMS. It's ergonomically designed and enables not just the exploration and management of the SQL Server, but also the data within it (e.g. select/edit rows)
Our business users are not interested in the server, just the data. Some of them grasp the data models but are limited in what they can do with the data by the production system interfaces. We are initiating BI projects to improve data access in the medium-term.
In the short-term, a quick install of SSMS 2014, a Windows Authenticated Login and User with minimum required permissions, and some training would appear to satisfy some of our data management requirements. Some of the users can already write basic SQL.
You can do it but you cannot grant the users anything but very limited permissions. Do not grant the dbo privileges or even worse SA. Take the time to really lock down what they can do (except for select) and be very careful about what SQL server groups you put them in (if any).
Even on selects you should think about (i.e. don't do it) putting them in the db_datareader group which will allow them to read any table in the database. You can revoke permissions but you may forget to revoke read from at view they shouldn't see. I would grant them limited permissions and as they complain add, if appropriate, more permissions.
I'm looking for links, or an answer here, on to how to properly configure the database permissions to secure a Django app? To be clear, I'm looking specifically for material dealing with grants on the database, not permissions within the Django framework itself.
From the django docs:
https://docs.djangoproject.com/en/dev/topics/install/
If you plan to use Django’s manage.py syncdb command to automatically create database tables for your models (after first installing Django and creating a project), you’ll need to ensure that Django has permission to create and alter tables in the database you’re using; if you plan to manually create the tables, you can simply grant Django SELECT, INSERT, UPDATE and DELETE permissions. On some databases, Django will need ALTER TABLE privileges during syncdb but won’t issue ALTER TABLE statements on a table once syncdb has created it. After creating a database user with these permissions, you’ll specify the details in your project’s settings file, see DATABASES for details.
I've just tested initial setup with MySQL. For python manage.py migrate at least you need following grants for simple operation (if yo use db-preparation):
CREATE, ALTER, INDEX
SELECT, UPDATE, INSERT, DELETE
And, by the way - security matters. You can reduce attack impact by limiting your system exposure. In this case - you can restrict 'DROP' - which is fairly huge plus. If you leave some tricky hole with ability to SQL-inject - you probably reduce the damage. I will research in the future if it will not do any harm to remove DELETE keyword - that would limit potential threats as well. Just because we all leave bugs from time to time :)
I usually:
grant all privileges on my_db.* to my_user#localhost identified by 'my_user_pass'
grant all privileges on test_my_db.* to my_user#localhost identified by 'my_user_pass'
I suppose if there were a bug in django, you might be opening your database up to terrible things, but you'd have other problems if there were that big of a security hole in django.
django minimally needs select, insert, update, and delete, to operate. If you're using test or syncdb at all, you'll also need to be able to create tables, and indexes (and maybe the file permission for loading sql fixtures).
So, for a mysql db, I'd guess the optimal set of permissions might be select, insert, update, delete, create, index, and file. If you wanted to get real nitty-gritty, you could selectively grant these permissions as appropriate on the table level (rather than the db level).
Personally, I find grant all ... easier to type.
What's the purpose of configuring permissions on DB level? If your server is compromised then the attacker will be able to do anything with your database (because he has the login/pass) and permissons won't help. If your server is secured then permissions are useless.
Permissions can make sense if your DB server is available from the outer world, but it is not a good idea to do so.
I use schemas in my databases, but other than the security benefits and the fact that my OCD is happy, I don't really know whay it is good practice to use them. Besides the more granular security, are there other reasons for using schemas when building a database?
The primary pupose of schemas is indeed security. A secondary benefit is that they act like namepaces for your application tables and objects, thus allowing a conflict free side-by-side deployment with other applications that may use same names for its object.
Schema's arose from the original Sql Server. They didn't have schemas which meant that every single object in the database had to be owned by someone. If jill from accounting left the company then you had to manually reassign all her stuff to someone else etc. Schemas now own objects and users belong to schemas, which makes all the DB Admins very happy people :).
Basically you can have users leave and you remove their privileges by removing them from schemas and deleting the user. Adding privileges to a user is now as simple as adding the user to the schema.
We have some corporate intranet users using a WinForms app to work on a system with SQL server behind. Integrated Security is setup, allowing all users update and delete permissions, where application security limits how and where table updates take place.
However, some users are power users with SQL query tools at their disposal, and access the DB directly for building reports. However, with integrated security, they have default update rights on tables where they should not have, as the application apply rules to the updates.
Is this an example of where it's more appropriate providing the app with a central SQL authenticated login, whilst users get read only rights for integrated security?
As Jon mentioned stored procedures would give you the protection over direct table modifications. There are other options too. You can use SQL Server's "Application Role" (via sp_setapprole proc). This enables you to continue to use a separate ID for everyone but only at application connection time (through the front-end) are the user's rights elevated.
A major downside to using a shared ID is you lose track of who is submitting SQL to the server though if they're all internal you can get to the machine name.
Something else is concerning though. It sounds as if your users can connect to the database and run queries at will. You run a major risk of downtime in the application due to user behavior in the directly connected SQL sessions. If you can pull it off you may want to try to have a reporting database created that is updated at intervals that your business can tolerate, i.e., daily. HTH
I presume from the way that you've worded your question that your app executes sql statements directly. If you could refactor it so that it executes stored procedures, you could grant exec rights on the procedures and deny direct updating of the tables. This might not be possible though, depending on what your app does.
sql authentication is one option. Stored procedures are another. However, building more granular roles for assigning just the appropriate permissions to just the appropriate user types is where you should really be looking.
Additionally, I would really avoid giving these users direct access to the DB at all. Security reasons aside, it doesn't take much for a user who isn't proficient in SQL to accidentally execute a query that will swamp your database server and create an effective denial of service. Even pros can do this accidentally from time to time.
Instead, give them access to a reporting services or analysis services type solution, or use replication to give them access to a clone of the data. This way your production system is protected.
Personally I would do all application data access through stored procedures. I would set Integrated security to only allow users to run the SP's and not manipulate the data directly.
Advanced access can be given to DB admins to manipulate the data directly when needed.
Group based permissions will provide you with much more flexibility for access rights, and less administrative burden when controlling these with integrated security.
Can anyone tell me if there are RDBMSs that allow me to create a separate database for every user so that there is full separation of users' data?
Are there any?
I know I can add UID to every table but this solution has its own problems (for example per user database schema changes are impossible).
Doesnt MySQL, PostgreSQL, Oracle and so on and so on allow you to do that?. There's the grant statements to control ACLs
I would imagine most (all?) databases allow you to create a user which you could then grant database level access to? SQL server certainly does.
Another simple solution if you don't need the databases to be massive or scalable, say for teaching SQL to students or having many testers work against their own database to isolate problems is SQLite, that way the whole database is a single file (per user), and each user cannot possibly screw up or interfere with other users.
They can even mail you the databases, or install them anywhere, say at home and at work with no internet required.
MS SQLServer2005 is one which can be used for multiple users.An instance can be created
if you have any, run the previlegs and use one user per instance
Oracle lets you create a separate schema (set of tables, indexes, functions, etc) for individual users. This is good if they should have separate different tables. Creating a new user could be a very expensive operation as you would be making new tables. Updating is a nightmare as well, as you need to update the model for each user.
If you want everyone to have the same set of tables, but only able to view their own records then you could use Fine Grain Access Control or Virtual Private Database features to do this.