Bugtraq mailing list archives

Re: Breakable


From: uid0 () catastrophe net
Date: Fri, 18 Jan 2002 14:29:43 -0600

On Thu, 2002-01-17 at 13:47:16 -0500, Jonathan A. Zdziarski wrote...

; 2. The database comes with a handful of pre-existing "demo" accounts
; with preset passwords (e.g. SCOTT/TIGER, and a few others).

True, but linuxes now come with accounts susceptible to being owned by SSHD
exploits (the "!!" as passwords).

; 3. Shell commands can by default be executed by a connected sqlplus
; user, without any particularly special privileges.  For example:
; 
; SQL> !pwd
; /export/home/jonz
; 
; SQL> host
; $

You're local at this point -- just as you can break out of ftp clients.

; 4. Auditing is turned off by default

As it is under most UNIXes.

It seems like the whole argument about this is "best practice", and in that
regard, no - you shouldn't be putting databases out there UNLESS you have a
clue. And if not, get owned.

It's one thing to make comments on an end-user operating system such as
certain Microsoft products (if not all), but Oracle is intended to be run in
production, on wonderful hardware, with lots of money paid. Surely you
wouldn't hire some junior administrator to install and configure it. And if
so, you get what you pay for.

-#0
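The three quoted points (demo accounts, the sqlplus shell escape, auditing off) each have a standard Oracle-side mitigation. The script below is an added example, not part of this thread, and assumes a DBA session on a 9i-era instance with an spfile; SCOTT is the demo account named in the thread, the remaining names are Oracle's own.

```sql
-- Added example: harden the defaults discussed in the thread (run as a DBA).

-- 1. Lock and expire the demo account named in the thread; repeat for any
--    other sample schemas the installer created.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- 2. Disable the SQL*Plus HOST command (which also covers the "!" and "$"
--    shortcuts shown in the thread) for every ordinary user, via the
--    PRODUCT_USER_PROFILE table owned by SYSTEM (created by pupbld.sql).
--    '%' is a SQL wildcard matching all usernames. Caveat: this is a
--    client-side control that only SQL*Plus honours, and it is not applied
--    to SYS or to sessions connected AS SYSDBA.
INSERT INTO system.product_user_profile (product, userid, attribute, char_value)
  VALUES ('SQL*Plus', '%', 'HOST', 'DISABLED');
COMMIT;

-- 3. Turn auditing on: set the instance parameter (takes effect after a
--    restart), then audit logons so successful and failed connections land
--    in the audit trail.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
AUDIT SESSION;

-- Check the result: which accounts are still open, and the restriction row.
SELECT username, account_status FROM dba_users WHERE account_status = 'OPEN';
SELECT userid, attribute, char_value FROM system.product_user_profile;
```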
