Monthly Archives: April 2011

Find User with unlimited Tablespace Quota

When performing a database security audit various informations about users, roles and privileges have to be collected, including “who has unlimited tablespace on SYSTEM”. It is quite easy to find user with UNLIMITED TABLESPACE or a UNLIMITED quota on SYSTEM. But what when the system privilege is assigned to a role or over several roles? It is still easy if you use hierarchical queries to drill down the cascaded roles, but there is plenty to write.

Ok, why do we want to know who has unlimited quota on the SYSTEM tablespace?

User who have unlimited quota on SYSTEM as well the privilege to create tables or clusters could do some kind of denial of service attack to the database. The just have to fill up the free space in the SYSTEM tablespace. If there default tablespace is as well SYSTEM the could even do this without intention.

Then let’s find them

First find the user with direct quota on tablespace SYSTEM.

SELECT username,tablespace_name, bytes, max_bytes
FROM dba_ts_quotas
WHERE max_bytes = -1 AND tablespace_name ='SYSTEM';

USERNAME TABLESPACE_NAME BYTES MAX_BYTES
------------------------- ------------------------- ---------- ----------
SCOTT SYSTEM 0 -1
TEST SYSTEM 0 -1

As mentioned above it is quite easy to find user with system privilege UNLIMITED TABLESPACE.

SELECT * FROM dba_sys_privs WHERE privilege = 'UNLIMITED TABLESPACE'

GRANTEE PRIVILEGE ADM
------------------------------ ------------------------------ ---
WMSYS UNLIMITED TABLESPACE NO
RRDOMREG UNLIMITED TABLESPACE NO
HR UNLIMITED TABLESPACE NO
OE UNLIMITED TABLESPACE NO
SYS UNLIMITED TABLESPACE NO
LOGSTDBY_ADMINISTRATOR UNLIMITED TABLESPACE NO
SCOTT UNLIMITED TABLESPACE NO
BI UNLIMITED TABLESPACE NO
OUTLN UNLIMITED TABLESPACE NO
DBSNMP UNLIMITED TABLESPACE NO
IX UNLIMITED TABLESPACE NO
SH UNLIMITED TABLESPACE NO
DBA UNLIMITED TABLESPACE YES
SYSTEM UNLIMITED TABLESPACE YES

14 ROWS selected.

What about cascaded roles?

Mmh, but since Oracle 11g it is possible to grant UNLIMITED TABLESPACE to a role and this can be granted to an other role which is granted again to an other role. It could be a role concept or somebody who want to hide a little bit some privileges. To test it I’ve created three roles DBA3, DBA2 and DBA1, granted UNLIMITED TABLESPACE to DBA3.

SELECT
grantee,
privilege,
DECODE(p,'=>'||grantee,'direct',p) path
FROM (
SELECT
grantee,
privilege,
SYS_CONNECT_BY_PATH(grantee, '=>') p
FROM (
SELECT
grantee,
privilege
FROM dba_sys_privs
UNION ALL
SELECT
grantee,
granted_role privilege
FROM
dba_role_privs)
START WITH privilege = 'UNLIMITED TABLESPACE'
CONNECT BY PRIOR grantee = privilege )
WHERE
(grantee IN (SELECT username FROM dba_users)
OR grantee = 'PUBLIC');

GRANTEE PRIVILEGE PATH
--------- ----------------------- -------------------------------
BI UNLIMITED TABLESPACE direct
SYS DBA =>DBA=>SYS
SYSTEM DBA =>DBA=>SYSTEM
SCOTT DBA1 =>DBA3=>DBA2=>DBA1=>SCOTT
SYS DBA1 =>DBA3=>DBA2=>DBA1=>SYS
SYS DBA2 =>DBA3=>DBA2=>SYS
SYS DBA3 =>DBA3=>SYS
DBSNMP UNLIMITED TABLESPACE direct
HR UNLIMITED TABLESPACE direct
IX UNLIMITED TABLESPACE direct
SYS LOGSTDBY_ADMINISTRATOR =>LOGSTDBY_ADMINISTRATOR=>SYS
OE UNLIMITED TABLESPACE direct
OUTLN UNLIMITED TABLESPACE direct
RRDOMREG UNLIMITED TABLESPACE direct
SH UNLIMITED TABLESPACE direct
SYS UNLIMITED TABLESPACE direct
SYSTEM UNLIMITED TABLESPACE direct
WMSYS UNLIMITED TABLESPACE direct

18 ROWS selected.

We now see that SCOTT has UNLIMITED TABLESPACE through DBA3, DBA2 and DBA1

All wrapped up

Ok, create one to find user’s with direct quotas as well through a system privilege will give something like this.

SELECT
username,
tablespace_name,
privilege
FROM (
SELECT
grantee username, 'Any Tablespace' tablespace_name, privilege
FROM (
-- first get the users with direct grants
SELECT
p1.grantee grantee, privilege
FROM
dba_sys_privs p1
WHERE
p1.privilege='UNLIMITED TABLESPACE'
UNION ALL
-- and then the ones with UNLIMITED TABLESPACE through a role...
SELECT
r3.grantee, granted_role privilege
FROM
dba_role_privs r3
START WITH r3.granted_role IN (
SELECT
DISTINCT p4.grantee
FROM
dba_role_privs r4, dba_sys_privs p4
WHERE
r4.granted_role=p4.grantee
AND p4.privilege = 'UNLIMITED TABLESPACE')
CONNECT BY PRIOR grantee = granted_role)
-- we just whant to see the users not the roles
WHERE grantee IN (SELECT username FROM dba_users) OR grantee = 'PUBLIC'
UNION ALL
-- list the user with unimited quota on a dedicated tablespace
SELECT
username,tablespace_name,'DBA_TS_QUOTA' privilege
FROM
dba_ts_quotas
WHERE
max_bytes = -1 )
WHERE tablespace_name LIKE UPPER('SYSTEM')
OR tablespace_name = 'Any Tablespace';

USERNAME TABLESPACE_NAME PRIVILEGE
------------------------- ------------------------- ------------------------------
...
SYSTEM Any Tablespace UNLIMITED TABLESPACE
SYS Any Tablespace DBA
SYSTEM Any Tablespace DBA
SCOTT Any Tablespace DBA1
SYS Any Tablespace DBA1
SYS Any Tablespace DBA2
SYS Any Tablespace DBA3
SYS Any Tablespace LOGSTDBY_ADMINISTRATOR
TEST SYSTEM DBA_TS_QUOTA

19 ROWS selected.

Due to the fact that the query is far to long to write more than one time, I’ve put everything in one script.

@tsq SYSTEM

USER Name Tablespace Name Privilege
------------- ---------------------- -------------------------
BI Any Tablespace UNLIMITED TABLESPACE
DBSNMP Any Tablespace UNLIMITED TABLESPACE
HR Any Tablespace UNLIMITED TABLESPACE
IX Any Tablespace UNLIMITED TABLESPACE
OE Any Tablespace UNLIMITED TABLESPACE
OUTLN Any Tablespace UNLIMITED TABLESPACE
....

The tsq.sql script can be downloaded at the script section of OraDBA or direct ( tsq.sql). All OraDBA scripts can also be downloaded as a complete archive ( oradba.tgz).

Mac OS X Terminal Compatibility Settings

I start using iTerm rather than Terminal to work on the command line. In my opinion it is much more powerful to setup some window groups. Several tabs and/or windows can be stored and managed as bookmarks. The manipulation of window and tab title seams also a bit easier. But that is not the topic of this post

When working on the command line I also use TVDBasenv. Starting a new session always display the status of environment / databases.

Last login: Tue Apr 26 22:17:55 on ttys014

Down/dummy : rdbms1020 rdbms1020IC

Listener : Down

user@host:~/ [rdbms1020IC]

Unfortunately in iTerm this does not work in the same way as in Terminal.

Last login: Tue Apr 26 21:52:17 on ttys010
ps: illegal option -- f
usage: ps [-AaCcEefhjlMmrSTvwXx] [-O fmt | -o fmt] [-G gid[,gid...]]
[-u]
[-p pid[,pid...]] [-t tty[,tty...]] [-U user[,user...]]
ps [-L]

Down/dummy : rdbms1020 rdbms1020IC

Listener : Down

user@host:~/ [rdbms1020IC]

I first thought that the two Application are using a different PATH and therefore a different ps. But all the following test have shown the same output on both environments.

user@host:~/ [rdbms1020IC] which ps
/bin/ps

user@host:~/ [rdbms1020IC] type -a ps
ps is /bin/ps

The comparison of the environment variables finally showed a few differences.

diff iterm.txt terminal.txt
...
< COLORFGBG=0;15
< COMMAND_MODE=legacy
---
> COMMAND_MODE=unix2003
< TERM_PROGRAM=iTerm.app
---
> TERM_PROGRAM=Apple_Terminal
> TERM_PROGRAM_VERSION=273.1
...

It seams that COMMAND_MODE does the trick. In iTerm it is set to legacy while Terminal is using unix2003. So setting COMMAND_MODE to legacy cause utility programs like ps to behave as closely to Mac OS X 10.3′s utility programs, while setting it to unix2003 causes utility programs to obey the Version 3 of the Single UNIX Specification (SUSv3).

To fix my issue I simply have to add COMMAND_MODE=unix2003 to my .bash_profile.

More information on manipulating the compatibility settings can be found in
man 5 compat

Script to download Oracle Patch

Downloading Oracle software, patch or patch-set via web browser is handy if you need the software on your client PC or if you just download small patch’s. As soon as you want, however, download a greater volume of patches or a large patch set, it gets cumbersome. After downloading the patch must be copied to the target system. All steps could be quite time consuming depending on your network throughput.

WGET Option

Since a while it is possible to select a WGET Option in the download dialog rather than downloading each file individual (red box in the picture below).

In a new dialog box you then my download or copy the wget download script for the selected patch’s.

Before starting the download via script the MOS credential have to be modified eg. SSO_USERNAME=youraccount
SSO_PASSWORD=yourpassword

But…

So far so good, but currently it is now working. According to Oracle Support this is a known issue and there is the Bug 12372706: WGET SCRIPTS FROM MOS FAIL IN PRODUCTION.

To workaround each file has to be downloaded manually with wget.

wget --http-user=username --http-password=password --no-check-certificate \
--output-document=filename "paste the above copied address here in quotes"

The URL’s can be copied from the download dialog above. If more than just one patch have to be downloaded wget can be put in a for loop which get’s the URL’s from a text file.

Download URL’s

Text File with Patch URL’s

#Linux x86-64
https://updates.oracle.com/Orion/Services/download/p10098816_112020_Linux-x86-64_1of7.zip?aru=13149219&patch_file=p10098816_112020_Linux-x86-64_1of7.zip
https://updates.oracle.com/Orion/Services/download/p10098816_112020_Linux-x86-64_2of7.zip?aru=13149219&patch_file=p10098816_112020_Linux-x86-64_2of7.zip
https://updates.oracle.com/Orion/Services/download/p10098816_112020_Linux-x86-64_3of7.zip?aru=13149219&patch_file=p10098816_112020_Linux-x86-64_3of7.zip
https://updates.oracle.com/Orion/Services/download/p10098816_112020_Linux-x86-64_4of7.zip?aru=13149219&patch_file=p10098816_112020_Linux-x86-64_4of7.zip
https://updates.oracle.com/Orion/Services/download/p10098816_112020_Linux-x86-64_5of7.zip?aru=13149219&patch_file=p10098816_112020_Linux-x86-64_5of7.zip
https://updates.oracle.com/Orion/Services/download/p10098816_112020_Linux-x86-64_6of7.zip?aru=13149219&patch_file=p10098816_112020_Linux-x86-64_6of7.zip
https://updates.oracle.com/Orion/Services/download/p10098816_112020_Linux-x86-64_7of7.zip?aru=13149219&patch_file=p10098816_112020_Linux-x86-64_7of7.zip

Download more patch

For loop to download the patch’s:

for i in $(cat download_url.txt|grep -v ^#)
do
OUTPUT_FILE=$(echo "$i"|cut -d= -f3)
echo "download $OUTPUT_FILE from '$i'" >> $LOGFILE 2>&1
wget --http-user=MOS_USER --http-password=MOS_PASSWORD --no-check-certificate \
-O $OUTPUT_FILE "$i" >> wget_logfile.log 2>&1
done

MOS Download Script

I’ve put everything in a small script. To download the patch a text with the download URL’s have to be specified

mos_download_url.sh -h
INFO : Usage, mos_download_url.sh [-hv]
INFO : -h Usage (this message)
INFO : -u <user> MOS user account
INFO : -p <password> MOS password
INFO : -f <file> Text file with download url
INFO : Logfile : mos_download_url.sh-04-22-11-1422.log
</file></password></user>

Run the script with nohup on a stage server to download a few patchs.

nohup mos_download_url.sh -u me@domain.com -p secret -f download_url.txt &

The mos_download_url.sh script can be downloaded in the script section of OraDBA or direct ( mos_download_url.sh).

Oracle Database Firewall Test Environment

I’ve tried to have a closer look into the new Oracle Database Firewall. Unfortunately I’ve struggled around already with the installation or more with the setup of the test environment. But lets start at the beginning. According to the Installation Guide Oracle® Database Firewall Installation Guide Database Firewall and Management Server has the following hardware requirements:

Oracle Enterprise Linux 5 Update 5
1 GB Memory
80 GB of disk space
Three network ports

First Steps

Because I planned to set up the Database Firewall in in-line mode, therefor I’ve decided to setup three VM’s. a Database Server, a Windows Client and the Database Firewall VM (see picture further down). All VM’s has been configured with network interface type host-only. I’ve just assumed that the TCP/IP network (eg. subnet’s) can be configured a bit later and I’ve “overread” that the Database Firewall is working as a network bridge rather than a router. So I’ve ended up with a network bridge where both ports have been connected to the same switch. If I would have to setup the test environment physically I would never get the idea to do this

Solution

Configure the in-line mode means setting up a transparent network bridge between two physical separated network. The IP network is the same as without Database Firewall.

For my test environment on VMWare Fusion I’ve created a second host-only network vmnet2. VMWare Workstation has a utility to add more network’s but on VMWare Fusion this has to be done manually (config files or with tokamak.sh). This second network has the same IP range and network mask as the vmnet1, but it is only available through the database firewall. That means on the host system is no routing configured.
As you can see in the image below, the Database VM and on interface of the Database Firewall are configured to use vmnet2. The two other interface on the Database Firewall as well the Windows Client VM are configured to use vmnet1.

Demo Infrastruktur

As soon as the VM’s are configured with the right networks, it is an easy task to install and configure the Database Firewall according the short Documentation (Installing Oracle Database Firewall ).

Since I have now a running test environment I’ll start to make a few test with the Database Firewall. Stay tuned to read more….

Oracle CPU Pre-Release Announcement – April 2011

Late last week Oracle published the Oracle Critical Patch Update Pre-Release Announcement – April 2011. The official Oracle Critical Patch Update for April 2011 will be released somewhen on the 19th of april.

This CPU includes up to 73 security fixes for all kind of Oracle products. 6 out of them are just forfor the Oracle Database Server. 2 of these vulnerabilities may also be remotely exploitable without authentication. Due to the fact that the highest CVSS score for the database security fixes is just 6.5 this CPU does not look as critical as others. But to make a clear statement we have to wait for the official release of the patch’s. As soon as they are available I’ll make some tests.

More information on the CPU and Oracle Security:

Critical Patch Updates and Security Alerts)
On this blog as soon as I could have a closer look into the CPU

Oracle Database Firewall Test Environment

I’ve screwed up somehow this post and created a new one Oracle Database Firewall Test Environment. This is mini post is just to make sure that an already published permalink does not points to /dev/null…