ALTER SESSION Privilege Allows Dump of Trace Files Holding Potentially Sensitive Data
Creation Date: 10-SEP-2002
Last Revision Date: 09-OCT-2002
This alert warns users that ALTER SESSION privilege can produce trace files
which may show sensitive data, such as literal password changes issued by
other users. It also covers details of the risks of allowing access to trace
files.
DESCRIPTION
There are key precautions that should be taken in order to prevent malicious
users from obtaining sensitive information via trace files. In general:
- Read access to trace files should be strictly limited to trusted users.
- Users should be granted minimal privileges required to perform their tasks.
In particular, the ALTER SESSION privilege allows users to produce diagnostic
trace files, which may contain sensitive data.
PRODUCTS AFFECTED
All supported Oracle Database releases up to and including Oracle9i Database
Release 2.
PLATFORMS AFFECTED
All
PATCH AVAILABILITY
There are no patches available. This is not an Oracle bug.
This alert is published to raise awareness of the risks involved in poor
management of privileges and access to trace files.
SOLUTION
Use the least privilege principle. Set permissions on the host operating
system such that only trusted users can access trace files and the init.ora
file, especially in production environments.
Refer to the Oracle9i Database Release 2 Secure Configuration Guide or Security
Checklist on OTN for the version of the database you run. Excerpt:
[Ensure] that when providing a path or file to the database, neither the file
nor any part of the path is modifiable by an untrusted user. The file and all
components of the path should be owned by the DBA or some trusted account,
such as root. This recommendation applies to all types of files: data files,
log files, trace files, external tables, bfiles, etc.
Dumping sensitive information
There are many ways users can dump trace files (which may contain sensitive
information). In particular, the ALTER SESSION privilege allows a user to execute
ALTER SESSION SET EVENTS commands that dump diagnostic traces. Such traces may
contain sensitive information such as password details. The following SQL can
be used to check which users and roles have the ALTER SESSION privilege:
SELECT * FROM dba_sys_privs WHERE privilege='ALTER SESSION';
Note that the default CONNECT role includes the ALTER SESSION privilege.
Users granted the CONNECT role can be identified using the SQL:
SELECT * FROM dba_role_privs WHERE granted_role='CONNECT';
Other less obvious ways that a user can force a trace file to be produced
include:
- Execute privilege on DBMS_SYSTEM allows dumps of trace files.
- If the EVENT parameter has been set at a system wide level to collect
diagnostic information on a particular error then a user may force that
error in order to generate a trace file.
- Some errors, especially internal errors, can produce diagnostic trace files.
Users may be able to force such an error to occur.
As there are several ways that sensitive data may be dumped, it is important to
limit access to trace files as described below.
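As an added example (not part of the original alert), the following SQL, run as a DBA, combines the two checks above into one audit: it lists direct ALTER SESSION grants, follows role-to-role grants so that users who inherit the privilege through CONNECT or any nested role are found, and covers the DBMS_SYSTEM route. It then shows how to replace CONNECT with a role that carries only CREATE SESSION. The role name login_only and the account scott are placeholders; only standard data dictionary views are assumed.

```sql
-- Added example, not from the Oracle alert. Run as a DBA.

-- 1. Direct grants of ALTER SESSION to users or roles.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'ALTER SESSION';

-- 2. Users who inherit ALTER SESSION through a role, following
--    role-to-role grants. On releases up to 9i R2 the default
--    CONNECT role is the usual carrier. Oracle forbids circular role
--    grants, so the hierarchical query terminates.
SELECT DISTINCT grantee
  FROM dba_role_privs
 WHERE grantee IN (SELECT username FROM dba_users)
 START WITH granted_role IN (SELECT grantee
                               FROM dba_sys_privs
                              WHERE privilege = 'ALTER SESSION'
                                AND grantee IN (SELECT role FROM dba_roles))
CONNECT BY granted_role = PRIOR grantee;

-- 3. Who can execute DBMS_SYSTEM, whose procedures can enable
--    tracing in other sessions.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_SYSTEM';

-- 4. Remediation pattern: a role that only allows logging in.
--    login_only and scott are placeholder names.
CREATE ROLE login_only;
GRANT CREATE SESSION TO login_only;
REVOKE CONNECT FROM scott;
GRANT login_only TO scott;
```

Query 2 filters the result to real accounts via DBA_USERS; drop that WHERE clause to see the intermediate roles as well. Repeat the audit after any change to role definitions, since privileges added to a role reach every grantee immediately.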
Access to trace files
Only trusted users should be allowed read access to trace files.
Trace files are generated in the locations set by the following init.ora
parameters:
- background_dump_dest
- user_dump_dest
- core_dump_dest
You are advised to check (and monitor) the following:
- The _TRACE_FILES_PUBLIC init.ora parameter should not be set to TRUE, because
Oracle then creates trace files that are readable by all operating system users.
- Ensure that the UTL_FILE_DIR parameter does not point at your trace file
destinations, and do not use a wildcard such as * as its value (UTL_FILE_DIR=*
has a special meaning: it turns off directory checking and makes every
directory accessible through UTL_FILE).
- Ensure users do not have the CREATE DIRECTORY privilege, as it allows them to
create a DIRECTORY object that points at the trace file location, which can
then be used to read the trace files (e.g. via a BFILE or by creating an
EXTERNAL TABLE).
- Ensure trace directories are not on exported or remote mountable file systems.
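The checklist above can be turned into a single review script. The SQL below is an added example, not part of the alert, and is run as SYS because hidden parameters such as _TRACE_FILES_PUBLIC are not visible in V$PARAMETER and must be read from the X$KSPPI/X$KSPPCV fixed tables. It reports the dump destinations, the EVENT and UTL_FILE_DIR settings, the hidden parameter, who holds the directory-creation system privilege (stored as CREATE ANY DIRECTORY in DBA_SYS_PRIVS), and any DIRECTORY object whose path lies under a dump destination together with the users allowed to read through it.

```sql
-- Added example, not from the Oracle alert. Run as SYS.

-- 1. Dump destinations plus the two parameters the alert warns about.
--    UTL_FILE_DIR must not be '*' and must not overlap any *_dump_dest;
--    a system-wide EVENT setting lets any user who triggers that error
--    produce a trace file.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('background_dump_dest', 'user_dump_dest',
                'core_dump_dest', 'utl_file_dir', 'event');

-- 2. Hidden parameter: anything other than FALSE makes new trace files
--    world-readable at the operating system level.
SELECT i.ksppinm AS name, v.ksppstvl AS value
  FROM x$ksppi i, x$ksppcv v
 WHERE i.indx = v.indx
   AND i.ksppinm = '_trace_files_public';

-- 3. Who can create DIRECTORY objects at all.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE ANY DIRECTORY';

-- 4. DIRECTORY objects that expose a dump destination (prefix match,
--    so a trailing slash or a sub-directory still counts), and the
--    grantees who may read through them. Outer join keeps directories
--    that have no grants yet.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
  FROM dba_directories d, dba_tab_privs p
 WHERE p.table_name (+) = d.directory_name
   AND EXISTS (SELECT 1
                 FROM v$parameter v
                WHERE v.name IN ('background_dump_dest',
                                 'user_dump_dest', 'core_dump_dest')
                  AND d.directory_path LIKE v.value || '%');
```

Anything returned by queries 3 and 4 is a finding to act on: revoke the privilege, drop or re-point the DIRECTORY object, or move the dump destination. The script only covers what the database can see; the operating system permissions on the dump directories and on init.ora still have to be verified on the host.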
Summary
Be careful which privileges are granted to which users, and limit access to
trace files.