ALTER SESSION Privilege Allows Dump of Trace Files Holding Potentially Sensitive Data
Creation Date: 10-SEP-2002
Last Revision Date: 09-OCT-2002
This alert warns users that ALTER SESSION privilege can produce trace files which may show sensitive data, such as literal password changes issued by other users. It also covers details of the risks of allowing access to trace files.
There are key precautions that should be taken in order to prevent malicious users from obtaining sensitive information via trace files. In general:
All supported Oracle Database releases up to and including Oracle9i Database Release 2.
There are no patches available. This is not an Oracle bug. This alert is published to raise awareness of the risks involved in poor management of privileges and access to trace files.
Use the least privilege principle. Set permissions on the host operating system such that only trusted users can access trace files and the init.ora file, especially in production environments.
Refer to the Oracle9i Database Release 2 Secure Configuration Guide or Security Checklist on OTN for the version of the database you run. Excerpt:
[Ensure] that when providing a path or file to the database, neither the file nor any part of the path is modifiable by an untrusted user. The file and all components of the path should be owned by the DBA or some trusted account, such as root. This recommendation applies to all types of files: data files, log files, trace files, external tables, bfiles, etc.
Dumping sensitive information
SELECT * FROM dba_sys_privs WHERE privilege='ALTER SESSION';
Note that the default CONNECT role includes the ALTER SESSION privilege. Users granted the CONNECT role can be identified using the SQL:
SELECT * FROM dba_role_privs WHERE granted_role=CONNECT;
Other less obvious ways that a user can force a trace file to be produced include:
Access to trace files
Only trusted users should be allowed read access to trace files. These trace files generally are generated in locations set by init.ora parameters:
Be careful which privileges are granted to which users and limit access to tracefiles.