We have a terminal server that has two copies of our application: a live version, and a test version.
These are 2 icons on the users desktop. Now when you launch the application, you type in the name of the oracle database that the application connects to.
We want to prevent users accessing the production database when they use the TEST icon, and prevent users accessing the TEST environments when they use the PROD icon.
Unfortunately we can't do this through the application, and we do not want to go down the route of getting the application modified by the vendor. The application uses a single tnsnames.ora file to connect to the database for both the test version and the prod version, so we can't change this (unless there is a way to use multiples?).
I was thinking we could have a local firewall that would prevent the test application from accessing the live server (just block the connection), but at the moment, they are both on the same server!
So, can anyone think of a way to prevent a certain application accessing an Oracle database? The application EXE has the same name, but it is run from a different path depending if it is a test version or the prod version.
Since you have control of the environment on the terminal server, one fairly simple option is to wrap the application in a batch file that forces it to use a restricted tnsnames.ora.
Create two directories, e.g. test_tns_admin and live_tns_admin. Put a copy of your tnsnames.ora in each directory, but edit them so each only has the TNS alias for one target database.
Create two batch files, e.g. live.bat and test.bat. In each, set the TNS_ADMIN admin variable to point to the appropriate directory, and then launch the real application. So test.bat might look like:
::Batch wrapper for the TEST application
#set TNS_ADMIN="\path\to\test_tns_admin"
#"\path\to\real\application.exe"
... and live.bat is the same but pointing to the other directory. You can put shortcuts to the batch files on the desktop instead of the real applications. When one of those is run and the the application launches, the TNS_ADMIN will mean it picks up the cut-down tns_names.ora, so only the TEST TNS alias will be recognised. Nothing else on the terminal server or database is affected.
You don't even really need two new tnsnames.ora files; you could remove the TEST alias from the existing system-wide one and leave the live application alone, only replacing the test launcher with a batch file - that might be preferable since live isn't touched, but depends how you want to manage it, and whether it will be clearer to have them both working the same way.
There is a view called v$session
and the query bellow shows any session information
select username,program
from v$session
You may have a table for listing restricted(or allowed) program names
CREATE TABLE RESTRICTED_PROGRAMS(
PROGRAM_NAME VARCHAR2(64))
INSERT INTO RESTRICTED_PROGRAMS VALUES ('TEST.exe');
COMMIT;
you can use the script bellow to create a AFTER LOGON ON TRIGGER
CREATE OR REPLACE TRIGGER logon_audit
AFTER LOGON ON database
DECLARE
v_program VARCHAR2(100);
BEGIN
SELECT program into v_program;
FROM v$session
WHERE audsid = userenv('sessionid');
for x in (SELECT * FROM RESTRICTED_PROGRAMS) loop
IF upper(v_program) == upper(x.PROGRAM_NAME) THEN
RAISE_APPLICATION_ERROR(-20001,
'You are not allowed to login using ' ||
v_program);
end if;
end loop;
END;
If a user can connect to you database using application X.exe, then if they rename Y.exe to X then they're still in.
Related
I have an Ansible script to update and maintain my WildFly installation. One of my tasks in this setup is managing the MySQL-driver and in order to perform an update on that driver, I have to first disable the application that uses that driver, before I can replace the it and set up all my datasources anew.
My CLI script starts with the following lines:
if (outcome == success) of /deployment=my-app-1.1.ear:read-resource
deployment disable my-app-1.1.ear
end-if
My problem is that I am here very depending on the actual name of the application and that name can change over time since I have my version information in there.
I tried the following:
set foo=`ls /deployment`
deployment disable $foo
It did not work since when I look at foo I see that it was not my-app-1.1.ear but ["my-app-1.1.ear"] -- so I feel that I might be going in the right direction, even though I have not got it right.
I'm using "COPY SELECT ... INTO file" statement from within application code. After file is ready, next step is to move the file to different location. The only problem is that file created by MonetDB has only root permissions so my application code can't touch it. Is there a way to configure MonetDB so dumps are saved as specified user? or my only solution is to iterate results in batches in application and save to file that way. Dumps can range from several MB to 1GB.
You could run MonetDB as the same user that your application server is configured for. Also, both your application server and MonetDB probably should not run as 'root'.
There is no direct support to export files with different permissions. You could try configuring the umask for the user that the starts the DB.
Our application builds an Access database (.mdb) and then starts a different application with the Shell command which needs Read/Write Access to this very database. The problem is that on some systems our application seems erratically to retain an exclusive lock on the database, preventing the other application from accessing it. Only after closing down the first application can the other application proceed.
The specific Error that is raised is Error 3028, which seems to be specific for DAO 3.51 (Access '97) which we indeed employ. I cannot understand why some systems are affected (and then not consistently) and others never. I thought that it might be a timing issue and built in a Sleep period between building the database and launching the other application, but that does not help.
What is going on?
EDIT:
I now created a workaround by creating the database in a separate file and then copying it. Now the second program should always be able to access it and any remaining lock problems will surface in the first program, which I maintain. I will follow up later when our users have been able to test this.
Are you closing the connection to the DB before passing control to another EXE?
I had a similar issue previously which wasn't quite the same but from what you have described this is the approach I would try:
Before lauching the secondary application with the shell command.
Alongside the sleep period you have already employed you will also need to close the original program which generated the .mdb file.
I achieved this by shelling a windows batch file, and then immediately exiting the original program.
Batch file makeup as follows:
ping -n 5 localhost >NUL
start MSAccess.exe "C:\DB.mdb"
exit
This allows 5 seconds for the mdb file to be freed-up before launching, you could replace my Ms Access call with your secondary program.
I'm trying to obtain the full path of the server's desktop using a plsql script. running the script on the server itself.
There seems to be no methods inside plsql to retrieve it. I need to spool the output of my script to the desktop no matter on which computer/server. So the username and desktop path can be different on other machines.
EDIT:
Currently trying:
dbms_system.get_env('userprofile', desktop);
I can get the path of the desktop but it is not the current user's one. What i get is C:\Documents and Settings\Default User\Desktop
Also have tried:
SQL> host echo %username%
Administrator
Ultimately the path i need is i.e. C:\Documents and Settings\Administrator\Desktop
but the username cannot be hardcoded...
Generally a server can't write directly to a client's desktop / filesystem. The client software requests a stream of data from the server and then the client may write it to the screen, a file....
If the client software isn't being co-operative, I'd look at emailing the results to the user.
[You can get the OS_USER and IP of the client using SYS_CONTEXT and USERENV, but that probably isn't useful, and definitely not if they have come through an app-server.]
By default concurrent manager jobs are run under the APPS user. Is it possible to configure it to run as another user? I'd like to be able to isolate some of my stored procedures.
Not aware of any standard way, but you could code your concurrent request to handle that. E.g. copy fnd_concurrent_requests, then in the "real" concurrent program insert into your custom_fnd_concurrent_requests "select * from fnd_concurrent_requests". Create dbms_job or something to poll your custom table, and get it to call your "real" program - make sure you fnd_global.initialize with the user, resp, and appl from fnd_concurrent_requests, and direct output to your own files using utl_file rather than fnd_file.