Skip to Main Content
  • Questions

  • security of full export or user export

Breadcrumb

Question and Answer

Tom Kyte

Thanks for the question, Doug.

Asked: November 11, 2008 - 6:20 pm UTC

Last updated: November 12, 2008 - 2:56 pm UTC

Version: 10.2.0.3

Viewed 1000+ times

You Asked

Tom - a full export is being provided to a new vendor so they may "do something" with it. A concern has been raised that the passwords for all the important schemas will be available in the export - and therefore compromise security of the original production database. Is there a way to change the user passwords in the export? The only idea suggested is to re-import it into a dev database, change all the passwords and re-export it, which seems like it would take a lot of time. The production passwords cannot be changed because it is ..well.. production. Any suggestions?

Thanks,
Dc.

and Tom said...

In the export dump file, you will find:

$ grep --text 'CREATE USER' expdat.dmp
CREATE USER "OUTLN" IDENTIFIED BY VALUES '4A3BA55E08595C81' TEMPORARY TABLESPACE "TEMP_NEW" PASSWORD EXPIRE ACCOUNT LOCK
CREATE USER "TSMSYS" IDENTIFIED BY VALUES '3DF26A8B17D0F29F' DEFAULT TABLESPACE "USERS" TEMPORARY TABLESPACE "TEMP_NEW" PASSWORD EXPIRE ACCOUNT LOCK
CREATE USER "ANONYMOUS" IDENTIFIED BY VALUES 'anonymous' DEFAULT TABLESPACE "SYSAUX" TEMPORARY TABLESPACE "TEMP_NEW" PASSWORD EXPIRE ACCOUNT LOCK
CREATE USER "OLAPSYS" IDENTIFIED BY VALUES '3FB8EF9DB538647C' DEFAULT TABLESPACE "SYSAUX" TEMPORARY TABLESPACE "TEMP_NEW" PASSWORD EXPIRE ACCOUNT LOCK
CREATE USER "MDDATA" IDENTIFIED BY VALUES 'DF02A496267DEE66' DEFAULT TABLESPACE "USERS" TEMPORARY TABLESPACE "TEMP_NEW" PASSWORD EXPIRE ACCOUNT LOCK
CREATE USER "SYSMAN" IDENTIFIED BY VALUES '447B729161192C24' DEFAULT TABLESPACE "SYSAUX" TEMPORARY TABLESPACE "TEMP_NEW"
CREATE USER "MGMT_VIEW" IDENTIFIED BY VALUES '4F538DF5F344F348' TEMPORARY TABLESPACE "TEMP_NEW" PASSWORD EXPIRE ACCOUNT LOCK


which means the passwords won't be there - BUT - they could easily find a password cracker with a 'library' of commonly used ones and probably brute force many or most of your passwords (the use of so called rainbow tables will make it even faster - for usernames that are 'common' like sys and system, they can just compare hashes and if you use a password that someone has and is in the rainbow table, it'll instantly give them that password)



However, to that I say "so what" in your case.


You just gave them the entire database without ANY ACCESS CONTROL - they'll log in as sysdba and see everything. So, who cares if they have your passwords.


Meaning - I don't think you should do this, this is not a reasonable request. They should request just the data they need, period. And you would provide just the data - table exports - period.

Just my two cents worth, you should not let your hashes out, they can be cracked brute force.

Rating

  (2 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

If you must do it

Karam, November 12, 2008 - 3:46 pm UTC

I agree with Tom but if you must do it consider this two-step approach.

1. Export (expdp) using CONTENT=METADATA_ONLY. Use impdp and generate a .sql file. In this file replace all occurences IDENTIFIED BY VALUES 'AAAAAAAAAAAAAA16' with IDENTIFIED BY <new_password>

2. Export using CONTENT=DATA_ONLY.

Give the .sql file from step 1 and .dmp file from step 2 to them.

Also, if you're on 11g you might want to protect sensitive data using Data Remapping (Obfuscation) feature.


pete, November 14, 2008 - 5:25 pm UTC

I would also agree with Tom. A full export would be of limited value to any end recipient anyway in terms of application data. You can't do a full import of a full export into an existing database - you'll corrupt the data dictionary. You would still have to do a user-level import if you just wanted the data.

All the full export would do is compromise your passwords, and any other security configuration you have in place (profile definitions, auditing configuration, triggers, and just about all the behind-the-scenes configuration you don't want ANYONE to see). A user-level export that only includes application data would be FAR better.
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's channel and Chris's channel from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.