Why one should change password for the database user people?
Written by RD   
Friday, 08 February 2008

I have seen at many client sites that the password for the user people is still the default password. Anyone who knows the TNS name details of the database can then use the people user ID to read secure tables such as PSOPRDEFN.

Try this against your production database from a DOS prompt on your PC (you need an Oracle client installed and a TNS entry for your production DB):

sqlplus people/defaultpassword@yourproductiondbSID

SELECT * FROM psoprdefn;

This returns all the details held in that table in your prod DB. Even though they cannot use it to log in to your production DB or update the data in that table, they can get vital information such as OPRID, OPRDEFNDESC, EMAILID, ACCTLOCK, LASTSIGNONDTTM, etc.
If that information reaches someone who knows how to use it, you are exposing your data to others, which is a SOX breach.

PS: I have not mentioned what the default password is here, for obvious reasons.
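An audit a DBA can run before and after changing the password, to see the state of the account and everything it can reach. This is an added example, not part of the original post; it assumes the connect ID is named PEOPLE as on this page and uses the standard Oracle dictionary views DBA_USERS, DBA_TAB_PRIVS, DBA_COL_PRIVS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS.

```sql
-- Added example: run as a DBA account (for example SYSTEM).
-- Assumption: the PeopleSoft connect ID is the database user PEOPLE.

-- 1. Account state: is the account open, and which password profile applies?
SELECT username, account_status, lock_date, expiry_date, profile, created
FROM   dba_users
WHERE  username = 'PEOPLE';

-- 2. Everything granted directly to PEOPLE, grouped by kind of privilege.
--    The connect ID should hold only the few SELECT grants it needs;
--    any system privilege or role beyond CREATE SESSION deserves a look.
SELECT 'OBJECT' AS kind,
       owner || '.' || table_name AS target,
       privilege,
       grantor
FROM   dba_tab_privs
WHERE  grantee = 'PEOPLE'
UNION ALL
SELECT 'COLUMN',
       owner || '.' || table_name || '.' || column_name,
       privilege,
       grantor
FROM   dba_col_privs
WHERE  grantee = 'PEOPLE'
UNION ALL
SELECT 'SYSTEM', CAST(NULL AS VARCHAR2(400)), privilege, CAST(NULL AS VARCHAR2(128))
FROM   dba_sys_privs
WHERE  grantee = 'PEOPLE'
UNION ALL
SELECT 'ROLE', CAST(NULL AS VARCHAR2(400)), granted_role, CAST(NULL AS VARCHAR2(128))
FROM   dba_role_privs
WHERE  grantee = 'PEOPLE'
ORDER  BY 1, 2, 3;

-- 3. Who else can read the operator table? PUBLIC or unexpected grantees
--    here expose the same OPRID / EMAILID data through other accounts.
SELECT grantee, owner, privilege, grantable
FROM   dba_tab_privs
WHERE  table_name = 'PSOPRDEFN'
ORDER  BY grantee, privilege;
```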



Comments (6)
1. 02-08-2008 19:21
 
What are the implications of changing the people password for production? Will anything break? What are the things one should take care of while changing it?
Guest
 
DT
2. 02-16-2008 22:06
 
You also need to change the psappsrv.cfg for the app server and psprcs.cfg for the process scheduler, where you mention ConnectPswd= and you can encrypt it.
 
You need to have downtime when you change it.
Registered
 
PSADMIN
3. 02-19-2008 11:43
 
Also, if someone knows, they can use it to connect to the DB directly (2-tier) if they are not allowed to connect to the DB directly.
Guest
 
TedL
4. 02-19-2008 14:04
 
True.
Registered
 
RD
5. 09-11-2008 20:21
 
Hi, 
We are using the default password for people; however, I do not find PSOPRDEFN contents when I fire the select statement. What would be the reason?
Guest
 
RDX
6. 09-15-2008 11:26
 
If you see the details of user people, you will find that it has permission to select the PSOPRDEFN table. 
 
Run this query as system or sys on the database: 
 
Select BASE_OBJ,GRANTOR,PRIVNAME,COLNAME from KU$_OBJGRANT_VIEW where GRANTEE='PEOPLE';
Registered
 
RD

Last Updated ( Friday, 08 February 2008 )
© 2009 PSADMIN.org
PSAdmin.org is for & by the PeopleSoft Administrators to share their Experience.