Restrict remote DB connection from PERL

talashil · August 27, 2015, 1:27pm

I have PERL code to connect to Oracle database using DBI.

e.g.

$PERL -e "use DBI; DBI->connect(qw(DBI:Oracle:db111 testu testpass));"

by using DBI , if remote DB added to tnsnames.ora , I can connect using DBI . is there a way to restrict not to connect to remote DB using DBI ?

Thanks

jim_mcnamara · August 27, 2015, 3:58pm

This does not make much sense to me.

If a user has access to a database through code, and the user can develop & run his own code against the database then your security is the problem. PROD databases are not supposed to allow that. Block the user either at the source or at the oracle login.

Try:

move the user to another box that cannot access PROD or whatever
change tnsnames.ora - stop everyone
create two client oracle directory trees. The only difference is the tnsnames.ora in one tree does not allow the DB box/or users you want to block. Set up the problem user in a group, such that he uses the limited directory and cannot see the other. In other words effectively change ORACLE_HOME for him/her.

DBI used to require an ODBC license from oracle. Put the problem user in a group that cannot activate the license file. You can also remove/delete/uninstall the DBI code from the perl install. You can also put the DBI pm files in a directory some users cannot read. So they cannot excute perl DBI.

You know, if you told us what the actaul problem was instead of asking how to implement a really unusual off-the-wall kind of fix, we could help.

I'm sure you know that trying to block DBI acess to oracle from another server pretty much means nobody on the non-db server will be able to use it. You can disable DBI locally, on the remote server, not remotely on the DB server.