S 4.71 Restrictive handling of database links
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Database links (DB links) can be used to access the data of another database, possibly in a different DBMS, from a database within a DBMS. To guarantee adequate protection of this data, this technique should only be used when access to the data is regulated in a corresponding authorisation concept. This concept must contain rules specifying how to control the authorisations of a user when DB links are used, among other things.
For example, the authorisation concept may specify that a user should only be granted the right to access an external database if the same user ID used by the user to log in to the local database is present in the remote database. Additional protection is obtained when the option of explicitly specifying a user ID and a password is used when creating DB links.
The authorisation concept should include rules specifying the following in terms of DB links:
- In general, only the administrator should have the right to create DB links using the corresponding CREATE commands. This especially applies to DB links that are allowed to be used by all database users (referred to as PUBLIC DB links). In contrast, normal user IDs should not be granted authorisation to create DB links.
- The number of DB links that a user can use in parallel should be restricted so it is possible to keep the load on the database server under control (see S 4.73 Specifying upper limits for selectable data records). Otherwise, it is possible for an attacker to exploit the lack of restrictions to reduce the throughput of the database server or even to overload it completely.
- It is essential that the administrators document the DB links they create. The documentation should contain, amongst other information, the type of connection (i.e. whether it is established using a special user ID or whether it is assumed that the current database user ID also exists in the database to which the connection will be established), as well as which user groups are allowed to use the corresponding DB link.
Review questions:
- Is there an authorisation concept for the use of database links?
- Was the right to create database links only granted to the administrator?
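The rules and review questions above can be checked against the data dictionary. The following queries are an added example, not part of the original safeguard text; they assume an Oracle database (the safeguard itself names no DBMS) and a user ID that is allowed to read the DBA_* and V$ views.

```sql
-- Assumption: Oracle Database. Other DBMS expose the same facts under
-- different catalogue names.

-- 1. Who may create DB links? Direct grants to users and roles.
--    Expected result: administrator IDs / administrative roles only.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE DATABASE LINK',
                     'CREATE PUBLIC DATABASE LINK')
ORDER  BY privilege, grantee;

-- 2. Who receives those privileges indirectly through a role?
--    (One level of role nesting; repeat for nested roles.)
SELECT rp.grantee, rp.granted_role, sp.privilege
FROM   dba_role_privs rp
JOIN   dba_sys_privs  sp ON sp.grantee = rp.granted_role
WHERE  sp.privilege IN ('CREATE DATABASE LINK',
                        'CREATE PUBLIC DATABASE LINK')
ORDER  BY sp.privilege, rp.grantee;

-- 3. Inventory of existing DB links, to compare with the documentation.
--    OWNER = 'PUBLIC' marks a PUBLIC DB link usable by all database users.
--    USERNAME IS NULL means the link logs in to the remote database with
--    the user ID of the local session; otherwise a user ID was specified
--    explicitly when the link was created.
SELECT owner,
       db_link,
       host,
       username,
       CASE
         WHEN username IS NULL THEN 'user ID of local session'
         ELSE 'explicitly specified user ID'
       END AS connection_type,
       created
FROM   dba_db_links
ORDER  BY owner, db_link;

-- 4. Upper limit on DB links used in parallel.
--    open_links: concurrent open remote connections per session.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('open_links', 'open_links_per_instance');
```

Any row from queries 1 and 2 that names a normal user ID, and any link from query 3 that is missing from the administrators' documentation, is a deviation from the authorisation concept.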