UB Information Technology


Oracle Database Policy

Central Campus Web Hosting Service: Oracle Accounts Policy and Procedures

Overview: The Central Campus Web Hosting Service allows web developers to use an Oracle Database to store non-essential data.

Standards:
Upon request by a department head or node director, two Oracle accounts are created. One is a reader account, which has only read permissions. This is the account that should be used in all web-based programs. The second account is an admin account, which has create, insert, modify, and delete privileges. Both of these accounts are created in a user-specific tablespace and will not have access to any other tablespace or accounts. The reader account is given a quota of 2K. The admin account is given an initial quota of 10MB.

Process:
After receiving these two Oracle accounts, a web developer is asked to secure the directory where the code resides. While developing, all code should have the proper extensions (.cgi, .pl or .php). A web developer should never put a user/password in an .inc file or in any other file that can be rendered in a web browser. All users/passwords should be placed in files that are parsed by the web server. Before going live with a web-based program, the web developer should contact Wings (wings@buffalo.edu). The Wings team will check the developer's files for the proper extensions and permissions.

Securing User/Password files:

Option 1:
An include file is created in a separate directory tree, apart from the document root of the web server. This file would be owned by "nobody". The Wings team would create this file and send the web developer the proper path to use in Perl / PHP code.

Option 2:
If the configuration file is in the document root tree, then it should be in a password-protected branch of the document root, separate from the CGI/PHP code. You must authenticate to get at anything in this branch. In this directory, create an .htaccess file that contains:

order deny,allow
deny from all

In this case the file owner can be the web developer.
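
A developer can self-check a document root against the rules in Process and Option 2 before contacting Wings. The script below is an added example, not part of the policy or a Wings tool; the function names and the credential pattern are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the policy): list files under a document root that
# look like they hold database credentials but could be sent to a browser as
# plain text. Function names and the credential pattern are assumptions.

# is_denied FILE ROOT: succeed if FILE's directory, or a parent directory up
# to ROOT, has an .htaccess containing "deny from all" (Option 2).
is_denied() {
    dir=$(dirname "$1")
    while :; do
        if [ -f "$dir/.htaccess" ] &&
           grep -Eiq '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' "$dir/.htaccess"
        then
            return 0
        fi
        [ "$dir" = "$2" ] && return 1
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && return 1   # reached the filesystem root
        dir=$parent
    done
}

# audit_docroot ROOT: print "EXPOSED <path>" for each risky file.
audit_docroot() {
    root=${1%/}
    # Assumed pattern: a password assignment or a database connect call.
    grep -rlEi 'passw(or)?d[[:space:]]*=|oci_connect|DBI->connect' "$root" 2>/dev/null |
    sort |
    while IFS= read -r f; do
        case "$f" in
            */.htaccess) continue ;;           # access-control file itself
            *.cgi|*.pl|*.php) continue ;;      # parsed by the web server
        esac
        is_denied "$f" "$root" && continue     # protected branch
        echo "EXPOSED $f"
    done
}
```

An empty result only means this pattern found nothing; it does not check file ownership or permissions.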