RE: Would you recommend such an application for production use?

From: Goulet, Richard <Richard.Goulet_at_parexel.com>
Date: Thu, 18 Feb 2010 13:27:06 -0500
Message-ID: <6B0D50B70F12BD41B5A67F14F5AA887F0462ED89_at_us-bos-mx022.na.pxl.int>

Brother does this list ever produce mountains of messages in the blink of an eye!!

OK, so while creating objects in the sys schema is not the most brilliant thing to do it's not exactly totally unknown. There are a number of applications that I've come across that find it necessary to do so. Better to create a new schema, grant it appropriate privileges, and then create the objects therein. But that assumes some intelligence on the database level by the vendor, something drastically missing in most vendors.

Whether or not you use an application in production depends on a number of items that vary with each vendor. Many applications, especially monitoring ones where creating sys objects is prevalent, attempt to convince management that a trained DBA is no longer required. These I try to avoid/block at all costs, especially if the vendor is seriously being pushy.

Dick Goulet
Senior Oracle DBA/NA Team Lead
PAREXEL International

-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Martin Bach Sent: Wednesday, February 17, 2010 4:20 PM To: ORACLE-L
Subject: Would you recommend such an application for production use?

Dear listers,

I tried to come up with a good name for this post but couldn't. So here goes the story:

I have been asked to review a product that management is _very_ keen to deploy in production. Unfortunately before this can happen it has to go through a change management process which implies that "troublemakers" like me can raise their concerns that need addressing. For a change I have access to the source code of the application which makes it even more interesting.

I discovered a number of things I don't like but was wondering what you thought about these-maybe I'm just pedantic? Among the most terrifying ones are:

The installation script creates a user (default username = password) and grants select privileges on the dictionary to the new application user with grant option.

This is not too great but not too difficult to harden.

the installation script furthermore creates objects in the sys schema, namely create view foo as select * from someX$view

This is disturbing for me

the owner of the application schema grants almost complete access on its schema to public. The rationale is that the application needs to allow a user logging into the database through the frontend access to its schema

Now since the software is used for monitoring the health of a web application through the tiers-including Oracle-anyone with connect privileges could access these data...

Did anyone made a similar experience? What did you do?

Interested to hear comments!

Martin

--
http://www.freelists.org/webpage/oracle-l


--
http://www.freelists.org/webpage/oracle-l

Received on Thu Feb 18 2010 - 12:27:06 CST

This message: [ Message body ]
Next message: Taylor, Chris David: "RE: Oracle Client not passing Windows Domain portion of connect info ?"
Previous message: Igor Neyman: "Re: redo curiosity"
In reply to: Martin Bach: "Would you recommend such an application for production use?"
Next in thread: Jared Still: "Re: Would you recommend such an application for production use?"
Reply: Jared Still: "Re: Would you recommend such an application for production use?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message