
Re: V$ tables

From: Nuno Souto <nsouto_at_optushome.com.au.nospam>
Date: Sun, 16 Jun 2002 12:11:15 +1000
Message-ID: <3d0bf522$0$28005$afc38c87@news.optusnet.com.au>


In article <b352e1b3.0206150626.13124e4_at_posting.google.com>, you said (and I quote):

I thought we were talking development environments, hence my comments.

> There are problems with DBA_ views, you can get the passwords easily
> from dba_users,

Oh no you can't. Unless you know the undocumented ALTER USER. ;-) But even to use that you need special authorization, so there.

> you can look the password in db links easily from
> dba_db_links,

I think that one has been fixed since V8.0?

> you can spool data model from other schemas easily from
> dba_tables,

And that is a problem for developers?

> you can see audit from dba_audit* views etc etc etc.

Only if you audit your development database...

> It's
> about how do you want to secure your database, otherwise these user_,
> all_, dba_ views would not be separated
>

That is correct.

> Data in data dictionary can get or not very sensitive depending on
> your environments

Ditto.

>
> Regarding v$ views agree that some of them should be available to the
> developers but I would not say all of them neither.....

Most. There used to be a standard script that created synonyms for some of them for all users. That was the most relevant subset and didn't break any security. Can't remember its name: "*mon*.sql" of some sort, in $ORACLE_HOME/rdbms/admin?

>
> Maybe we will agree when someday someone's database is hacked :-)
>

Databases (from all makers) are hacked every day. Management just hasn't realized it. Database security in most cases is run by amateurs. Last time I hacked the system password for a DB2 database, it took me 30 minutes to get in! Probably take me less with Oracle, but then I know it a lot better than I know DB2. It's a sad state of affairs, but it's reality.
I've only seen three databases in all my life that were reasonably well locked out. Two belonged to the Reserve Bank of Australia and the third is military. The rest has been a sad joke. It's got nothing to do with the particular database maker and all to do with basic safety processes. I've tried to make many, many management layers aware of this problem, but do they even listen?

-- 
Cheers
Nuno Souto
nsouto_at_optushome.com.au.nospam
Received on Sat Jun 15 2002 - 21:11:15 CDT
