Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: OK to revoke privileges from SYS or DBA?

Re: OK to revoke privileges from SYS or DBA?

From: DA Morgan <damorgan_at_x.washington.edu>
Date: Sun, 05 Dec 2004 20:00:48 -0800
Message-ID: <1102305548.163819@yasure> 





Dave wrote:


> "DA Morgan" <damorgan_at_x.washington.edu> wrote in message 
> news:1102272986.366416_at_yasure...
> 




>>Tom wrote:

>>

>>

>>>I'm working on a project to secure a database for the government, and

>>>one of the recommendations from an analysis tool is to remove some

>>>privileges from SYS or DBA, namely privileges granted with the ADMIN

>>>option.

>>>

>>>Is it safe to change any of the privileges associated with the SYS

>>>user or DBA role?  Is this supported by Oracle?

>>>

>>>Thanks,

>>>

>>>Tom

>>

>>I'd drop the DBA role completely as that is what Oracle advises. It

>>exists, like CONNECT and RESOURCE solely for demonstration purposes

>>just as does SCOTT/TIGER.

>>

>>Dropping privs from SYS, if it is possible, is preposterous on its

>>face as anyone logged on as SYS could always grant them again at will.

>>If you want fool-proof security this is not the way to achieve it.

>>You can contact me off-line if you wish and are a U.S. person.

>>-- 

>>Daniel A. Morgan

>>University of Washington

>>damorgan_at_x.washington.edu

>>(replace 'x' with 'u' to respond)


> 
> 
> can you provide a link as to where oracle advise dropping the dba role > 





I've been asked this question before and tried to track down the
reference unsuccessfully. This time, perhaps due to having some
sleep over the weekend I was successful.



http://asktom.oracle.com/pls/ask/f?p=4950:8:9772908208972569857::NO::F4950_P8_DISPLAYID,F4950_P8_CRITERIA:7540675724395,



And it is a very long URL so make sure it doesn't break up.



You will note the statement from the OP:
I read your book and a article and read this quote where you have quoted 
that  "connect,resource and DBA should not be used in a system for 
security reasons".



If it is good enough for Tom Kyte ... it is good enough for me to
reference.  ;-)



I am a firm believe in dropping all three roles and creating new roles,
perhaps with the same names though I prefer not, that meet specifically
defined and documented requirements for employee activities. If you can
not document a need for a privilege it should not be granted. It may be
that no harm comes from it ... but no good can come of it either. So
better to err on the side of security.



And I'll go one step further while we are discussing security. Once a
production schema is built ... the CREATE and ALTER privileges such as
CREATE PROCEDURE and ALTER TABLE should be dropped.

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace 'x' with 'u' to respond)


Received on Sun Dec 05 2004 - 22:00:48 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US