Oracle FAQ | Your Portal to the Oracle Knowledge Grid
Re: OK to revoke privileges from SYS or DBA?
DA Morgan wrote:
> > egrep -i 'grant ' *.* | egrep -i ' (connect|resource)( |,)'
> > a0801070.sql: execute immediate 'GRANT DEBUG CONNECT SESSION TO JAVADEBUGPRIV';
> > c0703040.sql: 'grant connect, resource, execute any procedure to outln',
> > c0800050.sql: 'grant connect, resource, execute any procedure to outln',
> > catqm.sql:grant resource to xdb;
> > catsnmp.sql:grant connect to OEM_MONITOR;
> > catsnmp.sql:grant resource to OEM_MONITOR;
> > catsnmp.sql:grant CONNECT, SELECT ANY DICTIONARY to DBSNMP;
> > catxdbr.sql:Rem nagarwal 11/05/01 - grant DML privileges to resource view
> > csminst.sql:grant connect, resource, dba to csmig
> > dbmslsby.sql:Rem jnesheiw 07/23/02 - grant connect, resource to logstdby_administrator
> > dbmslsby.sql:GRANT CONNECT, RESOURCE TO logstdby_administrator;
> > jvmsec5.sql:GRANT DEBUG CONNECT SESSION TO JAVADEBUGPRIV;
> > migrate.bsq:grant connect, resource, dba to migrate identified by migrate;
> > owmctab.plb:grant connect, resource, create public synonym, drop public synonym, create role to wmsys;
> > owmu901.plb:grant connect, resource, create public synonym, drop public synonym to wmsys;
> > prvtbiau.plb:1 GRANT CONNECT THROUGH :
> > sql.bsq:grant connect to outln
> > sql.bsq:grant resource to outln
> > utlsampl.sql:GRANT CONNECT,RESOURCE,UNLIMITED TABLESPACE TO SCOTT IDENTIFIED BY TIGER;
> >
> > Anurag
>
> Because they are security holes. Perhaps it is just me but I read
> scripts before I run them and edit them where appropriate.
I pointed out that the CTXSYS scripts use the roles you mention. Anurag points out
sql.bsq
uowmu901.plb a0801070.sql c0703040.sql c0800050.sql
migrate.bsq owmctab.plb owmu901.plb
I just can't see that it is defensible to edit these scripts in the way you describe. You'd have to edit sql.bsq to do it correctly and ensure all subsequent scripts got changed appropriately (including, as Anurag points out, the users that depend upon wrapped scripts). It clearly would leave you with an unsupported system, even if you were lucky enough to get away with setting your new roles up with the appropriate privs. In a security-conscious environment it makes no sense to have a system that you can't support, and possibly can't patch or upgrade.
> I absolutely fail to see why anyone would grant CONNECT knowing it
> is giving each and every end user the ability to create a database
> link. It may not be a problem where many of you work ... but in a
> security conscious environment ... it just makes no sense: At least
> to me.
That is an entirely different, and reasonable, argument. Of course, good
practice is not to grant connect but a user-defined role with
appropriate rights. Good practice is not to grant elevated OS
privileges to people; it doesn't mean that the privileges get removed
from the OS - it means they get used appropriately. Exactly the same
applies here. The 'existence' of powerful privileges is not a security
hole; the inappropriate grant and use of them is.
Niall Litchfield
Oracle DBA
http://www.niall.litchfield.dial.pipex.com
Received on Tue Dec 07 2004 - 05:02:42 CST
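The thread's practical conclusion is to leave CONNECT and RESOURCE in place (Oracle's own installation scripts, as Anurag's grep shows, depend on them) but to stop handing them to end users and grant a purpose-built role instead. The following Oracle SQL, added here as an illustration and not taken from the thread or from any poster, shows how a DBA would audit what those roles carry and who holds them, then swap CONNECT for a minimal role on one account. It assumes a DBA-privileged session; APP_USER_ROLE and APP_USER are placeholder names. In releases before 10.2, CONNECT included privileges such as CREATE DATABASE LINK, CREATE TABLE and CREATE VIEW; from 10.2 onward it holds only CREATE SESSION, so step 1 tells you which situation you are in.

```sql
-- Added example, not from the thread. Run as a DBA-privileged user.

-- 1. What do CONNECT and RESOURCE actually carry on this release?
--    DBA_SYS_PRIVS lists system privileges granted to users and to roles.
SELECT grantee AS role_name, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee IN ('CONNECT', 'RESOURCE')
ORDER  BY grantee, privilege;

-- 2. Which accounts hold either role directly today?
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('CONNECT', 'RESOURCE')
ORDER  BY grantee, granted_role;

-- 3. Replace CONNECT on an ordinary end-user account with a role that
--    carries only what a session needs. APP_USER_ROLE and APP_USER are
--    placeholder names for this example.
CREATE ROLE app_user_role;
GRANT CREATE SESSION TO app_user_role;
GRANT app_user_role TO app_user;
REVOKE CONNECT FROM app_user;

-- 4. Verify: list the system privileges APP_USER reaches through its
--    directly granted roles (one level of role nesting). CREATE DATABASE
--    LINK should no longer appear once CONNECT is gone.
SELECT rp.grantee, rp.granted_role, sp.privilege
FROM   dba_role_privs rp
JOIN   dba_sys_privs  sp ON sp.grantee = rp.granted_role
WHERE  rp.grantee = 'APP_USER'
ORDER  BY rp.granted_role, sp.privilege;
```

Step 2 is the one to repeat periodically: it is the cheap check for whether a later install or application script has quietly granted CONNECT or RESOURCE to a human account again. Step 4 only follows roles one level deep; for roles granted to roles, run the same join against each granted role, or use a recursive query.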