
Re: OK to revoke privileges from SYS or DBA?

From: Anurag Varma <avdbi_at_hotmail.com>
Date: Wed, 08 Dec 2004 03:24:35 GMT
Message-ID: <Ttutd.38705$1u.21668@twister.nyroc.rr.com>

"Denis Do" <nospam.denisdo_at_yahoo.com> wrote in message news:slrncrcpki.3q4.nospam.denisdo_at_denisdo.news.google.com...
> On 2004-12-07, DA Morgan <damorgan_at_x.washington.edu> wrote:
> > Thanks but having been corrected by Tom and reviewing it I agree that
> > the DBA role should not be dropped ... but also should not be assigned.
> > I too work in a high-security environment and am aware of break-ins and
> > break-in attempts using the default roles. I do believe CONNECT and
> > RESOURCE should be dropped or at least heavily pruned.
> >
> > Then again I also don't install Oracle with a user account named Oracle.
> > Don't create groups named oinstall and dba on *NIX platforms and don't
> > use port 1521 so I guess that puts me well outside the curve.
>
> This comment makes a good point.
> Please consider the fact, that I am talking about HIGHLY secure
> Oracle installation (that was a question in original post, wasn't it?)
>
> Obviously, I do not delete DBA, resource and connect for average server,
> working behind firewalls etc. In such situation everything you guys told here is
> 100% true.
>
> But please see my point as well - if you want security - you must (and will) pay for it.
> The more secure site - the less "out of the box" features you have and
> less convenient your administrating day-by-day activity.
>
> Are you really talking seriously about stored outlines, WM etc in highly secure system?
> If you do - you are wrong, and any security specialist will confirm it.
> In such system absolutely NO NEW FEATURES are installed after "golive date", no new
> scripts run by DBA without supervision and nobody knows full password - just part of it.
> And as for me, if you log into that system as SYSDBA, you will find there only 1/3 of
> standard Oracle dictionary. Not even talking about DBMS_x packages etc.
>
> YES, it IS unsupported and "risky", and 2/3 of cool latest Ora features will not work there,
> yes - this DB is supposed to run ONLY pre-defined and tested subset of SQL statements and
> pl/sql code - so what? That is the price you pay for real security.
> And obviously, it is NOT recommended for public:_)
>
> Just another point - I do respect all your opinions and never thought to try argue with you
> - I am just demonstrating absolutely "untypical" configuration for highly-secure systems.
> And, maybe it is a surprise :_) - but I do have some servers running with DELETED DBA role.
>
> They even report themselves as Ms SQL 2000 when you query v$version :-))
> (that was a joke, sorry :-)
>
> Please do not consider my post as offensive - it is my own IMHO :-)

Right! It's so highly secure that you can't stop telling us the details. A little more prodding and I think you'll tell us the special sys password you chose for it also.

:) I'm just joking.

But seriously, I don't care whether you are running a database with the dba role dropped. The question is not about it being possible or not .. but the sanity of the suggestion as a generic advice for everybody! The comment by Daniel was generic. After all, his create database example on his site explicitly directs creating a database and then dropping the DBA role. I'm just wasting my time trying to make clear that this is not a normal thing to do.

Anurag

Received on Tue Dec 07 2004 - 21:24:35 CST
