
Re: Select Any Table : Pros and Cons.

From: Pete Finnigan <oracle_list_at_peterfinnigan.demon.co.uk>
Date: Mon, 17 May 2004 10:16:34 +0100
Message-ID: <S$TYFgAyLIqABxC4@peterfinnigan.demon.co.uk>


Hi Nik

It depends on the version of course, but if you grant select any table to developers on an 8.1.7 database the default setting of o7_dictionary_accessibility will be true, and granting this privilege will allow them to see sys.user$, which holds password hashes that could then be cracked offline. The same goes for sys.user_history$ and dba_users (although other roles grant select on this), and sys.link$ can have clear text passwords for other databases. From 9i o7_dictionary_accessibility is false, so dictionary access is not possible unless select any dictionary is granted or direct grants are given or connect "as sysdba". From the perspective of non-dictionary access, it depends on how sensitive your data is as to whether your developers should be able to read it all. In general no privileges with the word "ANY" in them should be granted. See a couple of good security checklists on my site at http://www.petefinnigan.com/orasec.htm for some guidelines on securing Oracle.

kind regards

Pete
--

Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.



Received on Mon May 17 2004 - 06:24:59 CDT
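
An added example, not part of the message above: one way to audit a database for the exposure the reply describes, run from a DBA account. It uses the standard views V$PARAMETER, DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS and DBA_TAB_PRIVS; the excluded grantees in query 2 are an assumption to adjust per site.

```sql
-- 1. Does holding an ANY privilege also reach SYS-owned objects?
--    TRUE means SELECT ANY TABLE can read sys.user$, sys.link$, etc.
SELECT name, value
FROM   v$parameter
WHERE  LOWER(name) = 'o7_dictionary_accessibility';

-- 2. Every system privilege with the word ANY in it, and who holds it.
--    The NOT IN list is an assumed set of expected holders; edit to suit.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '% ANY %'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;

-- 3. Users who can read any table or the dictionary, whether the
--    privilege was granted directly or reaches them through roles.
SELECT grantee AS username, 'direct grant' AS how
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY TABLE', 'SELECT ANY DICTIONARY')
AND    grantee IN (SELECT username FROM dba_users)
UNION
SELECT grantee, 'via role'
FROM   dba_role_privs
WHERE  grantee IN (SELECT username FROM dba_users)
START  WITH granted_role IN
       (SELECT grantee
        FROM   dba_sys_privs
        WHERE  privilege IN ('SELECT ANY TABLE', 'SELECT ANY DICTIONARY'))
CONNECT BY PRIOR grantee = granted_role;

-- 4. Direct object grants on the dictionary objects named in the reply,
--    which expose them even when o7_dictionary_accessibility is FALSE.
SELECT grantee, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('USER$', 'USER_HISTORY$', 'LINK$', 'DBA_USERS')
ORDER  BY table_name, grantee;
```

Any row from query 3 on a database where query 1 returns TRUE identifies an account that can read the password hashes in sys.user$.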