Oracle FAQ Your Portal to the Oracle Knowledge Grid
RE: Password for sys, system account - Uncooperative client

From: Terrian, Tom (Contractor) (J6D) <Tom.Terrian_at_dla.mil>
Date: Thu, 9 Jun 2005 15:43:01 -0400
Message-ID: <F3EF9FC54251FA478242768691D3A7FA0B681898@DAY1S-DAS2.USE7.AD.DLA.MIL>


Am I missing something? How does someone with select any dictionary get to see the link passwords?

SQL> create user user1 identified by asdf_1234;
User created.

SQL> grant select any dictionary to user1;
Grant succeeded.

SQL> grant create session to user1;
Grant succeeded.

SQL> connect user1/asdf_1234;
Connected.

SQL> desc sys.link$;

 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 OWNER#                                    NOT NULL NUMBER
 NAME                                      NOT NULL VARCHAR2(128)
 CTIME                                     NOT NULL DATE
 HOST                                               VARCHAR2(2000)
 USERID                                             VARCHAR2(30)
 PASSWORD                                           VARCHAR2(30)
 FLAG                                               NUMBER
 AUTHUSR                                            VARCHAR2(30)
 AUTHPWD                                            VARCHAR2(30)

SQL> select * from sys.link$;
select * from sys.link$
                *
ERROR at line 1:
ORA-01031: insufficient privileges

-----Original Message-----

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Reidy, Ron
Sent: Thursday, June 09, 2005 2:31 PM
To: John P Weatherman; oracle-l_at_freelists.org
Subject: RE: Password for sys, system account - Uncooperative client

Sorry for getting back to this one so late...

The issue is that select any dictionary overrides the O7_DICTIONARY_ACCESSIBILITY parameter. It gives access to (among others):

  1. LINK$ - passwords in clear text
  2. DBA_USERS - access to the password hash. Admittedly, not easy/possible to crack, but access is given none the less.

Regardless of what OEM requires/demands, this privilege is not one to grant lightly. Actually, if one looks closely, use of this privilege in OEM looks to be the lazy way of granting access to the objects for the application to work properly.

My $0.02



Ron Reidy
Lead DBA
Array BioPharma, Inc.
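An added check, not part of the thread and not from any of its participants, that a DBA can run to see whether the exposure Ron describes applies to a given instance: what O7_DICTIONARY_ACCESSIBILITY is set to, who holds SELECT ANY DICTIONARY directly or through a (possibly nested) role, and the narrower grant for a monitoring or tuning account, SELECT_CATALOG_ROLE, which covers the DBA_* and V$ views without opening SYS base tables such as LINK$. The account name MONITOR_USR, its password and its grant list are assumptions for illustration.

```sql
-- Added example (not from the thread). Run as a DBA.

-- 1. Is the wall between SELECT ANY TABLE and the SYS base tables up?
--    FALSE is the hardened setting; SELECT ANY DICTIONARY reaches past it regardless.
SELECT name, value
  FROM v$parameter
 WHERE UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- 2. Who holds SELECT ANY DICTIONARY directly? (Both users and roles appear here.)
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY DICTIONARY'
 ORDER BY grantee;

-- 3. Who ends up with it through a role, including nested roles?
--    Walk the role graph from each account down to a role that holds the privilege.
SELECT DISTINCT CONNECT_BY_ROOT grantee AS account,
       granted_role            AS role_holding_privilege,
       LEVEL                   AS depth
  FROM dba_role_privs
 WHERE granted_role IN (SELECT grantee
                          FROM dba_sys_privs
                         WHERE privilege = 'SELECT ANY DICTIONARY')
 START WITH grantee IN (SELECT username FROM dba_users)
CONNECT BY NOCYCLE PRIOR granted_role = grantee
 ORDER BY account, depth;

-- 4. The narrower grant for a monitoring/tuning account (MONITOR_USR is hypothetical).
--    SELECT_CATALOG_ROLE exposes the DBA_* and V$ views that tuning and monitoring
--    tools query, without granting SELECT on SYS.LINK$ and the other base tables.
CREATE USER monitor_usr IDENTIFIED BY "Ch4nge-Me-Now";
GRANT CREATE SESSION, SELECT_CATALOG_ROLE TO monitor_usr;

-- 5. Cross-check from that account: the link metadata a monitor needs is still
--    visible through the catalog view, while the base table is not.
--    SELECT owner, db_link, username, host FROM dba_db_links;  -- works
--    SELECT * FROM sys.link$;                                   -- ORA-01031
```

Step 3 is the one most audits miss: a role granted to a role granted to a user carries the privilege just as a direct grant does, and `dba_sys_privs` alone will not show the user. Step 4 is the least-privilege alternative to the OEM-style grant discussed above; it does not change what `DBA_USERS` exposes, so the password-hash point still stands for any account that can read that view.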

-----Original Message-----

From: John P Weatherman [mailto:asahoshi_at_infionline.net]
Sent: Thursday, June 09, 2005 9:36 AM
To: Reidy, Ron; oracle-l_at_freelists.org
Subject: RE: Password for sys, system account - Uncooperative client

Ron,

I read the article and see where it says not to grant it, but I do not see anything about it "subverting" anything. Rather it seems to be a concern that this may be more privilege than is needed and so violates the "least privilege principle". I wouldn't want to generally grant this or any "ANY" privilege, but I still do not see a specific risk to granting admins/consultant admins this level of view privilege. Are you able to use this to 1) see actual company data and not just the dictionary views or 2) update anything? If not, what is the specific concern? What am I missing?

Thanks!

-----Original Message-----

From: "Reidy, Ron" <Ron.Reidy_at_arraybiopharma.com>
Sent: Jun 9, 2005 10:59 AM
To: asahoshi_at_infionline.net, oracle-l_at_freelists.org
Subject: RE: Password for sys, system account - Uncooperative client

Because it subverts a security setting. See http://www.petefinnigan.com/weblog/archives/00000009.htm



Ron Reidy
Lead DBA
Array BioPharma, Inc.

-----Original Message-----

From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of John P Weatherman
Sent: Thursday, June 09, 2005 8:54 AM
To: oracle-l_at_freelists.org
Subject: RE: Password for sys, system account - Uncooperative client

While I totally agree that sys and system don't need to be given to anyone other than the primary DBA and then sealed in an envelope hidden away in a safe, I am not so clear on why granting select any dictionary is as big a concern. As far as I know, this only allows view access to the data dictionary, which pretty much anyone doing any tuning or monitoring probably needs. Even OEM assumes a non-sys/non-system account with this level of privilege which is used for monitoring. Is there a specific reason not to let people have select any dictionary?

Just curious.

-----Original Message-----

From: "Goulet, Dick" <DGoulet_at_vicr.com>
Sent: Jun 9, 2005 10:35 AM
To: ranko.mosic_at_gmail.com, oracle-l_at_freelists.org
Subject: RE: Password for sys, system account - Uncooperative client

Assuming that you made the request of the client using the same tone as here, I'm not surprised. Why do you need an account with such privileges? In general NO one outside of the DBA group here has access to SYS or SYSTEM, including internal folks.

Dick Goulet
Senior Oracle DBA
Vicor Corporation
Andover, MA USA

-----Original Message-----

From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Ranko Mosic
Sent: Thursday, June 09, 2005 10:27 AM
To: oracle-l_at_freelists.org
Subject: Password for sys, system account - Uncooperative client

Hi all,
I need the password for an account with select dictionary privileges - the client is not too cooperative.

Regards, Ranko.
--

http://www.freelists.org/webpage/oracle-l



He has showed you, O man, what is good. And what does=20 the LORD require of you? To do justice and to love mercy=20 and to walk humbly with your God.=20 Micah 6:8


This electronic message transmission is a PRIVATE communication which contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender of the delivery error by replying to this message, or notify us by telephone (877-633-2436, ext. 0), and then delete it from your system.





Received on Thu Jun 09 2005 - 15:52:30 CDT
