RE: Would you recommend such an application for production use?

From: Joel Slowik <jslowik_at_cps92.com>
Date: Wed, 17 Feb 2010 16:27:29 -0500
Message-ID: <7FCAE6F848605649B090362F7C518C4802923DA2_at_cpsexchange.cps92.com>

"• the owner of the application schema grants almost complete access on its schema to public. The rationale is that the application needs to allow a user logging into the database through the frontend access to its schema"

We have had the same setup here. The work-around was to create a role that is granted to most users.

> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-
> bounce_at_freelists.org] On Behalf Of Martin Bach
> Sent: Wednesday, February 17, 2010 4:20 PM
> To: ORACLE-L
> Subject: Would you recommend such an application for production use?
>
> Dear listers,
>
> I tried to come up with a good name for this post but couldn't. So here
> goes the story:
>
> I have been asked to review a product that management is _very_ keen to
> deploy in production. Unfortunately before this can happen it has to go
> through a change management process which implies that "troublemakers"
> like me can raise their concerns that need addressing. For a change I
> have access to the source code of the application which makes it even
> more interesting.
>
> I discovered a number of things I don't like but was wondering what you
> thought about these-maybe I'm just pedantic? Among the most terrifying
> ones are:
>
> - The installation script creates a user (default username = password)
> and grants select privileges on the dictionary to the new application
> user with grant option.
>
> This is not too great but not too difficult to harden.
>
> - the installation script furthermore creates objects in the sys schema,
> namely create view foo as select * from someX$view
>
> This is disturbing for me
>
> - the owner of the application schema grants almost complete access on
> its schema to public. The rationale is that the application needs to
> allow a user logging into the database through the frontend access to
> its schema
>
> Now since the software is used for monitoring the health of a web
> application through the tiers-including Oracle-anyone with connect
> privileges could access these data...
>
> Has anyone had a similar experience? What did you do?
>
> Interested to hear comments!
>
> Martin
> --
> http://www.freelists.org/webpage/oracle-l
>


--
http://www.freelists.org/webpage/oracle-l
Received on Wed Feb 17 2010 - 15:27:29 CST
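As an added example that is not part of the thread: Oracle SQL a DBA could run to audit the three grant patterns Martin lists (dictionary grants with GRANT OPTION, grants to PUBLIC, objects created in SYS) and to apply the role-based work-around Joel describes. APPOWNER, APP_END_USER and the role name are placeholders, not names from the thread.

```sql
-- Added example (not from the thread). APPOWNER and APP_END_USER are
-- placeholder names; substitute the real application schema and account.
-- Run as a DBA (needs SELECT on the DBA_* views and V$DATABASE).

-- 1. Dictionary objects the application user can read AND re-grant
--    (the "select on the dictionary ... with grant option" finding).
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee   = 'APPOWNER'
   AND owner     = 'SYS'
   AND grantable = 'YES';

-- 2. Objects the application schema has exposed to PUBLIC, i.e. to
--    every account that merely holds CREATE SESSION.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'APPOWNER';

-- 3. Views created in the SYS schema after the database was built.
--    Patches add such views too, so review the list instead of treating
--    every row as a finding.
SELECT o.object_name, o.created
  FROM dba_objects o
 WHERE o.owner       = 'SYS'
   AND o.object_type = 'VIEW'
   AND o.created     > (SELECT created FROM v$database)
 ORDER BY o.created;

-- 4. Remediation along the lines of Joel's reply: move the PUBLIC grants
--    onto a role, grant the role to the accounts the frontend logs in
--    with, then revoke from PUBLIC. The SELECT generates the statements
--    so they can be reviewed before they are executed; run the GRANTs
--    before the REVOKEs so legitimate users never lose access.
CREATE ROLE appowner_access;

SELECT 'GRANT '  || privilege || ' ON ' || owner || '.' || table_name
       || ' TO appowner_access;'                      AS grant_stmt,
       'REVOKE ' || privilege || ' ON ' || owner || '.' || table_name
       || ' FROM PUBLIC;'                             AS revoke_stmt
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'APPOWNER';

GRANT appowner_access TO app_end_user;
```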