RE: Default user permissions
Date: Tue, 8 Nov 2011 12:13:34 -0600
I was not (yet) aware of that one.
Sometimes I swear that half of the people at Oracle Corp have absolutely no idea what anyone else is doing - or why. Another security-related example is that in Oracle 10.2.0.3 (at least), AUDIT_TRAIL=XML did not write LOGOFF_TIME (or the logoff action and time), LOGOFF_LREAD, LOGOFF_PREAD, LOGOFF_LWRITE, LOGOFF_DLOCK or SESSION_CPU when the session exited. When I noticed this, I filed a TAR/SR. The first response was "So what? This isn't security related." After I pointed out that knowing when a session was connected and when it was not connected is definitely security-related, they grudgingly created a bug report (5081050) and a patch - to capture the session logoff time only. As of 184.108.40.206 at least, you still cannot get the rest in XML, although they are all still available for AUDIT_TRAIL=OS or DB.
PS: Resource is far worse and has caused a lot of consternation/confusion over the years. Create a user, grant resource to it, then "alter user ... quota 0 on SYSTEM", then have them create a table in the SYSTEM tablespace. (No problem. ) I wonder when someone who has no idea about this one will incorporate the resource role in some new feature...
Don Granaman | Phone: 402-361-3073 | Cell: 402-960-6955 | Fax: 402-361-3173 | Solutionary | Relevant . Intelligent . Security
From: Paul Drake [mailto:bdbafh_at_gmail.com]
Sent: Tuesday, November 08, 2011 11:30 AM
To: Don Granaman
Cc: Leo.Drobnis_at_dealertrack.com; ORACLE-L Subject: Re: Default user permissions
... and what privilege was introduced with 11g in order to support access control lists for packages such as utl_tcp, utl_smtp?
On Tue, Nov 8, 2011 at 12:21 PM, Don Granaman <DonGranaman_at_solutionary.com<mailto:DonGranaman_at_solutionary.com>> wrote: It is been the advice of Oracle Corp and the security community for many years to NOT use the connect and resource roles. In older versions of Oracle prior to 10g, the CONNECT role granted a LOT more than "create session". If you want to grant "create session", do so - and avoid using these roles altogether.
RESOURCE is worse. Even in 10g, it grants unlimited tablespace.
Don Granaman | Phone: 402-361-3073<tel:402-361-3073> | Cell: 402-960-6955<tel:402-960-6955> | Fax: 402-361-3173<tel:402-361-3173> | Solutionary | Relevant . Intelligent . Security
From: oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org> [mailto:oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org>] On Behalf Of Leo Drobnis Sent: Tuesday, November 08, 2011 9:44 AM To: ORACLE-L
Subject: Default user permissions
I am a bit puzzled, maybe I am getting rusty.
I need to create a user with bare minimum permissions:
CREATE USER bb_stage
IDENTIFIED BY "password"
DEFAULT TABLESPACE users
TEMPORARY TABLESPACE TEMP; GRANT CONNECT TO bb_stage;
ALTER USER bb_stage QUOTA UNLIMITED ON "USERS";
Connect role only has create session.
Public has no privileges.
However the newly created user can create and drop tables.
I am trying to find where it's coming from.
http://www.freelists.org/webpage/oracle-l Received on Tue Nov 08 2011 - 12:13:34 CST