Home -> Mailing Lists -> Oracle-L -> RE: Default user permissions

RE: Default user permissions

From: Don Granaman <DonGranaman_at_solutionary.com>
Date: Tue, 8 Nov 2011 12:13:34 -0600
Message-ID: <FD98CB0EE75EEA438CAF4DA2E6071C420EAD4F8EA7_at_MAIL.solutionary.com> 





I was not (yet) aware of that one.


Sometimes I swear that half of the people at Oracle Corp have absolutely no idea what anyone else is doing - or why.   Another security-related example is that in Oracle 10.2.0.3 (at least), AUDIT_TRAIL=XML did not write LOGOFF_TIME (or the logoff action and time),  LOGOFF_LREAD, LOGOFF_PREAD, LOGOFF_LWRITE, LOGOFF_DLOCK or SESSION_CPU when the session exited.  When I noticed this, I filed a TAR/SR.  The first response was "So what?  This isn't security related."  After I pointed out that knowing when a session was connected and when it was not connected is definitely security-related, they grudgingly created a bug report (5081050) and a patch - to capture the session logoff time only.  As of 11.2.0.3 at least, you still cannot get the rest in XML, although they are all still available for AUDIT_TRAIL=OS or DB.



PS: Resource is far worse and has caused a lot of consternation/confusion over the years.  Create a user, grant resource to it, then "alter user ... quota 0 on SYSTEM", then have them create a table in the SYSTEM tablespace.  (No problem. )  I wonder when someone who has no idea about this one will incorporate the resource role in some new feature...



Don Granaman | Phone: 402-361-3073 | Cell: 402-960-6955 | Fax: 402-361-3173 | Solutionary | Relevant . Intelligent . Security



From: Paul Drake [mailto:bdbafh_at_gmail.com]
Sent: Tuesday, November 08, 2011 11:30 AM
To: Don Granaman


Cc: Leo.Drobnis_at_dealertrack.com; ORACLE-L
Subject: Re: Default user permissions



Don,



... and what privilege was introduced with 11g in order to support access control lists for packages such as utl_tcp, utl_smtp?



"its baaaack".



connect.



Brilliant.



Paul


On Tue, Nov 8, 2011 at 12:21 PM, Don Granaman <DonGranaman_at_solutionary.com<mailto:DonGranaman_at_solutionary.com>> wrote:
It is been the advice of Oracle Corp and the security community for many years to NOT use the connect and resource roles.  In older versions of Oracle prior to 10g, the CONNECT role granted a LOT more than "create session".  If you want to grant "create session", do so - and avoid using these roles altogether.



RESOURCE is worse.  Even in 10g, it grants unlimited tablespace.




Don Granaman | Phone: 402-361-3073<tel:402-361-3073> | Cell: 402-960-6955<tel:402-960-6955> | Fax: 402-361-3173<tel:402-361-3173> | Solutionary | Relevant . Intelligent . Security




-----Original Message-----



From: oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org> [mailto:oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org>] On Behalf Of Leo Drobnis
Sent: Tuesday, November 08, 2011 9:44 AM
To: ORACLE-L


Subject: Default user permissions


I am a bit puzzled, maybe I am getting rusty.




I need to create a user with bare minimum permissions:





CREATE USER bb_stage



IDENTIFIED BY "password"



DEFAULT TABLESPACE users



TEMPORARY TABLESPACE TEMP;


GRANT CONNECT TO bb_stage;



ALTER USER bb_stage QUOTA UNLIMITED ON "USERS";





Connect role only has create session.



Public has no privileges.





However the newly created user can create and drop tables.





I am trying to find where it's coming from.





Any idea???




--



http://www.freelists.org/webpage/oracle-l



--



http://www.freelists.org/webpage/oracle-l





--



http://www.freelists.org/webpage/oracle-l
Received on Tue Nov 08 2011 - 12:13:34 CST












Original text of this message