Re: FLASHBACK ANY TABLE

From: Kumar Madduri <ksmadduri_at_gmail.com>
Date: Wed, 18 Mar 2015 07:56:09 -0700
Message-ID: <CAHDOOG5xT+ynrkxf_wJsEXr3071tccUP1xFy2OPV=Cx4EhhRBw_at_mail.gmail.com>

Thanks Mark. I have raised those points as well with my manager. The problem is the developers get approvals from 'directors' who think they are technical and don't like to be questioned by the DBAs. I still do and get in to bad books :)

On Wed, Mar 18, 2015 at 7:21 AM, MARK BRINSMEAD <mark.brinsmead_at_gmail.com> wrote:

> Security considerations aside (and they *are* completely valid
> considerations), you should probably talk to the developers and find out
> exactly what they are thinking, and WHY they think the need to be able to
> flashback tables.
>
> Is this a feature that they plan to rely on in their code? Do they
> understand that it is not guaranteed to work? (It will fail if you don't
> have enough UNDO on hand to reach the requested SCN.) Do they have a plan
> for dealing with it when it *does* fail? Have they considered how this
> might affect concurrency?
>
> Your developers may be rock-solid and know exactly what they are doing and
> why they are doing it. In my own experience, though, I have rarely (but
> sometimes!) found that to be the case. :-)
>
>
> On Wed, Mar 18, 2015 at 8:09 AM, Brent Day <coloradodba_at_gmail.com> wrote:
>
>> Kumar,
>>
>> You are right - this is a security risk and my recommendation would be to
>> never grant any "ANY" system privileges. There have been many easily
>> exploitable privilege escalations bugs around the "ANY" grants. While many
>> of these have been fixed provided you keep up with CPU/PSU patching. The
>> flashback any privilege in the past had problems - see CVE-2012-1751. While
>> this has been fixed you just never know when some patch or upgrade may
>> break this again.
>>
>> As a general rule we do not allow any user or application account to have
>> any of the ANY system privileges.
>>
>> If I was in your position I would get with the developers and find out
>> what they are trying to accomplish and maybe find an alternative method to
>> meet the requirements without granting flashback any.
>>
>> Hope that helps.
>>
>> Brent
>>
>>
>>
>> On Wed, Mar 18, 2015 at 5:50 AM, Kumar Madduri <ksmadduri_at_gmail.com>
>> wrote:
>>
>>> Hello:
>>> Our developers have requested flashback any table to be given to apps
>>> (in an ebusiness environment). They would not have the apps password in
>>> production. I think they are using it to build some feature in a custom
>>> app.
>>> Regardless of their motivation, I think this is a security risk because
>>> why would a developer want this privilege in a production environment.
>>>
>>> I cant think like a hacker but it does not sound right to me.
>>> Want to confirm with the list if I am missing something ?
>>>
>>> Thank you
>>> Kumar
>>>
>>
>>
>

--
http://www.freelists.org/webpage/oracle-l

Received on Wed Mar 18 2015 - 15:56:09 CET

This message: [ Message body ]
Next message: MARK BRINSMEAD: "Re: FLASHBACK ANY TABLE"
Previous message: Chris Taylor: "List of Oracle delivered database usernames?"
Maybe in reply to: Kumar Madduri: "FLASHBACK ANY TABLE"
Next in thread: MARK BRINSMEAD: "Re: FLASHBACK ANY TABLE"
Reply: MARK BRINSMEAD: "Re: FLASHBACK ANY TABLE"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message