Re: grant create any directory to schema

From: Andrew Kerber <andrew.kerber_at_gmail.com>
Date: Mon, 21 Dec 2015 19:54:02 -0600
Message-Id: <BEFE9792-0468-4776-BF7F-F0C36A0CBAE9_at_gmail.com>

Yes it will be. Unfortunately your average auditor doesn't have the skill set to understand whether or not it really is a security problem.

Sent from my iPad

> On Dec 21, 2015, at 7:07 PM, rob <rob_at_oraclewizard.com> wrote:
>
> I definitely agree withave MJ. %ANY% privileges will be a finding during an audit.
>
> Rob
>
>
>
> Sent from my T-Mobile 4G LTE Device
>
>
> -------- Original message --------
> From: MJ Mody <emjay.mody_at_gmail.com>
> Date: 12/21/2015 7:32 PM (GMT-05:00)
> To: backseatdba_at_gmail.com
> Cc: oracle-l_at_freelists.org
> Subject: Re: grant create any directory to schema
>
> A similar question was asked to me as part of an interview for an IS Auditor position. My response was to create multiple directories and grant read, write privileges as needed on a per user basis. This goes inline with least privilege access model.
> You are definitely right about the security and if your firm gets audited, this would end up as a finding as ANY privileges are recommended to be hardened.
>
> Best
> MJ
>
> > On Dec 21, 2015, at 6:20 PM, Jeff Chirco <backseatdba_at_gmail.com> wrote:
> >
> > I have some developers that want to give the CREATE ANY DIRECTORY privilege to a schema (a locked schema in production). They reason is because they would like to use the same directory name but change its location based on the OS user that is logged in. So a file will get read or created in that users home directory.
> > To me this seems like a security issue because then in Test/Dev a programmer could change the code to point at any directory they wanted to read potential sensitive data.
> > Has anybody dealt with something like this? Is there a way to restrict them (by user) to only creating a directory within a certain folder structure?
> >
> > Jeff
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

--
http://www.freelists.org/webpage/oracle-l

Received on Tue Dec 22 2015 - 02:54:02 CET

This message: [ Message body ]
Next message: kathryn axelrod: "grant create any directory to schema"
Previous message: MJ Mody: "Re: grant create any directory to schema"
In reply to: rob: "Re: grant create any directory to schema"
Next in thread: Mladen Gogala: "Re: grant create any directory to schema"
Reply: Mladen Gogala: "Re: grant create any directory to schema"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message