Oracle FAQ Your Portal to the Oracle Knowledge Grid
Newsgroup: c.d.o.server

Re: developer privs in development (old thread inaccessible)

From: Daniel Morgan <damorgan_at_x.washington.edu>
Date: Wed, 10 Dec 2003 17:59:57 -0800
Message-ID: <1071107905.426060@yasure>


Pete Finnigan wrote:

>>I was explaining to students the fact that the roles CONNECT, RESOURCE,
>>and DBA should never be granted to anyone on an Oracle system and how
>>they should create their own application-organization specific roles
>>with combinations of system and object privileges.
>>
>>Based on our discussion (almost all of the students are developers
>>and DBAs), it became apparent that part of the problem is these three roles.
>>
>>Most DBAs still assign them and thus never really take the time to
>>create a granularity appropriate to the actual needs of the team. They
>>give themselves the DBA role and sometimes think, based on its name, it
>>is inappropriate or dangerous in the hands of developers. What they
>>should more properly realize is that it contains privileges irrelevant
>>to DBAs too. DBA roles should be created, just like end-user and
>>developer roles, to ONLY enable those privileges actually required.
>>
> 
> Exactly, Daniel!!
> 
> Least privilege principle for users, and also why not the least privilege
> principle for admin staff - not all DBAs need every privilege in the
> system all of the time. I suggested the same as you, for DBAs to create
> DBA roles that match the day-to-day tasks, and I also suggest not using
> the CONNECT and RESOURCE roles and instead building your own, in my book
> "Oracle Security Step-by-Step".
> 
> Good point, Daniel.
> 
> Kind regards
> 
> Pete

Well, it sure came through to me again today. I spent six hours at a company that runs on a proprietary application built with PowerBuilder on top of Oracle. They called me in because things were grinding to a halt.

So I asked for the passwords for SYS or SYSTEM to look around, and not a single person at the company knew them. So I logged on as a developer, looked in all_role_privs and saw two roles created by the application. Went to role_role_privs and found that the DBA role had been granted to this application role that every developer had as part of their permissions.

Two seconds later I had performed ALTER USER SYS IDENTIFIED BY ... and I owned their entire company for all intents and purposes.

The only thing that had protected them for the past three years was that no one there knew enough, or was angry enough on a Friday afternoon, to take them down.

What possible reason was there for anyone to have the DBA role, much less every developer in the shop? Whew!

Come on, DBAs. Go to your database and perform the following:

-- lists every role defined in the database
SELECT role
FROM dba_roles;

If you see CONNECT, RESOURCE, and/or DBA, do something about it!

-- 
Daniel Morgan
http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp
http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)
Received on Wed Dec 10 2003 - 19:59:57 CST
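The escalation in the post above is a role-hierarchy problem: a user holds an application role, the application role holds DBA, so the user holds DBA without DBA ever appearing in their direct grants. Listing DBA_ROLES only shows that the role exists. The queries below are an added example, not code from the original post; they walk the grant chain with Oracle's hierarchical query syntax (CONNECT BY, Oracle 10g or later) and report who effectively ends up with DBA, CONNECT or RESOURCE and through which roles. The role name in the remediation comment (app_dev_role) is hypothetical.

```sql
-- Added example, not from the original post. DBA_ROLE_PRIVS holds both
-- user->role and role->role grants (GRANTEE may be a user or a role);
-- ROLE_ROLE_PRIVS, used in the post, is the role->role subset. Needs read
-- access to DBA_ROLE_PRIVS and DBA_USERS (e.g. SELECT_CATALOG_ROLE).
--
-- 1. DBA-side audit: every account that holds DBA, CONNECT or RESOURCE,
--    directly (depth 1) or through nested roles (depth >= 2), with the chain.
SELECT DISTINCT
       CONNECT_BY_ROOT grantee                   AS account,
       granted_role                              AS effective_role,
       LEVEL                                     AS depth,
       SYS_CONNECT_BY_PATH(granted_role, ' -> ') AS granted_via
FROM   dba_role_privs
-- WHERE is applied after the tree walk, so nested grants survive the filter
WHERE  granted_role IN ('DBA', 'CONNECT', 'RESOURCE')
START WITH grantee IN (SELECT username
                       FROM   dba_users
                       WHERE  username NOT IN ('SYS', 'SYSTEM'))
CONNECT BY NOCYCLE PRIOR granted_role = grantee
ORDER  BY account, effective_role, depth;

-- 2. The same check from an unprivileged session, i.e. what a developer can
--    discover about their own account without SYS or SYSTEM. USER_ROLE_PRIVS
--    gives the directly granted roles, ROLE_ROLE_PRIVS the roles nested
--    under them.
WITH my_grants AS (
  SELECT USER AS grantee, granted_role FROM user_role_privs
  UNION ALL
  SELECT role AS grantee, granted_role FROM role_role_privs
)
SELECT LEVEL                                     AS depth,
       granted_role,
       SYS_CONNECT_BY_PATH(granted_role, ' -> ') AS granted_via
FROM   my_grants
START WITH grantee = USER
CONNECT BY NOCYCLE PRIOR granted_role = grantee
ORDER  BY depth, granted_role;
-- A row with GRANTED_ROLE = 'DBA' means this session holds DBA as soon as
-- the enclosing role is enabled (default roles are enabled at logon), which
-- is what made ALTER USER SYS IDENTIFIED BY ... possible in the post.

-- 3. Remediation (hypothetical role name): drop the nested DBA grant and
--    leave the application role with only the privileges the application
--    actually uses.
-- REVOKE DBA FROM app_dev_role;
```

Run the first query as the DBA and treat every row with depth 2 or more as a hidden grant: those are the ones a review of direct grants, or of DBA_ROLES alone, will never surface. The second query is the attacker's view, so it is also the fastest way to confirm a developer account has been cleaned up after the REVOKE.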
