Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: DBAs, roles and privs

Re: DBAs, roles and privs

From: Pete Finnigan <plsql_at_petefinnigan.com>
Date: Mon, 17 May 2004 11:05:54 +0100
Message-ID: <n$PVFzAC6IqARxEM@peterfinnigan.demon.co.uk> 





Hi,



It sounds like you have a lot of problems there. It also sounds like
your supplier develops their software with a user with all privileges
granted. They are not alone!, Oracle until recently did the same with
CTXSYS, WKSYS and MDSYS. 



There is no easy solution to this. The software developers probably do
not know exactly what privileges they need. You should not define them
for them as it could break the application. I am sorry I have to
disagree with Daniel, just dropping privileges until something breaks is
not a good plan. I have seen this done before and it results in chaos.
You need to work with the software vendor and get them to understand
that it is bad security practice to grant all privileges to a schema
owner and it is also bad practice to allow users to logon with the
schema owner account. You should suggest that they read the two security
checklists available on my web site and some of the security papers at
http://www.petefinnigan.com/orasec.htm - these give details of many
oracle security issues. 



Also you may suggest that audit is enabled on all system privileges and
monitored over a period of time. This may help the vendor to establish a
proper list of needed privileges although this can leave holes as well.
It is definitely better that you let them drive this not you - they have
the source code after all. Also ring fencing the issue as suggested by
(Daniel?) creating a separate role and adding the privileges to it and
granting that to the relevant people is a better start instead of
granting dba and all privileges - although at this stage no more secure. 



You should also advise management that the software is not acceptable on
security grounds and that they should be pressuring the vendor to
specify privileges using the least privilege principle i.e. grant only
what is needed.



You could also formally report the issue to the vendor as a security bug
and let them know that you will release a security advisory on bugtraq
when they have fixed the issue - set a timescale for the fix agreed with
them. If your management and or the vendor do not attempt to secure the
software you should contact CERT as they are always interested in
companies who are not taking notice of security issues. CERT is now part
of the US department of homeland security and they should have quite a
bit of weight now. CERT encourage people to report flaws to them
cert_at_cert.org. You may get some help from them to push your vendor but
it is best to ask the vendor to take action first!.



hth



Kind regards



Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.


Received on Mon May 17 2004 - 05:05:54 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US