Hi,
It sounds like you have a lot of problems there. It also sounds like your supplier develops their software with a user with all privileges granted. They are not alone! Oracle until recently did the same with CTXSYS, WKSYS and MDSYS.
There is no easy solution to this. The software developers probably do not know exactly what privileges they need. You should not define them for them as it could break the application. I am sorry I have to disagree with Daniel; just dropping privileges until something breaks is not a good plan. I have seen this done before and it results in chaos. You need to work with the software vendor and get them to understand that it is bad security practice to grant all privileges to a schema owner and it is also bad practice to allow users to log on with the schema owner account. You should suggest that they read the two security checklists available on my web site and some of the security papers at http://www.petefinnigan.com/orasec.htm - these give details of many Oracle security issues.
Also you may suggest that audit is enabled on all system privileges and monitored over a period of time. This may help the vendor to establish a proper list of needed privileges, although this can leave holes as well. It is definitely better that you let them drive this, not you - they have the source code after all. Also, ring fencing the issue as suggested by (Daniel?), creating a separate role, adding the privileges to it and granting that to the relevant people, is a better start instead of granting DBA and all privileges - although at this stage no more secure.
You should also advise management that the software is not acceptable on security grounds and that they should be pressuring the vendor to specify privileges using the least privilege principle i.e. grant only what is needed.
You could also formally report the issue to the vendor as a security bug and let them know that you will release a security advisory on Bugtraq when they have fixed the issue - set a timescale for the fix agreed with them. If your management and/or the vendor do not attempt to secure the software you should contact CERT as they are always interested in companies who are not taking notice of security issues. CERT is now part of the US Department of Homeland Security and they should have quite a bit of weight now. CERT encourages people to report flaws to them at cert_at_cert.org. You may get some help from them to push your vendor but it is best to ask the vendor to take action first!
hth
Kind regards
Pete
--
Pete Finnigan
email: pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle Security Step-by-Step Guide - see http://store.sans.org for details.

Received on Mon May 17 2004 - 05:05:54 CDT
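The two steps Pete suggests above (audit the application account's system privilege use for a while, then ring-fence what it actually needs into a dedicated role instead of granting DBA) can be written down as the following Oracle SQL. This is an added illustration, not code from the post or from any vendor; the account name APPOWNER, the role name APP_PRIVS and the two privileges granted at the end are assumed placeholders, and the real list would come from what the audit trail shows over the monitoring period.

```sql
-- Added example, not part of the original post.
-- Assumes: traditional auditing is on (AUDIT_TRAIL=DB) and the
-- application schema owner is APPOWNER (placeholder name).

-- 1. Record every system privilege APPOWNER exercises, one row per use,
--    so the monitoring period shows what the application really needs.
AUDIT ALL PRIVILEGES BY appowner BY ACCESS;

-- Confirm the audit options are in place for that user.
SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 WHERE user_name = 'APPOWNER';

-- 2. After the monitoring period, list the distinct privileges that were
--    actually used; this becomes the candidate list for the vendor to confirm.
SELECT priv_used, COUNT(*) AS uses, MIN(timestamp) AS first_seen
  FROM dba_audit_trail
 WHERE username = 'APPOWNER'
   AND priv_used IS NOT NULL
 GROUP BY priv_used
 ORDER BY uses DESC;

-- Compare with what is granted directly today (DBA / ALL PRIVILEGES style grants
-- show up here and in DBA_ROLE_PRIVS).
SELECT privilege, admin_option FROM dba_sys_privs  WHERE grantee = 'APPOWNER';
SELECT granted_role            FROM dba_role_privs WHERE grantee = 'APPOWNER';

-- 3. Ring-fence: put the confirmed privileges in a dedicated role and grant
--    that role instead of DBA. The two privileges below are placeholders.
CREATE ROLE app_privs;
GRANT CREATE SESSION, CREATE TABLE TO app_privs;
GRANT app_privs TO appowner;

-- Only once the vendor has confirmed the role is sufficient:
-- REVOKE DBA FROM appowner;
```

Leave the REVOKE commented out until the vendor has signed off on the role's contents; as the post notes, swapping DBA for a role that still holds everything is organisationally tidier but not yet more secure, and the audit trail (plus the vendor's knowledge of the source) is what lets the role shrink to least privilege.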