Re: OK to revoke privileges from SYS or DBA?

From: Mark Bole <makbo_at_pacbell.net>
Date: Tue, 07 Dec 2004 03:04:45 GMT
Message-ID: <h59td.39480$6q2.37686@newssvr14.news.prodigy.com>


DA Morgan wrote:

> Niall Litchfield wrote:
>
>>> If it is good enough for Tom Kyte ... it is good enough for me to
>>> reference.  ;-)
>>
>> Well possibly. Tom doesn't advocate *dropping* any of the roles - he
>> advocates not *using* them, on my reading anyway. This is not quite the
>> same thing.
>
> I agree. But I have read elsewhere specific advice to drop them as they
> are a security risk just by existing. Alternatively one can keep the
> roles but drop those privs from them that are inappropriate.

That's the problem -- you can't drop UNLIMITED TABLESPACE system privilege from the RESOURCE role, because roles technically can't be granted (or revoked) system privileges, and it's hard-coded anyway (an "anomaly").

Isn't that how another thread recently got started here?

> I disagree that dropping CONNECT and RESOURCE will screw up any
> aspect of Oracle. But if you insist certainly one could edit those
> default roles to remove inappropriate privileges. What end-user,
> for example, needs the ability to create clusters and database links?
> And what DBA would want them to if they even knew what they were?

We need a future release of Oracle that commits to not using these legacy roles out of the box (that is, upon install). The usual process - first deprecated, then eliminated. Just like "sqldba" or "svrmgrl". I think we're discussing the "deprecated" status....

-- 
Mark Bole
http://www.bincomputing.com
Received on Mon Dec 06 2004 - 21:04:45 CST
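
An added example, not part of the original post or thread: a read-only audit, using the standard DBA_ROLE_PRIVS and DBA_SYS_PRIVS dictionary views, of who holds the legacy CONNECT and RESOURCE roles, which system privileges those roles carry in this database, and which accounts hold UNLIMITED TABLESPACE as a direct grant. The account name `app_user`, the tablespace `users` and the quota figure in the commented-out follow-up are hypothetical placeholders.

```sql
-- Added example: audit of the legacy CONNECT / RESOURCE roles.
-- Run as an account that can query the DBA_* views. Nothing here changes state.

-- 1. Which users or roles have been granted the legacy roles?
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role IN ('CONNECT', 'RESOURCE')
ORDER  BY granted_role, grantee;

-- 2. Which system privileges do those roles carry in this database?
--    (The list differs between releases, so check it rather than assume it.)
SELECT grantee AS role_name, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee IN ('CONNECT', 'RESOURCE')
ORDER  BY grantee, privilege;

-- 3. Which accounts hold UNLIMITED TABLESPACE as a direct grant,
--    and do they also hold RESOURCE?
SELECT sp.grantee,
       CASE WHEN rp.grantee IS NULL THEN 'NO' ELSE 'YES' END AS has_resource
FROM   dba_sys_privs sp
LEFT   JOIN dba_role_privs rp
       ON  rp.grantee      = sp.grantee
       AND rp.granted_role = 'RESOURCE'
WHERE  sp.privilege = 'UNLIMITED TABLESPACE'
ORDER  BY sp.grantee;

-- 4. Follow-up for one account found in step 3, left commented out.
--    app_user, users and 100M are hypothetical; pick values per application.
-- REVOKE UNLIMITED TABLESPACE FROM app_user;
-- ALTER USER app_user QUOTA 100M ON users;
```

Compare the step 2 output against what each application account actually needs before deciding whether to keep the roles, stop granting them, or replace them with a site-specific role.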