
Re: OK to revoke privileges from SYS or DBA?

From: DA Morgan <damorgan_at_x.washington.edu>
Date: Mon, 06 Dec 2004 19:26:22 -0800
Message-ID: <1102389878.956938@yasure>


Mark Bole wrote:

> DA Morgan wrote:
>
>> Niall Litchfield wrote:
>>
>>>> If it is good enough for Tom Kyte ... it is good enough for me to
>>>> reference.  ;-)
>>>
>>> Well possibly. Tom doesn't advocate *dropping* any of the roles - he
>>> advocates not *using* them, on my reading anyway. This is not quite the
>>> same thing.
>>
>> I agree. But I have read elsewhere specific advice to drop them as they
>> are a security risk just by existing. Alternatively one can keep the
>> roles but drop those privs from them that are inappropriate.
>
> That's the problem -- you can't drop UNLIMITED TABLESPACE system
> privilege from the RESOURCE role, because roles technically can't be
> granted (or revoked) system privileges, and it's hard-coded anyway (an
> "anomaly").
>
> Isn't that how another thread recently got started here?
>
>> I disagree that dropping CONNECT and RESOURCE will screw up any
>> aspect of Oracle. But if you insist certainly one could edit those
>> default roles to remove inappropriate privileges. What end-user,
>> for example, needs the ability to create clusters and database links?
>> And what DBA would want them to if they even knew what they were?
>
> We need a future release of Oracle that commits to not using these
> legacy roles out of the box (that is, upon install). The usual process
> - first deprecated, then eliminated. Just like "sqldba" or "svrmgrl". I
> think we're discussing the "deprecated" status....

Likely we'll get that around the same time Oracle stops defining trigger_body in dba_triggers as a LONG. ;-)

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace 'x' with 'u' to respond)
Received on Mon Dec 06 2004 - 21:26:22 CST
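
An added example, not part of the original thread or written by its participants: dictionary queries a DBA could run to review what the CONNECT and RESOURCE roles discussed above carry, who holds them, and which accounts reach CREATE CLUSTER or CREATE DATABASE LINK through them. It assumes SELECT access to the standard DBA_SYS_PRIVS and DBA_ROLE_PRIVS views; the role name app_session and the account some_app_user are hypothetical.

```sql
-- Added example; run as an account that can read the DBA_* dictionary views.

-- 1. System privileges currently carried by the two legacy roles.
SELECT grantee AS role_name, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee IN ('CONNECT', 'RESOURCE')
ORDER  BY grantee, privilege;

-- 2. Every account (or other role) that has been granted those roles.
SELECT granted_role, grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role IN ('CONNECT', 'RESOURCE')
ORDER  BY granted_role, grantee;

-- 3. Grantees holding UNLIMITED TABLESPACE as a direct grant, flagged by
--    whether they also hold RESOURCE (the role the thread ties it to).
SELECT sp.grantee,
       CASE WHEN rp.grantee IS NULL THEN 'NO' ELSE 'YES' END AS has_resource_role
FROM   dba_sys_privs sp
       LEFT JOIN dba_role_privs rp
              ON rp.grantee = sp.grantee
             AND rp.granted_role = 'RESOURCE'
WHERE  sp.privilege = 'UNLIMITED TABLESPACE'
ORDER  BY sp.grantee;

-- 4. Grantees that reach the two privileges questioned in the thread
--    by way of a legacy role rather than a deliberate direct grant.
SELECT rp.grantee, rp.granted_role, sp.privilege
FROM   dba_role_privs rp
       JOIN dba_sys_privs sp
         ON sp.grantee = rp.granted_role
WHERE  rp.granted_role IN ('CONNECT', 'RESOURCE')
  AND  sp.privilege IN ('CREATE CLUSTER', 'CREATE DATABASE LINK')
ORDER  BY rp.grantee, sp.privilege;

-- 5. The "don't use them" option: a site-defined role with only what a
--    login needs. app_session and some_app_user are hypothetical names.
CREATE ROLE app_session;
GRANT CREATE SESSION TO app_session;
-- GRANT app_session TO some_app_user;
-- REVOKE CONNECT FROM some_app_user;
```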
