Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: OK to revoke privileges from SYS or DBA?

Re: OK to revoke privileges from SYS or DBA?

From: Anurag Varma <avdbi_at_hotmail.com>
Date: Tue, 07 Dec 2004 06:21:38 GMT
Message-ID: <SZbtd.50669$AL5.27738@twister.nyroc.rr.com> 






"Denis Do" <nospam.denisdo_at_yahoo.com> wrote in message news:opsil9mqdj0e7mlo_at_oicn055.internal.ozemail.com.au...


> I must admit, this is one REALLY good advice.

> (And this kind of advice is usually not free (if we are talking about some

> 3rd party commsec consultant):_))

>

> I agree with DA Morgan, since I know some REAL cases of intrusion through

> well-known pre-existing RESOURCE and DBA roles.

> Besides of that, we are talking about PRODUCTION, so what relation those

> rdbms/admin

> scripts have to "official production environment"?

> Even more, they MUST NOT BE there at all :-)

>

> It is very similar like you still have gcc/make on production server ...

> $-)

>




My response is on Daniels comment that dropping connect, resource will not screw up any aspect of oracle.
Just the presence of the roles in the database is not a security risk. Granting these roles to the users you create is not what I'm
advising.


I'm pointing out that oracle itself uses these roles to create some key users.
Also, I'm responding to his comment which does not seem Production specific.



Anurag
Received on Tue Dec 07 2004 - 00:21:38 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US