
Re: OK to revoke privileges from SYS or DBA?

From: Frank van Bortel <fvanbortel_at_netscape.net>
Date: Thu, 09 Dec 2004 20:33:56 +0100
Message-ID: <cpa9av$bbl$1@news4.zwoll1.ov.home.nl>


Howard J. Rogers wrote:
> Frank van Bortel wrote:
>

>> Howard J. Rogers wrote:
>>
>>> Anurag Varma wrote:
>>>
>>>> So you say that you never really drop the DBA role and that it was 
>>>> sloppy writing?
>>>>
>>>> How about the create database example in your site where you 
>>>> specifically advise dropping the DBA role?
>>>>
>>>> Look at the last section in this page: 
>>>> http://www.psoug.org/reference/createdb.html
>>>>
>>>> How about this?:
>>>> http://tinyurl.com/4kjle
>>>>
>>>> where again you recommend dropping dba, connect and resource role .. 
>>>> and then claim that this is what oracle recommends!
>>>>
>>>>
>>>> Anurag
>>>
>>>
>>>
>>>
>>> I think you are being a bit harsh, Anurag. You appear to be expecting 
>>> a level of consistency, competence, accuracy and precision from 
>>> Daniel that is entirely justifiable, but rather ambitious in his 
>>> particular case.
>>>
>> As if this isn't written with a grim smile...
>>
>>> As he writes elsewhere, he drops these roles and re-creates others 
>>> which contain the same privileges because he doesn't want to run his 
>>> database  "with the default role names that the entire world knows." 
>>> Perfectly legitimate, of course... and no doubt, to be consistent, he 
>>> drops SYS and SYSTEM as users, too, since the entire world certainly 
>>> knows about them.
>>>
>> He never said that! 

>
>
> I didn't say he did, Frank. In fact, my point works precisely because he
> *didn't* say that. I am pointing out that he is on record as saying that
> he drops CONNECT and RESOURCE because they have well-known names. Well,
> *to be consistent*, he should then advocate the renaming of SYS and
> SYSTEM, since they are very well-known names too! But (obviously quite
> sensibly) he doesn't... which, therefore, rather undermines the argument
> he uses for 'renaming' CONNECT and RESOURCE and means that his advice on
> those roles is ipso facto inconsistent.
>
>> And he has also admitted he was wrong about the advice to drop the DBA 
>> role.

>
>
> He hasn't, actually. He blamed it on sloppy writing, not on being wrong.
> But that's a side show. The DBA role is *one* of *three* roles he has
> advocated dropping. He's backed off on the DBA one, but that leaves two
> to go. He's still arguing that those should be dropped.
>
>> So, it's only natural you can come up with a link that still has
>> this (now admittedly wrong!) advice.

>
>
> I am not sure what advice or what link you're talking about. But you
> imply that I am underhandedly linking to out-of-date information in
> order to do down Daniel. That is not so. Daniel is STILL advocating the
> dropping of two roles which he shouldn't be. That is very much current
> information. Dropping those roles and re-creating them, or something
> very like them, under new names is NOT recommended by Oracle; is NOT
> actually going to increase security; MAY break your database; MAY
> compromise your support contract.
>
>> It's like taking a lolly from a baby.

>
>
> Again, I don't really understand what you mean by that. But if you mean
> 'this is too easy', I can only reply "if only". Trying to get Daniel to
> admit that his advice is wrong, flawed, erroneous, dangerous,
> ill-advised, unsupported and pointless in the first place is a very tall
> order indeed.
>
>>> It is self-evident that Daniel is somewhat tied up in inconsistent 
>>> knots  on this entire matter. It is a little cruel of you to draw 
>>> attention to the fact, don't you think?
>>>
>>
>> So did you - by replying.
>> Get off it, children! Playtime is over, no more playing in the sandbox.

>
>
> Frank, if there's one thing I can't stand, it's people butting into
> threads and declaring the topic over. It's over for me when I consider
> the damage and the danger to have passed. It hasn't. Daniel is still
> pushing ludicrously self-contradictory advice that will do HARM to
> databases. If you think that's playing, you don't understand.
>
> And if in the process of dealing with his dangerous advice I happen to
> share a subtle bit of irony with Anurag, that's my affair, not yours.
> Particularly when the irony seems to have sailed straight over your head.
>

Oh yeah, Howard - the irony sailed over my head, indeed. So it might have with others, too.
It looked to me like Daniel bashing, once more. Of course, you are right when you are right; and when he is wrong, you are free to correct him (or me, or whomever, for that matter). But please keep it technical, please.

And as you use this ng for your irony, it's my affair as well. Send private emails if you don't like the rest of the world to read it.

If you would have read the links, you would have understood the comment, and that was NOT you, by the way, doing the linking. For all clarity: Anurag provided the link, not you. So I implied nothing - you implied I implied something, even when admitting you do not understand the matter.
The irony you failed to understand is that all I wanted is to stop throwing mud (sand box - get it?) at each other. I wished that would stop, here - that's all there is to it.

[completely OT]
Howard, life is short, let's enjoy it - I'll see if I can find a fine bottle of Australian wine (think not - they never survive long... :) ), and I'll toast to your health. Even if you don't give s**t about it.

Cheers!
[/OT]

-- 
Frank van Bortel
Received on Thu Dec 09 2004 - 13:33:56 CST
