Re: UTL_FILE revoke from PUBLIC
Charles J. Fisher wrote:
> I was recently asked to revoke UTL_FILE from PUBLIC by a colleague in IT
> security, following recommendations from NGSS (and their automated
> "squirrel" scanner).
>
> Supposedly, Oracle recommends revoking this privilege:
>
> http://oraclelon1.oracle.com/docs/cd/A91202_01/901_doc/server.901/a90117/secure.htm#8738
>
> However, I've noticed that several sys-owned objects in the data
> dictionary go invalid (and stubbornly remain so until utlrp.sql is
> executed). One of my Oracle 7 instances went into a tailspin with a
> circular dependency between DBMS_UTILITY and DBMS_DDL, and I was forced to
> run CATALOG and CATPROC.
>
> What is everyone's experience with revoking UTL_FILE?
>
> Also, how serious is utlrp's suggestion to run in startup restrict?
My suggestions in no particular order.
1. Never grant anything to public without very careful review.
2. Never grant UTL_FILE to public no matter the review.
3. Never had a problem running UTLRP.SQL no matter the conditions,
though not on a production system with current users. That would
be sheer madness.
4. Don't do a new install with anything less than 9.2.0.4: Preferably
10.1.0.4.
--
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace 'x' with 'u' to respond)

Received on Sat Apr 23 2005 - 17:01:21 CDT
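As an added example, not code from either poster: the sequence a DBA could run in SQL*Plus to review the PUBLIC grant on UTL_FILE, record its dependents before the revoke, and reconcile the invalid objects the question describes afterwards. The only non-dictionary name is `app_owner`, a hypothetical schema standing in for whichever accounts genuinely need the package.

```sql
-- Added example (not from the thread). Run as a DBA in SQL*Plus.
-- All views are standard Oracle data dictionary views; app_owner is hypothetical.

-- 1. Review what PUBLIC can execute among SYS-owned objects (suggestion 1 above).
SELECT table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND owner     = 'SYS'
   AND privilege = 'EXECUTE'
 ORDER BY table_name;

-- 2. Before revoking, record every object that references UTL_FILE, so the
--    invalidations that follow are expected rather than a surprise.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name  = 'UTL_FILE'
 ORDER BY owner, name;

-- 3. Grant EXECUTE directly to the schemas that need it (suggestion 2 above:
--    per-schema grants instead of PUBLIC), then remove the PUBLIC grant.
GRANT EXECUTE ON sys.utl_file TO app_owner;
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;

-- 4. List what went invalid (the symptom reported in the question).
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
 ORDER BY owner, object_name;

-- 5. Recompile invalid objects. Per the reply, not while users are connected.
@?/rdbms/admin/utlrp.sql

-- 6. Confirm the recompile left nothing invalid.
SELECT COUNT(*) AS still_invalid
  FROM dba_objects
 WHERE status = 'INVALID';
```

If step 6 still reports invalid SYS objects after utlrp.sql, compare them against the dependents captured in step 2 before deciding whether a catalog rebuild is really needed.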