Re: CONNECT Role Privileges

From: DA Morgan <damorgan_at_psoug.org>
Date: Tue, 31 May 2005 22:48:11 -0700
Message-ID: <1117604758.138385@yasure>

Mark Bole wrote:
> DA Morgan wrote:
>

>> Holger Baer wrote:
>>

> [...]
>

>> To the best of my knoweldge no change was made to RESOURCE although I
>> made plea for that change in 10gR3 should there be one. And if not 10gR3
>> in 11. The security risk created by these three default roles exceeds
>> any possible value they might contain.
>>

> [...]
>
> Any idea when Oracle will fix the following problem?
>
> A user granted the RESOURCE role automatically gets the UNLIMITED
> TABLESPACE system privilege. Roles technically can't be grantees for
> system privileges, but this behavior is hard-coded (an "anomaly" is what
> Tom Kyte called it).
>
> -Mark Bole

In 10gR1 v 10.1.0.4

select privilege from dba_sys_privs
where grantee = 'RESOURCE';

PRIVILEGE

---

CREATE TYPE
CREATE TABLE
CREATE CLUSTER
CREATE TRIGGER
CREATE OPERATOR
CREATE SEQUENCE
CREATE INDEXTYPE
CREATE PROCEDURE And that is all. Now you'd think CREATE VIEW would be more useful than CREATE INDEXTYPE. But basically these roles, in the real world, are badly misused and need to be stuck with a fork.

At least the role's name should be changed to DEVELOPER to help discourage its misuse.

-- 
Daniel A. Morgan
http://www.psoug.org
damorgan_at_x.washington.edu
(replace x with u to respond)

Received on Wed Jun 01 2005 - 00:48:11 CDT