Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> Re: CONNECT Role Privileges
Thomas Kyte wrote:
> In article <1117604758.138385_at_yasure>, DA Morgan says...
>
>>Mark Bole wrote: >> >>>DA Morgan wrote: >>> >>> >>>>Holger Baer wrote: >>>> >>> >>>[...] >>> >>> >>>>To the best of my knoweldge no change was made to RESOURCE although I >>>>made plea for that change in 10gR3 should there be one. And if not 10gR3 >>>>in 11. The security risk created by these three default roles exceeds >>>>any possible value they might contain. >>>> >>> >>>[...] >>> >>>Any idea when Oracle will fix the following problem? >>> >>>A user granted the RESOURCE role automatically gets the UNLIMITED >>>TABLESPACE system privilege. Roles technically can't be grantees for >>>system privileges, but this behavior is hard-coded (an "anomaly" is what >>>Tom Kyte called it). >>> >>>-Mark Bole >> >>In 10gR1 v 10.1.0.4 >> >>select privilege from dba_sys_privs >>where grantee = 'RESOURCE'; >> >>PRIVILEGE >>----------------- >>CREATE TYPE >>CREATE TABLE >>CREATE CLUSTER >>CREATE TRIGGER >>CREATE OPERATOR >>CREATE SEQUENCE >>CREATE INDEXTYPE >>CREATE PROCEDURE >> >>And that is all. Now you'd think CREATE VIEW would be more useful than >>CREATE INDEXTYPE. But basically these roles, in the real world, are >>badly misused and need to be stuck with a fork. >> >>At least the role's name should be changed to DEVELOPER to help >>discourage its misuse.
-- Daniel A. Morgan http://www.psoug.org damorgan_at_x.washington.edu (replace x with u to respond)Received on Wed Jun 01 2005 - 08:55:15 CDT