
Re: Newbie: Simple User question

From: <fitzjarrell_at_cox.net>
Date: 26 Jul 2005 09:01:07 -0700
Message-ID: <1122390296.646817.256190@z14g2000cwz.googlegroups.com>

bbreukelen_at_gmail.com wrote:
> First of all thank you all for the responses.
>
> The reason I want the new user to access the tablespace is security. I
> don't want to use the original user because I have to embed the
> username/password into the PHP code and other people are able to see
> the code that are not allowed to enter the oracle dbase.
> The Remedy dbase user has far too many privileges to be out on the
> street.
>
> I wanted to restrict the user to the dbase only coming from localhost
> so people cannot use the account to connect to the dbase from remote
> computers but this is not very important if the restrictions are ok.
>
> I already created a user with the role connect and I found out that I
> can give the user permissions using eg. -GRANT SELECT ON
> "ARADMIN"."ARSCHEMA" TO "Webserver"-
>
> But I'd like to use something like -GRANT SELECT ON "ARADMIN"."%" TO
> "Webserver"- but this doesn't work.
>
> About the last part, I'm not lazy. It's just that I looked up a lot of
> responses on similar questions and the answer always is 'Pick up a book
> and learn all about the oracle'.
>
> I can understand that but the project does not allow me to and this is
> the only thing I need to setup. The rest will simply be handled by the
> Remedy application so I feel like it's a waste of time for me.
>
> I can imagine that some of you don't want to answer my question because
> of this reason. That's not a problem at all. Just don't waste your time
> by giving a response without an answer.
>
> Thanks again,
>
> Boudewijn van Breukelen

Your original post indicated the following:

"I wish to create an oracle user accessible by the webserver only limited to localhost and with access to insert, update, select and delete in all tables within the tablespace from the arsystem tablespace."

Given that criteria what good does it do you to have a second, possibly publicly accessible user account which can insert, delete and update data for this application? Where is the security in that thought? I fail to understand how that makes your system safe, as this new user has the same access rights as the schema owner except the ability to create any objects. It also provides any number of ways to use SQL injection to damage/destroy your data. I can understand having a user account which can VIEW data in another schema, but to grant all possible data manipulation options to a second account provides, in my mind, no security at all.

Of course, I guess I should expect this, given your desire to forego understanding Oracle in deference to a 'quick fix'.

David Fitzjarrell

Received on Tue Jul 26 2005 - 11:01:07 CDT
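An added example, not part of either poster's message: Oracle object grants take no wildcard, so schema-wide read access has to be granted table by table. This PL/SQL sketch gives the "Webserver" account from the thread view-only access to the ARADMIN tables through a role, then checks that nothing beyond SELECT was granted. The role name WEBSERVER_RO is hypothetical, and the script assumes it is run by a DBA account that can read the DBA_ dictionary views and grant on ARADMIN objects.

```sql
-- Added example. WEBSERVER_RO is a hypothetical role name; "Webserver" and
-- ARADMIN are the account and schema named in the thread.
-- Assumption: run as a DBA account.

CREATE ROLE webserver_ro;

BEGIN
  -- GRANT ... ON "ARADMIN"."%" is not valid syntax: an object grant names
  -- exactly one object, so loop over the data dictionary instead.
  FOR t IN (SELECT owner, table_name
              FROM dba_tables
             WHERE owner = 'ARADMIN')
  LOOP
    -- Names come from the dictionary and are double-quoted so that
    -- mixed-case or otherwise unusual table names are handled correctly.
    EXECUTE IMMEDIATE
      'GRANT SELECT ON "' || t.owner || '"."' || t.table_name ||
      '" TO webserver_ro';
  END LOOP;
END;
/

-- The web account gets the session privilege and the read-only role only.
GRANT CREATE SESSION TO "Webserver";
GRANT webserver_ro TO "Webserver";

-- Audit check: any row returned here is a privilege other than SELECT
-- held by the role or granted directly to the web account.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee IN ('WEBSERVER_RO', 'Webserver')
   AND privilege <> 'SELECT';

-- Audit check: system privileges and roles held directly by the web
-- account; expect CREATE SESSION and WEBSERVER_RO plus whatever the
-- CONNECT role from the thread carries.
SELECT grantee, privilege    AS granted FROM dba_sys_privs  WHERE grantee = 'Webserver'
UNION ALL
SELECT grantee, granted_role AS granted FROM dba_role_privs WHERE grantee = 'Webserver';
```

Tables created in ARADMIN after the loop runs are not covered until it is run again.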
