Re: Comments Requested About Granting an "ANY" privilege

From: Mark D Powell <Mark.Powell_at_eds.com>
Date: Wed, 23 Apr 2008 06:51:57 -0700 (PDT)
Message-ID: <eeabe53e-0f06-4f01-889d-4df349a91615@b64g2000hsa.googlegroups.com>


On Apr 23, 4:44 am, sybrandb <sybra..._at_gmail.com> wrote:
> On Apr 23, 1:47 am, "Dereck L. Dietz" <diet..._at_ameritech.net> wrote:
>
> > Oracle 10g 10.2.0.3.0
>
> > Perusing the database where I work I've noticed that, among other things,
> > the following privileges have been granted as a general rule to all users:
>
> > 1.    select any dictionary
> > 2.    select any sequence
> > 3.    select any table
> > 4.    select any transaction
>
> > Just requesting comments on granting any privilege with the word "ANY" in
> > it.
>
> > Thanks.
>
> This demonstrates people who granted this privilege were too lazy to
> find out which privileges were really required.
> Those people should be shown to the door of unemployment, as they
> render databases unsecure.
> Remember most threats do not come from the outside, but from within.
>
> --
> Sybrand Bakker
> Senior Oracle DBA

Generally speaking, the "ANY" privileges should not be granted. Besides being very broad privileges, there are several security holes that can be exploited by users with "ANY" privileges.

The general comment is true for the SELECT ANY privileges also. Everyone should not be able to see any RDBMS dictionary table. Not everyone should be able to see all user data, etc.

A user should have only those privileges necessary to perform their assigned job tasks and no more.

HTH -- Mark D Powell --

Received on Wed Apr 23 2008 - 08:51:57 CDT
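
To see how far the grants discussed in this thread actually reach, the following query (an added example, not part of any poster's message) lists every account that holds a system privilege with "ANY" in its name, whether granted directly, to PUBLIC, or inherited through nested roles. It goes beyond the four SELECT ANY privileges in the original question and assumes the session can read the DBA_* dictionary views.

```sql
-- Added audit example, not from the thread. Requires read access to
-- DBA_USERS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS.
WITH holders AS (
    -- every account, plus PUBLIC (a grant to PUBLIC reaches all accounts)
    SELECT username AS name FROM dba_users
    UNION ALL
    SELECT 'PUBLIC' FROM dual
),
role_tree AS (
    -- for each grantee, every role it reaches directly or via nested roles;
    -- with no START WITH clause, each row of DBA_ROLE_PRIVS is a root
    SELECT CONNECT_BY_ROOT grantee AS root_grantee,
           granted_role
    FROM   dba_role_privs
    CONNECT BY PRIOR granted_role = grantee
)
-- 1. ANY privileges granted straight to the account (or to PUBLIC)
SELECT h.name          AS holder,
       sp.privilege,
       'direct grant'  AS granted_how
FROM   holders h
JOIN   dba_sys_privs sp ON sp.grantee = h.name
WHERE  sp.privilege LIKE '% ANY %'
UNION
-- 2. ANY privileges inherited through a role, however deeply nested
SELECT h.name,
       sp.privilege,
       'via role ' || rt.granted_role
FROM   holders h
JOIN   role_tree rt     ON rt.root_grantee = h.name
JOIN   dba_sys_privs sp ON sp.grantee = rt.granted_role
WHERE  sp.privilege LIKE '% ANY %'
ORDER  BY 1, 2, 3;
```

SYS, SYSTEM and holders of the DBA role will appear in the output as expected; the rows to review are ordinary application and end-user accounts, and any row where the holder is PUBLIC.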
