Re: Comments Requested About Granting an "ANY" privilege

From: Shakespeare <whatsin_at_xs4all.nl>
Date: Wed, 23 Apr 2008 17:37:39 +0200
Message-ID: <480f57c1$0$14357$e4fe514c@news.xs4all.nl>

"Mark D Powell" <Mark.Powell_at_eds.com> wrote in message news:eeabe53e-0f06-4f01-889d-4df349a91615_at_b64g2000hsa.googlegroups.com...
.On Apr 23, 4:44 am, sybrandb <sybra..._at_gmail.com> wrote:
.> On Apr 23, 1:47 am, "Dereck L. Dietz" <diet..._at_ameritech.net> wrote:
.>
.> > Oracle 10g 10.2.0.3.0
.>
.> > Perusing the database where I work I've noticed that, among other things,
.> > the following privileges have been granted as a general rule to all users:
.>
.> > 1. select any dictionary
.> > 2. select any sequence
.> > 3. select any table
.> > 4. select any transaction
.>
.> > Just requesting comments on granting any privilege with the word "ANY" in it.
.>
.> > Thanks.
.>
.> This demonstrates people who granted this privilege were too lazy to
.> find out which privileges were really required.
.> Those people should be shown to the door of unemployment, as they
.> render databases insecure.
.> Remember most threats do not come from the outside, but from within.
.>
.> --
.> Sybrand Bakker
.> Senior Oracle DBA
.
.Generally speaking the "ANY" privileges should not be granted.
.Besides being very broad privileges there are several security holes
.that can be exploited by users with "ANY" privileges.
.
.The general comment is true for the SELECT ANY privileges also.
.Everyone should not be able to see any rdbms dictionary table. Not
.everyone should be able to see all user data, etc ....
.
.A user should have only those privileges necessary to perform their
.assigned job tasks and no more.
.
.HTH -- Mark D Powell --

IIRC, in 'the old days' one of the documented 'requirements' for using TOAD was the 'select any table' privilege.

Shakespeare

Received on Wed Apr 23 2008 - 10:37:39 CDT
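The thread advises finding out who holds "ANY" privileges and replacing them with grants limited to the job. Below is an added SQL example illustrating that cleanup on Oracle 10g; it is not code from any of the posters. It uses the standard DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS views; the schema APP, its tables and sequence, the role APP_REPORT_ROLE and the account REPORT_USER are placeholder names for this illustration.

```sql
-- 1. Audit: every system privilege containing the word ANY, granted directly
--    to a user or to PUBLIC. (Added example; view names are standard Oracle.)
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
 ORDER BY grantee, privilege;

-- 2. Audit: the same privileges reaching real users through roles, following
--    role-to-role grants to any depth. CONNECT_BY_ROOT is available from 10g.
SELECT DISTINCT r.user_name, r.granted_role, sp.privilege
  FROM (SELECT CONNECT_BY_ROOT grantee AS user_name, granted_role
          FROM dba_role_privs
         START WITH grantee IN (SELECT username FROM dba_users)
       CONNECT BY PRIOR granted_role = grantee) r
  JOIN dba_sys_privs sp ON sp.grantee = r.granted_role
 WHERE sp.privilege LIKE '%ANY%'
 ORDER BY r.user_name, sp.privilege;

-- 3. Remediate one reporting account: a role that names exactly the objects
--    the job needs, then the broad grants revoked. APP.* and REPORT_USER are
--    placeholder names.
CREATE ROLE app_report_role;
GRANT SELECT ON app.orders     TO app_report_role;
GRANT SELECT ON app.customers  TO app_report_role;
GRANT SELECT ON app.order_seq  TO app_report_role;
GRANT app_report_role TO report_user;

REVOKE SELECT ANY TABLE      FROM report_user;
REVOKE SELECT ANY SEQUENCE   FROM report_user;
REVOKE SELECT ANY DICTIONARY FROM report_user;
REVOKE SELECT ANY TRANSACTION FROM report_user;

-- 4. Verify: this should now return no rows for the account.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'REPORT_USER'
   AND privilege LIKE '%ANY%';
```

Run the two audit queries before changing anything, and keep the output: it documents which accounts depended on the broad grants, and the grants that appear under PUBLIC or under a role shared by many users are the ones to handle first, since revoking them affects every account at once.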
