Re: how to give user privilege to browse the source code in production

From: joel garry <joel-garry_at_home.com>
Date: Wed, 29 Sep 2010 14:37:41 -0700 (PDT)
Message-ID: <ed4befa6-aab0-4591-9009-4eab8678a97a_at_c28g2000prj.googlegroups.com>



On Sep 29, 9:02 am, charles <dshprope..._at_gmail.com> wrote:
> Thanks David.
>
> We are a new Oracle shop, we are building all those new rules for this
> new world.
>
> Our developer team strongly wanted it.  They do not want to use SQL to
> select against a view. They want to use some GUI tool like SQL
> Developer/SQL Navigator to browse.
>
> I searched on Pete's site, he only mentioned "never grant select any
> dictionary".
>
> On Oracle's website, it also mentioned:
> You should grant this privilege with extreme care, because the
> integrity of your system can be compromised by their misuse.
>
> But Oracle does not give details how the misuse could cause the
> integrity of our database.
>
> To convince the judge, our supervisor, I need to give some details,
> some examples, which is hard to find on the internet.  The only thing I
> found so far is dba_users has a password column.

And that's all you need. http://www.sans.org/reading_room/special/?id=oracle_pass

Actually, anyone who can make a full=y rows=n export can grep for "CREATE USER" in the export file. But don't tell anybody, you wouldn't want to make it too easy for script kiddies on the intertubes, like your undoubtedly curious developers.

I think this is all mooted in 11g. And made worse in some apps.

Also see http://www.oracle.com/technetwork/database/security/twp-security-checklist-database-1-132870.pdf

jg

--
_at_home.com is bogus.
http://abcnews.go.com/Travel/las-vegas-hotel-pool-sunlight-swimming-tourists/story?id=11739234
Received on Wed Sep 29 2010 - 16:37:41 CDT
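
An audit query for the exposure discussed in this message, added here as an example and not part of the original post: it lists database users who hold SELECT ANY DICTIONARY, or the EXP_FULL_DATABASE role that a full=y export requires, either directly or through nested roles. It assumes Oracle 10g or later and an account that can read DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS; the column aliases (exposure, grant_path) are made up for the example.

```sql
-- Added example: who can already read the dictionary or run a full export?
WITH direct_grants AS (
    -- Users or roles granted the system privilege itself
    SELECT grantee, 'SELECT ANY DICTIONARY' AS exposure
    FROM   dba_sys_privs
    WHERE  privilege = 'SELECT ANY DICTIONARY'
    UNION
    -- The role that permits a full=y export is treated as a starting point too
    SELECT 'EXP_FULL_DATABASE', 'EXP_FULL_DATABASE role'
    FROM   dual
),
inherited AS (
    -- Walk role-to-role and role-to-user grants outward from each starting point
    SELECT rp.grantee,
           CONNECT_BY_ROOT rp.granted_role AS root_role
    FROM   dba_role_privs rp
    START WITH rp.granted_role IN (SELECT grantee FROM direct_grants)
    CONNECT BY NOCYCLE PRIOR rp.grantee = rp.granted_role
)
-- Users granted the privilege directly
SELECT u.username,
       u.account_status,
       g.exposure,
       'direct grant' AS grant_path
FROM   dba_users u
JOIN   direct_grants g ON g.grantee = u.username
UNION
-- Users who reach it through one or more roles
SELECT u.username,
       u.account_status,
       g.exposure,
       'via role ' || i.root_role AS grant_path
FROM   dba_users u
JOIN   inherited i     ON i.grantee = u.username
JOIN   direct_grants g ON g.grantee = i.root_role
ORDER  BY username, exposure;
```

Any developer account in the result can already reach what the thread is worried about, so the list is a concrete starting point for the conversation with the supervisor.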
