
Re: Is Statspack a Security Problem?

From: Yechiel Adar <adar76_at_inter.net.il>
Date: Thu, 25 Jul 2002 00:46:14 -0800
Message-ID: <F001.004A1FD2.20020725004614@fatcity.com>


Thanks Ian.
Have a beer on me, you earned it with this info.

Yechiel Adar
Mehish
----- Original Message -----
To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
Sent: Wednesday, July 24, 2002 11:51 PM

Ian,
You are likely to win the wager on this one. I discovered the "public" when I was trying to secure my database. There are grants to public all over the place. I would be very interested to know and understand why Oracle did grant so much to public and what can be safely revoked.

Ron
ROR mô¿ôm

>>> ian_at_SLAC.Stanford.EDU 07/24/02 04:20PM >>>
I'm not saying it's not fixable. The creation of dba level accounts such as dbsnmp and outln by Oracle is fixable as well. But I'll wager there are folks out there who didn't know the grants on the statspack tables were to public.

Of course none of our developers or ad hoc query writers would ever write a statement that doesn't use bind variables. I have it on good authority that the same holds true for all Oracle sites everywhere. :)

Ian MacGregor
Stanford Linear Accelerator Center
ian_at_SLAC.Stanford.edu

-----Original Message-----
Sent: Wednesday, July 24, 2002 11:56 AM
To: Multiple recipients of list ORACLE-L

Why not just back up the spctab.sql script and then in vi do a :g/PUBLIC/s//DBA/ or whatever role you choose to play with statspack before running. Although bind vars are still appropriate too.

Rodd Holman

On Wed, 2002-07-24 at 12:23, kkennedy wrote:

Sounds like yet another good reason for using bind variables 8-)

Kevin Kennedy

First Point Energy Corporation

-----Original Message-----

Sent: Wednesday, July 24, 2002 8:23 AM

To: Multiple recipients of list ORACLE-L

To wit:

$ grep -i grant spctab.sql
<snip>
grant select on STATS$SQLTEXT to PUBLIC;
grant select on STATS$SQL_STATISTICS to PUBLIC;
grant select on STATS$LEVEL_DESCRIPTION to PUBLIC;
grant select on STATS$IDLE_EVENT to PUBLIC;
grant select on STATS$PARAMETER to PUBLIC;
grant select on STATS$STATSPACK_PARAMETER to PUBLIC;


Notice the grants on stats$sqltext and stats$sql_summary. Should anyone who logs into the database be able to see nearly all SQL run against it? Oracle appears to truncate alter user statements so that one cannot find 'alter user blatz identified by password;' but one may stumble on 'update sal_table set sal = 100 where employee_id = 5;' or something to that effect.

Ian MacGregor

Stanford Linear Accelerator Center

ian_at_SLAC.Stanford.edu

--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Ron Rogers
  INET: RROGERS_at_galottery.org

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

-- 
Author: Yechiel Adar
  INET: adar76_at_inter.net.il

Received on Thu Jul 25 2002 - 03:46:14 CDT
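The audit, the exposure Ian describes, and the revoke-to-role fix Rodd and Ron are circling, worked through as an added SQL*Plus script. This is an added example, not code from any message in the thread and not Oracle's own scripts. It assumes Statspack is installed in the default PERFSTAT schema, that STATS$SQLTEXT carries the 9i-era columns HASH_VALUE, PIECE and SQL_TEXT (later releases change the column names), that STATSPACK_READER is a role name chosen here, and that SAL_TABLE is Ian's hypothetical table. Run it as a DBA.

```sql
-- Added example (not from the thread). Run as a DBA in SQL*Plus.
-- Assumptions: Statspack lives in the default PERFSTAT schema; STATS$SQLTEXT
-- has the 9i-era columns HASH_VALUE, PIECE, SQL_TEXT; STATSPACK_READER is a
-- hypothetical role name; SAL_TABLE is Ian's hypothetical table.

-- 1. Audit: which Statspack objects can every account in the database read?
--    Same question as the grep on spctab.sql, asked of the live dictionary
--    instead of the install script.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'PERFSTAT'
 ORDER BY table_name;

-- 2. Demonstrate the exposure: with the default grants any account, however
--    unprivileged, can pull captured statement text, literals included.
SELECT hash_value, piece, sql_text
  FROM perfstat.stats$sqltext
 WHERE UPPER(sql_text) LIKE '%SAL_TABLE%'
 ORDER BY hash_value, piece;

-- 3. Harden: move the SELECT grants from PUBLIC to a role held only by the
--    accounts that run the Statspack reports. Generate the REVOKE/GRANT
--    statements from the dictionary so nothing in the <snip> is missed.
CREATE ROLE statspack_reader;

SET HEADING OFF FEEDBACK OFF PAGESIZE 0 LINESIZE 200
SPOOL fix_statspack_grants.sql
SELECT 'REVOKE ' || privilege || ' ON ' || owner || '.' || table_name
       || ' FROM PUBLIC;'
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'PERFSTAT'
UNION ALL
SELECT 'GRANT ' || privilege || ' ON ' || owner || '.' || table_name
       || ' TO statspack_reader;'
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'PERFSTAT';
SPOOL OFF
SET HEADING ON FEEDBACK ON PAGESIZE 24

@fix_statspack_grants.sql
GRANT statspack_reader TO dba;   -- or to the named accounts that run spreport.sql

-- 4. Re-run the audit; it must now report zero.
SELECT COUNT(*) AS public_grants_left
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'PERFSTAT';

-- 5. The bind-variable point: the literal form is captured with its values,
--    the bound form records only the placeholders.
UPDATE sal_table SET sal = 100 WHERE employee_id = 5;            -- literals captured

VARIABLE new_sal NUMBER
VARIABLE emp_id  NUMBER
EXEC :new_sal := 100; :emp_id := 5;
UPDATE sal_table SET sal = :new_sal WHERE employee_id = :emp_id;  -- only :new_sal, :emp_id captured
```

Two caveats before running this on a production instance. PERFSTAT itself is unaffected, since it owns the tables, so the snapshot and purge jobs keep working; but any account other than PERFSTAT that reads STATS$ tables (someone running the report scripts from their own login, or home-grown reports) needs STATSPACK_READER, which is the practical answer to Ron's "what can be safely revoked": everything granted to PUBLIC, provided those users get the role. And the bind-variable step only protects statements written with binds; it does nothing for the ad hoc literals already sitting in STATS$SQLTEXT, which the revoke is what covers.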
