
Re: How do you grant connection permission to a user?

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Wed, 28 May 2003 11:22:03 +0100
Message-ID: <wKwkRHBL3I1+EwPB@peterfinnigan.demon.co.uk>


In article <s6t4dv4s923c0tl97q3rqfa4fbq53d03qh_at_4ax.com>, Sybrand Bakker <gooiditweg_at_sybrandb.demon.nl> writes

>Could you please have the issue addressed in the installation scripts
>Oracle delivers, or make it clear to *all* third-party vendors one
>shouldn't do this? CONNECT, RESOURCE, DBA is *OMNIPRESENT* in
>virtually *ALL* third-party software!!! (I'm not joking!)

Hi

What about the ridiculousness of default users being granted ALL PRIVILEGES such as MDSYS, CTXSYS and WKSYS?

SQL> select count(*),grantee
  2 from dba_sys_privs
  3 group by grantee;

  COUNT(*) GRANTEE
---------- ------------------------------
         3 AQ_ADMINISTRATOR_ROLE
         1 AURORA$JIS$UTILITY$
         2 AURORA$ORB$UNAUTHENTICATED
         8 CONNECT
       115 CTXSYS
       114 DBA
         2 DBSNMP
         5 EXP_FULL_DATABASE
        10 HVST
        65 IMP_FULL_DATABASE
       115 MDSYS

For instance, the installation script in $ORACLE_HOME/md/admin/mdprivs.sql has a set of grants commented out and the line "grant all privileges to MDSYS with admin option" added. hmmmmmm..... is there really a reason a user needs every privilege with admin option? I think not.

I raised this as a security bug to Oracle about 9 months ago to have the installation scripts changed. I asked for an update 5 months ago and had no answer. Let's hope that they finally fix it.

kind regards

Pete

-- 
Pete Finnigan

Email : pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com

Pete is the founder of PeteFinnigan.com Limited, a UK-based company specialising
in Oracle security audits and services. Email info_at_petefinnigan.com for details
and availability.

Pete Finnigan is the author of the recently published book about Oracle
security from the SANS Institute "Oracle security Step-by-step (A survival
guide for Oracle security)" - see http://store.sans.org for details.

Some recently published articles include:

http://online.securityfocus.com/infocus/1689 - "Introduction to simple Oracle
auditing"

http://online.securityfocus.com/infocus/1644 - "SQL injection and Oracle - part 
one"

http://online.securityfocus.com/infocus/1646 - "SQL injection and Oracle - part 
two"
Received on Wed May 28 2003 - 05:22:03 CDT
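
Added example, not part of the original post: two audit queries that narrow the count(*)-per-grantee listing above to the cases the thread complains about. The 100-privilege threshold is an assumption chosen to match the 114/115 counts shown in the post.

```sql
-- Added example (not from the original post). Run as an account that can
-- read the DBA_* dictionary views.

-- 1. Users (not roles) holding an unusually large set of system privileges,
--    with how many of those they can pass on (ADMIN OPTION) and how many
--    are "ANY" privileges that reach into other schemas.
--    Joining to DBA_USERS drops roles such as DBA from the result and shows
--    whether the account is open or locked.
--    Threshold of 100 is an assumption; tune it for your Oracle version.
SELECT p.grantee,
       u.account_status,
       COUNT(*)                                                    AS sys_privs,
       SUM(CASE WHEN p.admin_option = 'YES' THEN 1 ELSE 0 END)     AS with_admin,
       SUM(CASE WHEN p.privilege LIKE '% ANY %' THEN 1 ELSE 0 END) AS any_privs
FROM   dba_sys_privs p
       JOIN dba_users u ON u.username = p.grantee
GROUP  BY p.grantee, u.account_status
HAVING COUNT(*) >= 100
ORDER  BY sys_privs DESC, p.grantee;

-- 2. Grantees that were given CONNECT, RESOURCE and DBA together, the
--    combination described in the quoted message as omnipresent in
--    third-party installation scripts.
SELECT grantee
FROM   dba_role_privs
WHERE  granted_role IN ('CONNECT', 'RESOURCE', 'DBA')
GROUP  BY grantee
HAVING COUNT(DISTINCT granted_role) = 3
ORDER  BY grantee;
```

A row from the first query whose with_admin equals sys_privs is consistent with a "grant all privileges ... with admin option" statement like the one in mdprivs.sql.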
