"Pete Finnigan" <pete_at_petefinnigan.com> wrote in message
news:wKwkRHBL3I1+EwPB_at_peterfinnigan.demon.co.uk...
> In article <s6t4dv4s923c0tl97q3rqfa4fbq53d03qh_at_4ax.com>, Sybrand Bakker
> <gooiditweg_at_sybrandb.demon.nl> writes
>
> >Could you please have the issue adressed in the installation scripts
> >Oracle delivers, or make it clear to *all* third-party vendors one
> >shouldn't do this? CONNECT, RESOURCE, DBA is *OMNIPRESENT* in
> >virtually *ALL* third-party software!!! (I'm not joking!)
>
> Hi
>
> What about the ridiculousness of default users being granted ALL
> PRIVILEGES such as MDSYS, CTXSYS and WKSYS.
>
> SQL> select count(*),grantee
> 2 from dba_sys_privs
> 3 group by grantee;
>
> COUNT(*) GRANTEE
> ---------- ------------------------------
> 3 AQ_ADMINISTRATOR_ROLE
> 1 AURORA$JIS$UTILITY$
> 2 AURORA$ORB$UNAUTHENTICATED
> 8 CONNECT
> 115 CTXSYS
> 114 DBA
> 2 DBSNMP
> 5 EXP_FULL_DATABASE
> 10 HVST
> 65 IMP_FULL_DATABASE
> 115 MDSYS
>
> For instance the installation script in $ORACLE_HOME/md/admin/mdprivs.sq
> l has a set of grants commented out and the line "grant all privileges
> to MDSYS with admin option" added. hmmmmmm..... is there really a reason
> a user needs every privilege with admin option, I think not.
>
> I raised this as a security bug to Oracle about 9 months ago to have the
> installation scripts changed, i asked for an update 5 months ago and had
> no answer. Lets hope that they finally fix it.
>
> kind regards
>
> Pete
>
Fair enough, and I agree, but these are only defaults.
Any Oracle DBA worth half his/her salary is not going to go with the
defaults.
Regards,
Paul
Received on Thu May 29 2003 - 15:22:16 CDT
