Date: Fri, 09 Sep 2005 17:58:43 +0200
From: Umberto <umberto.quaia@tin.it>
Newsgroups: comp.databases.oracle.server
Subject: Re: Oracle Security Issue
References: <YWhUe.333$Ma.43@fe07.lga>
In-Reply-To: <YWhUe.333$Ma.43@fe07.lga>
Message-ID: <4321b136$0$91768$892e7fe2@authen.white.readfreenews.net>

miloann2002 wrote:
> I have the following questions in the Oracle 8 and 9 platforms:
> 
> 1.     Do the roles need to set a password?  If no password, any negative
> impact?

No. Just don't grant the roles to the wrong users... ;-)

> 2.     Can user data / objects be put in the system tablespace? 

No, if the database administrator is wise enough not to 
give/leave quotas on SYSTEM. Of course, the database 
administrator can, but it's not advisable; even SYSTEM's 
objects should not be put on SYSTEM (TOOLS is set up by 
the standard installation).

> Can this cause denial of service?

Yes, if the SYSTEM tablespace fills up it can have weird 
consequences...

> 3.     Is it critical to set password life, password reuse, and other
> password settings?  If we have robust operating system and application
> security, do we still need to configure the password settings in Oracle?

In many countries, laws require passwords to be changed 
periodically, so, depending on the environment, it may be required.
Moreover, it automatically locks out unneeded/unused accounts.

Remember that overall security is that of the weakest 
link, so if SYSTEM's or a critical user's password is weak, 
someone could log in and sabotage the database without 
involving OS or application security.

> 
> Thanks.
> 
> 

Umberto
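
The three points discussed above can be checked from the data dictionary. The following is an added example, not part of the original post: the account `app_owner`, the profile `app_users`, the tablespace `users` and all limit values are hypothetical placeholders, and the queries assume a session with access to the `DBA_` views.

```sql
-- 1. Roles and whether each one is password-protected.
SELECT role, password_required
FROM   dba_roles
ORDER  BY role;

-- 2a. Explicit quotas on SYSTEM (MAX_BYTES = -1 means unlimited).
SELECT username, bytes, max_bytes
FROM   dba_ts_quotas
WHERE  tablespace_name = 'SYSTEM';

-- 2b. Accounts that bypass quotas entirely through a system privilege.
SELECT grantee
FROM   dba_sys_privs
WHERE  privilege = 'UNLIMITED TABLESPACE';

-- 2c. Accounts whose default or temporary tablespace is SYSTEM.
SELECT username, default_tablespace, temporary_tablespace
FROM   dba_users
WHERE  username <> 'SYS'
AND    (default_tablespace = 'SYSTEM' OR temporary_tablespace = 'SYSTEM');

-- 2d. Space already used in SYSTEM by owners other than SYS.
SELECT owner, segment_type, COUNT(*) AS segments,
       ROUND(SUM(bytes) / 1024 / 1024, 1) AS mb
FROM   dba_segments
WHERE  tablespace_name = 'SYSTEM'
AND    owner <> 'SYS'
GROUP  BY owner, segment_type
ORDER  BY mb DESC;

-- 2e. Remediation for one account (hypothetical names).
ALTER USER app_owner DEFAULT TABLESPACE users;
ALTER USER app_owner QUOTA 0 ON system;

-- 3a. Password limits currently defined in each profile.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
ORDER  BY profile, resource_name;

-- 3b. A profile with password aging, reuse and lockout limits
--     (illustrative values, in days except FAILED_LOGIN_ATTEMPTS).
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1
  PASSWORD_LIFE_TIME    90
  PASSWORD_GRACE_TIME   7
  PASSWORD_REUSE_TIME   365
  PASSWORD_REUSE_MAX    UNLIMITED;
ALTER USER app_owner PROFILE app_users;
```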
