RE: Default user permissions

  • From: "Goulet, Richard" <Richard.Goulet@xxxxxxxxxxx>
  • To: "dongranaman@xxxxxxxxxxxxxxx" <dongranaman@xxxxxxxxxxxxxxx>, Paul Drake <bdbafh@xxxxxxxxx>
  • Date: Tue, 8 Nov 2011 22:24:57 +0000

The resource role seems to be hardcoded with unlimited tablespace somewhere in 
the kernel.  Try dropping resource role and recreating it without the unlimited 
tablespace system privilege.  No dice.

Richard Goulet
Senior Oracle DBA/Na Team Leader


-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Don Granaman
Sent: Tuesday, November 08, 2011 1:14 PM
To: Paul Drake
Cc: Leo.Drobnis@xxxxxxxxxxxxxxx; ORACLE-L
Subject: RE: Default user permissions

I was not (yet) aware of that one.
Sometimes I swear that half of the people at Oracle Corp have absolutely no 
idea what anyone else is doing - or why.   Another security-related example is 
that in Oracle 10.2.0.3 (at least), AUDIT_TRAIL=XML did not write LOGOFF_TIME 
(or the logoff action and time),  LOGOFF_LREAD, LOGOFF_PREAD, LOGOFF_LWRITE, 
LOGOFF_DLOCK or SESSION_CPU when the session exited.  When I noticed this, I 
filed a TAR/SR.  The first response was "So what?  This isn't security 
related."  After I pointed out that knowing when a session was connected and 
when it was not connected is definitely security-related, they grudgingly 
created a bug report (5081050) and a patch - to capture the session logoff time 
only.  As of 11.2.0.3 at least, you still cannot get the rest in XML, although 
they are all still available for AUDIT_TRAIL=OS or DB.

PS: Resource is far worse and has caused a lot of consternation/confusion over 
the years.  Create a user, grant resource to it, then "alter user ... quota 0 
on SYSTEM", then have them create a table in the SYSTEM tablespace.  (No 
problem.)  I wonder when someone who has no idea about this one will 
incorporate the resource role in some new feature...

Don Granaman | Phone: 402-361-3073 | Cell: 402-960-6955 | Fax: 402-361-3173 | 
Solutionary | Relevant . Intelligent . Security

From: Paul Drake [mailto:bdbafh@xxxxxxxxx]
Sent: Tuesday, November 08, 2011 11:30 AM
To: Don Granaman
Cc: Leo.Drobnis@xxxxxxxxxxxxxxx; ORACLE-L
Subject: Re: Default user permissions

Don,

... and what privilege was introduced with 11g in order to support access 
control lists for packages such as utl_tcp, utl_smtp?

"its baaaack".

connect.

Brilliant.

Paul
On Tue, Nov 8, 2011 at 12:21 PM, Don Granaman <DonGranaman@xxxxxxxxxxxxxxx> wrote:
It has been the advice of Oracle Corp and the security community for many years 
to NOT use the connect and resource roles.  In older versions of Oracle prior 
to 10g, the CONNECT role granted a LOT more than "create session".  If you want 
to grant "create session", do so - and avoid using these roles altogether.

RESOURCE is worse.  Even in 10g, it grants unlimited tablespace.


Don Granaman | Phone: 402-361-3073 | Cell: 402-960-6955 | Fax: 402-361-3173 | 
Solutionary | Relevant . Intelligent . Security


-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Leo Drobnis
Sent: Tuesday, November 08, 2011 9:44 AM
To: ORACLE-L
Subject: Default user permissions

I am a bit puzzled, maybe I am getting rusty.

I need to create a user with bare minimum permissions:

CREATE USER bb_stage
IDENTIFIED BY "password"
DEFAULT TABLESPACE users
TEMPORARY TABLESPACE TEMP;

GRANT CONNECT TO bb_stage;

ALTER USER bb_stage QUOTA UNLIMITED ON "USERS";

Connect role only has create session.

Public has no privileges.

However the newly created user can create and drop tables.

I am trying to find where it's coming from.

Any idea???


--
//www.freelists.org/webpage/oracle-l
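A way to answer "where is it coming from", added here as an example and not part of any message in this thread: it walks every role the user holds (directly, through nested roles, or via PUBLIC), lists the system privileges those grants add up to, shows the tablespace quotas that UNLIMITED TABLESPACE would override, and ends with the least-privilege grant the thread recommends instead of CONNECT. It assumes a DBA account with SELECT on the DBA_* views and uses the question's BB_STAGE user name as a placeholder.

```sql
-- Added example, not from the thread. Run as a DBA; BB_STAGE is a placeholder.
-- Step 1: every role the user or PUBLIC holds, following role-to-role grants
-- (CONNECT BY with NOCYCLE so it also runs on the 10g releases discussed above).
WITH roles_held AS (
  SELECT DISTINCT granted_role
    FROM dba_role_privs
   START WITH grantee IN ('BB_STAGE', 'PUBLIC')
   CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
-- Step 2: system privileges reaching the user directly, via PUBLIC, or via any held role.
-- CREATE TABLE or UNLIMITED TABLESPACE showing up here explains the behaviour in the question.
SELECT sp.grantee AS granted_to, sp.privilege, sp.admin_option
  FROM dba_sys_privs sp
 WHERE sp.grantee IN ('BB_STAGE', 'PUBLIC')
    OR sp.grantee IN (SELECT granted_role FROM roles_held)
 ORDER BY sp.privilege, sp.grantee;

-- Step 3: per-tablespace quotas. These only limit the user when UNLIMITED TABLESPACE
-- is absent from the Step 2 output (the RESOURCE role carries it, as Don describes).
SELECT tablespace_name,
       CASE max_bytes WHEN -1 THEN 'UNLIMITED' ELSE TO_CHAR(max_bytes) END AS quota
  FROM dba_ts_quotas
 WHERE username = 'BB_STAGE'
 ORDER BY tablespace_name;

-- Step 4: the thread's advice in practice: grant the one privilege needed instead of the role.
REVOKE CONNECT FROM bb_stage;
GRANT CREATE SESSION TO bb_stage;
```

Re-run Steps 1 and 2 after the final grant to confirm that CREATE SESSION is the only system privilege left for the user.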
