RE: Password for sys, system account - Uncooperative client

  • From: "Powell, Mark D" <mark.powell@xxxxxxx>
  • To: <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 9 Jun 2005 11:44:58 -0400

If you have read on dba_users then you potentially have access to a
means of connecting as any user.  The technique involves understanding
how Oracle creates users via import.  This is a security hole opened up
by select any table or select catalog privilege.

HTH -- Mark D Powell --
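
As an added illustration (not posted by anyone in this thread), the mechanism Mark alludes to is the IDENTIFIED BY VALUES clause that Oracle's export/import uses to re-create a user with its existing password hash rather than a plaintext password. On the releases current when this was written (9i/10g) the hash of every account is visible in DBA_USERS.PASSWORD to a holder of SELECT_CATALOG_ROLE, and in SYS.USER$ to a holder of SELECT ANY DICTIONARY, which also answers John's question: the privilege does not reach application data, but it does reach credentials. The round trip below assumes the grantee also holds ALTER USER; the remaining queries are the checks a DBA would run before handing out such an account. User names, the hash value and the role name are constructed placeholders; the dictionary views, parameter and clauses are real.

```sql
-- Added example, not code from this thread.  APPOWNER, TUNING_CONSULTANT and
-- the hash 'A1B2C3D4E5F60718' are constructed placeholders.

-- 1. What a holder of SELECT_CATALOG_ROLE can read on 9i/10g: every account's
--    password hash.  (11g removes the hash from DBA_USERS but SYS.USER$ stays
--    readable with SELECT ANY DICTIONARY; 12c excludes USER$ from that
--    privilege.)
SELECT username, password
  FROM dba_users
 WHERE username = 'APPOWNER';
--    constructed result:  APPOWNER  A1B2C3D4E5F60718

-- 2. The import trick: exp writes CREATE USER ... IDENTIFIED BY VALUES '<hash>'
--    so that imp can re-create the account without knowing its password.  The
--    same clause is accepted by ALTER USER, so someone who can read the hash
--    and also holds ALTER USER can take over the account and leave it exactly
--    as it was:
ALTER USER appowner IDENTIFIED BY Temp0rary1;          -- set a known password
--    ... connect as APPOWNER ...
ALTER USER appowner IDENTIFIED BY VALUES 'A1B2C3D4E5F60718';  -- restore hash

-- 3. Before granting a "read-only" dictionary account, list who already holds
--    the privileges that expose hashes and who holds ALTER USER.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE', 'ALTER USER')
 ORDER BY grantee, privilege;

SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role = 'SELECT_CATALOG_ROLE'
 ORDER BY grantee;

-- 4. Whether SELECT ANY TABLE reaches SYS-owned tables at all depends on this
--    parameter; FALSE (the default since 9i) keeps the ANY privileges out of
--    the SYS schema.
SELECT name, value
  FROM v$parameter
 WHERE name = 'o7_dictionary_accessibility';

-- 5. Least-privilege alternative for a tuning or monitoring account: grant the
--    specific views needed instead of an ANY privilege.  Grants go against the
--    underlying V_$ views, not the V$ public synonyms.
GRANT SELECT ON v_$session TO tuning_consultant;
GRANT SELECT ON v_$sql     TO tuning_consultant;
GRANT SELECT ON dba_tables TO tuning_consultant;
```

Run the section 3 and 4 queries as a DBA; if the consultant account would end up holding both a hash-exposing privilege and ALTER USER, the "view-only" label is misleading and the section 5 grants are the safer answer.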

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of John P Weatherman
Sent: Thursday, June 09, 2005 11:36 AM
To: Reidy,Ron; oracle-l@xxxxxxxxxxxxx
Subject: RE: Password for sys, system account - Uncooperative client

Ron,

I read the article and see where it says not to grant it, but I do not
see anything about it "subverting" anything.  Rather it seems to be a
concern that this may be more privilege than is needed and so violates
the "least privilege principle".   I wouldn't want to generally grant
this or any "ANY" privilege, but I still do not see a specific risk to
granting admins/consultant admins this level of view privilege.  Are you
able to use this to 1) see actual company data and not just the
dictionary views or 2) update anything?  If not, what is the specific
concern?  What am I missing?

Thanks!

-----Original Message-----
From: "Reidy, Ron" <Ron.Reidy@xxxxxxxxxxxxxxxxxx>
Sent: Jun 9, 2005 10:59 AM
To: asahoshi@xxxxxxxxxxxxxx, oracle-l@xxxxxxxxxxxxx
Subject: RE: Password for sys, system account - Uncooperative client

Because it subverts a security setting.  See
http://www.petefinnigan.com/weblog/archives/00000009.htm

-----------------
Ron Reidy
Lead DBA
Array BioPharma, Inc.


-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of John P Weatherman
Sent: Thursday, June 09, 2005 8:54 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: Password for sys, system account - Uncooperative client


While I totally agree that sys and system don't need to be given to
anyone other than the primary DBA and then sealed in an envelope hidden
away in a safe, I am not so clear on why granting select any dictionary
is as big a concern.  As far as I know, this only allows view access to
the data dictionary, which pretty much anyone doing any tuning or
monitoring probably needs.  Even OEM assumes a non-sys/non-system
account with this level of privilege which is used for monitoring.  Is
there a specific reason not to let people have select any dictionary?

Just curious.

-----Original Message-----
From: "Goulet, Dick" <DGoulet@xxxxxxxx>
Sent: Jun 9, 2005 10:35 AM
To: ranko.mosic@xxxxxxxxx, oracle-l@xxxxxxxxxxxxx
Subject: RE: Password for sys, system account - Uncooperative client

Assuming that you made the request of the client using the same tone as
here, I'm not surprised.  Why do you need an account with such
privileges?  In general NO one outside of the DBA group here has access
to SYS or SYSTEM, including internal folks.

Dick Goulet
Senior Oracle DBA
Vicor Corporation
Andover, MA USA

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Ranko Mosic
Sent: Thursday, June 09, 2005 10:27 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Password for sys, system account - Uncooperative client

Hi all,
I need a password for an account with select dictionary privileges - the client
is not too cooperative.

Regards, Ranko.
--
//www.freelists.org/webpage/oracle-l


-------------------------------------------------------
He has showed you, O man, what is good.  And what does the LORD require
of you?  To do justice and to love mercy and to walk humbly with your
God.
Micah 6:8
