Would you recommend such an application for production use?

  • From: Martin Bach <development@xxxxxxxxxxxxxxxxx>
  • To: ORACLE-L <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 17 Feb 2010 21:20:04 +0000

Dear listers,

I tried to come up with a good name for this post but couldn't. So here
goes the story:

I have been asked to review a product that management is _very_ keen to
deploy in production. Unfortunately before this can happen it has to go
through a change management process which implies that "troublemakers"
like me can raise their concerns that need addressing. For a change I
have access to the source code of the application which makes it even
more interesting.

I discovered a number of things I don't like but was wondering what you
thought about these; maybe I'm just pedantic? Among the most terrifying
ones are:

- The installation script creates a user (default username = password)
and grants select privileges on the dictionary to the new application
user with grant option.

This is not too great but not too difficult to harden.

- the installation script furthermore creates objects in the sys schema,
namely create view foo as select * from someX$view

This is disturbing for me.

- the owner of the application schema grants almost complete access on
its schema to public. The rationale is that the application needs to
allow a user logging into the database through the frontend access to
its schema

Now since the software is used for monitoring the health of a web
application through the tiers, including Oracle, anyone with connect
privileges could access these data...

Did anyone have a similar experience? What did you do?

Interested to hear comments!

Martin
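The four findings in the post can all be confirmed from the data dictionary before the change is approved. The following SQL*Plus audit script is an added example, not part of the original post or of the product under review; it assumes Oracle 11g or later (for DBA_USERS_WITH_DEFPWD) and uses APP_OWNER as a placeholder for the application schema name.

```sql
-- Added audit script (not from the post). Run as a DBA; APP_OWNER is an
-- assumed placeholder for the application schema installed by the product.
DEFINE app_owner = APP_OWNER

-- 1. Open accounts still on a well-known default password. Note this view
--    only covers Oracle's list of known defaults; an application-specific
--    "username = password" default must also be checked by hand.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN';

-- 2. Dictionary access handed out so that it can be passed on:
--    object grants on SYS objects WITH GRANT OPTION, plus SELECT ANY
--    DICTIONARY / SELECT_CATALOG_ROLE WITH ADMIN OPTION.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND grantable = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee, table_name;

SELECT grantee, privilege AS granted
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY DICTIONARY' AND admin_option = 'YES'
UNION ALL
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role = 'SELECT_CATALOG_ROLE' AND admin_option = 'YES';

-- 3. Foreign views created in the SYS schema. Heuristic: SYS views newer
--    than the database itself. Upgrades and patches also recreate SYS
--    objects, so the list needs a manual review rather than blind trust.
SELECT object_name, created
  FROM dba_objects
 WHERE owner = 'SYS' AND object_type = 'VIEW'
   AND created > (SELECT created FROM v$database)
 ORDER BY created DESC;

-- 4. Everything in the application schema that has been opened to PUBLIC,
--    i.e. to every account that can connect.
SELECT table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND owner = '&app_owner'
 ORDER BY table_name, privilege;
```

Each non-empty result set is one of the concerns raised above, in the same order, so the script doubles as evidence for the change management ticket.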