RE: Would you recommend such an application for production use?

  • From: "Joel Slowik" <jslowik@xxxxxxxxx>
  • To: <development@xxxxxxxxxxxxxxxxx>, "ORACLE-L" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 17 Feb 2010 16:27:29 -0500

" 
 - the owner of the application schema grants almost complete access on
 its schema to public. The rationale is that the application needs to
 allow a user logging into the database through the frontend access to
 its schema
"

We have had the same setup here. The work-around was to create a role
which most users are granted.



> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-
> bounce@xxxxxxxxxxxxx] On Behalf Of Martin Bach
> Sent: Wednesday, February 17, 2010 4:20 PM
> To: ORACLE-L
> Subject: Would you recommend such an application for production use?
> 
> Dear listers,
> 
> I tried to come up with a good name for this post but couldn't. So here
> goes the story:
> 
> I have been asked to review a product that management is _very_ keen to
> deploy in production. Unfortunately before this can happen it has to go
> through a change management process which implies that "troublemakers"
> like me can raise their concerns that need addressing. For a change I
> have access to the source code of the application which makes it even
> more interesting.
> 
> I discovered a number of things I don't like but was wondering what you
> thought about these; maybe I'm just pedantic? Among the most terrifying
> ones are:
> 
> - The installation script creates a user (default username = password)
> and grants select privileges on the dictionary to the new application
> user with grant option.
> 
> This is not too great but not too difficult to harden.
> 
> - the installation script furthermore creates objects in the sys schema,
> namely create view foo as select * from someX$view
> 
> This is disturbing for me
> 
> - the owner of the application schema grants almost complete access on
> its schema to public. The rationale is that the application needs to
> allow a user logging into the database through the frontend access to
> its schema
> 
> Now since the software is used for monitoring the health of a web
> application through the tiers, including Oracle, anyone with connect
> privileges could access these data...
> 
> Has anyone had a similar experience? What did you do?
> 
> Interested to hear comments!
> 
> Martin
> --
> //www.freelists.org/webpage/oracle-l
> 



--
//www.freelists.org/webpage/oracle-l
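The work-around Joel describes (a role instead of grants to PUBLIC), together with fixes for the other two findings in Martin's list, as an added worked example in Oracle SQL. This is not code from the thread or from the product under review; the schema name APPOWNER, the table MONITOR_T, the login APP_USER, the role APP_USER_ROLE and the placeholder passwords are all assumptions for illustration. The PL/SQL loop is more general than the single grant in the thread: it moves every object privilege PUBLIC holds on the schema onto the role.

```sql
-- Added example, not from the original thread. Names are assumptions:
-- APPOWNER = application schema, APP_USER = one front-end login,
-- APP_USER_ROLE = role that replaces the grants to PUBLIC. Run as SYS / a DBA.

-- What the installer in the thread does (for contrast only, do not run):
--   CREATE USER appowner IDENTIFIED BY appowner;                   -- username = password
--   GRANT SELECT ON sys.v_$session TO appowner WITH GRANT OPTION;  -- dictionary, re-grantable
--   CREATE VIEW sys.foo AS SELECT * FROM someX$view;               -- object created in SYS
--   GRANT SELECT, INSERT, UPDATE, DELETE ON appowner.monitor_t TO PUBLIC;

-- 1. Default password: replace it (placeholder value, change before use).
ALTER USER appowner IDENTIFIED BY "Replace-Me-Before-Use-1";

-- 2. Dictionary access: Oracle cannot revoke only the GRANT OPTION, so revoke
--    and re-grant without it. The revoke cascades to anyone APPOWNER passed
--    the privilege on to.
REVOKE SELECT ON sys.v_$session FROM appowner;
GRANT  SELECT ON sys.v_$session TO appowner;

-- 3. Objects in SYS: create the wrapper view in the application schema instead.
--    It compiles because of the direct (non-role) grant in step 2.
CREATE OR REPLACE VIEW appowner.session_v AS
  SELECT sid, serial#, username, status FROM sys.v_$session;

-- 4. PUBLIC grants: move every object privilege PUBLIC holds on the schema
--    onto a role, then grant the role to the front-end accounts.
CREATE ROLE app_user_role;

BEGIN
  FOR r IN (SELECT table_name, privilege
              FROM dba_tab_privs
             WHERE owner = 'APPOWNER' AND grantee = 'PUBLIC') LOOP
    EXECUTE IMMEDIATE 'REVOKE ' || r.privilege ||
                      ' ON appowner."' || r.table_name || '" FROM PUBLIC';
    -- REFERENCES cannot be granted to a role; it needs a direct grant per user.
    IF r.privilege <> 'REFERENCES' THEN
      EXECUTE IMMEDIATE 'GRANT ' || r.privilege ||
                        ' ON appowner."' || r.table_name || '" TO app_user_role';
    END IF;
  END LOOP;
END;
/

-- One front-end login (placeholder password), given CREATE SESSION and the role only.
CREATE USER app_user IDENTIFIED BY "Replace-Me-Before-Use-2";
GRANT CREATE SESSION TO app_user;
GRANT app_user_role TO app_user;

-- 5. Verify. Both queries should return no rows once the above has run.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'APPOWNER' AND grantee = 'PUBLIC';

SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'APPOWNER' AND grantable = 'YES';

-- Heuristic check for objects the installer left in SYS: anything created in
-- SYS during the install window deserves a look (adjust the time window).
SELECT object_type, object_name, created
  FROM dba_objects
 WHERE owner = 'SYS' AND created > SYSDATE - 1
 ORDER BY created;
```

One caveat for the role approach: privileges received through a role are not in effect inside definer's-rights stored PL/SQL, so if the application's logic lives in packages owned by another schema that read APPOWNER's tables, that package owner needs direct grants, not the role. Users still get the role only because they were explicitly granted it, which is the point of the work-around: CREATE SESSION alone no longer reads the monitoring data.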