Re: grant create any directory to schema

  • From: Jeff Chirco <backseatdba@xxxxxxxxx>
  • To: emjay.mody@xxxxxxxxx
  • Date: Tue, 22 Dec 2015 07:21:54 -0800

The users don't directly log onto the database; the application is logging
in on their behalf. The developers want to write some PL/SQL procedure to
output data to a file for the user based on the session client OS user.
This is a homegrown ERP application running on Unix so we can see the
session OS user. They wanted to recreate the directory with the path
changing to whoever is logged in. It is a simple application. However, we
decided that we will just create a directory for every user that would be
using this part of the application so I don't have to give the schema the
create any directory privilege.



On Tue, Dec 22, 2015 at 12:08 AM, MJ Mody <emjay.mody@xxxxxxxxx> wrote:

My $0.02, and to echo earlier sentiments, the average auditor does what is
called a ‘check the box’ audit. If anyone is curious, the next generation
of IT auditors require practitioners to wear the audit hat (no white, grey,
red or black hat - audit hat - full-stop).

A tangent to the initial question and something I’ve been privy to in DBA
travels (don’t bother asking - in the land of the blind, the one-eyed human
is king) is if directories are used, it is an assumption external tables may
be used. If so, Oracle ‘canned’ stats does not play nicely with an
external table not having a dependent file. What we have learned is to have
a stub file (empty text file with the filename) or disable the ‘canned’
stats and actually own the stats collection tasks/operations.

MJ


On Dec 22, 2015, at 1:46 AM, Mladen Gogala <gogala.mladen@xxxxxxxxx>
wrote:

On 12/21/2015 08:54 PM, Andrew Kerber wrote:
Yes it will be. Unfortunately your average auditor doesn't have the
skill set to understand whether or not it really is a security problem.

The auditors don't have skills to figure out real security problems,
here we do fully agree, but they do have checklists, which make them a pain
in the neck or lower and supplant their technical skills. My favorite
recommendation by the auditors is not to use user SYS for backup but to
create another user for that. Of course, before the advent of fairly badly
messed up SYSBACKUP role in 12c, that meant creating another SYSDBA user.
And having two different SYSDBA users, with two different passwords, is
somehow more secure than having just one?

--
Mladen Gogala
Oracle DBA
http://mgogala.freehostia.com

--
//www.freelists.org/webpage/oracle-l
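
As an added example (not part of the original thread), the approach described in the top message, one pre-created directory object per user instead of granting CREATE ANY DIRECTORY to the schema, could look like this in Oracle SQL and PL/SQL. The schema name ERP_APP, the OS user names, paths, table name, file name and procedure name are all assumptions made for illustration, and ERP_APP is assumed to have EXECUTE on UTL_FILE.

```sql
-- Run as a DBA: one directory object per application user.
-- Names and paths are constructed for this example.
CREATE OR REPLACE DIRECTORY erp_out_jsmith AS '/u01/erp/out/jsmith';
CREATE OR REPLACE DIRECTORY erp_out_mdoe   AS '/u01/erp/out/mdoe';

-- The schema gets object-level access only, not CREATE ANY DIRECTORY.
GRANT READ, WRITE ON DIRECTORY erp_out_jsmith TO erp_app;
GRANT READ, WRITE ON DIRECTORY erp_out_mdoe   TO erp_app;

-- Run as ERP_APP: allow-list mapping OS user -> directory object.
-- Directory names are stored in upper case because UTL_FILE.FOPEN
-- treats the directory name as case sensitive.
CREATE TABLE erp_user_dir (
  os_user  VARCHAR2(30) PRIMARY KEY,
  dir_name VARCHAR2(30) NOT NULL
);
INSERT INTO erp_user_dir VALUES ('jsmith', 'ERP_OUT_JSMITH');
INSERT INTO erp_user_dir VALUES ('mdoe',   'ERP_OUT_MDOE');
COMMIT;

CREATE OR REPLACE PROCEDURE write_user_report (p_text IN VARCHAR2) AS
  -- OS_USER is reported by the client process, so it is only used as a
  -- lookup key into the allow-list, never to build a path.
  l_os_user VARCHAR2(256) := SYS_CONTEXT('USERENV', 'OS_USER');
  l_dir     erp_user_dir.dir_name%TYPE;
  l_file    UTL_FILE.FILE_TYPE;
BEGIN
  BEGIN
    SELECT dir_name INTO l_dir
      FROM erp_user_dir
     WHERE os_user = l_os_user;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RAISE_APPLICATION_ERROR(-20001,
        'No output directory provisioned for this OS user');
  END;

  l_file := UTL_FILE.FOPEN(l_dir, 'report.txt', 'w');
  UTL_FILE.PUT_LINE(l_file, p_text);
  UTL_FILE.FCLOSE(l_file);
EXCEPTION
  WHEN OTHERS THEN
    -- Do not leak an open file handle if the write fails.
    IF UTL_FILE.IS_OPEN(l_file) THEN
      UTL_FILE.FCLOSE(l_file);
    END IF;
    RAISE;
END write_user_report;
/
```

Onboarding a new user then means a DBA creates one directory object, grants READ and WRITE on it, and adds one row to the mapping table.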


