Re: grant create any directory to schema

  • From: Mladen Gogala <gogala.mladen@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Tue, 22 Dec 2015 02:40:05 -0500

On 12/21/2015 07:20 PM, Jeff Chirco wrote:

> I have some developers that want to give the CREATE ANY DIRECTORY privilege to a schema (a locked schema in production). The reason is because they would like to use the same directory name but change its location based on the OS user that is logged in. So a file will get read or created in that user's home directory.
> To me this seems like a security issue because then in Test/Dev a programmer could change the code to point at any directory they wanted to read potentially sensitive data.
> Has anybody dealt with something like this? Is there a way to restrict them (by user) to only creating a directory within a certain folder structure?
>
> Jeff

Why would an application schema need to procreate directories? Am I reading this correctly? End-users have access to the database server? Usually, the only interaction of the end users with the database server happens if the DBA shows the picture of the server.
Also, reading files from directories, hopefully not using UTL_FILE, is not the only way to access the file system. There are programming languages like Java, Python, Perl or PHP which are fairly good with that. My personal preferences are Perl and PHP, but there are also infidels using Java and other things. There is no reason whatsoever to have the end users on the DB server, period.

--
Mladen Gogala
Oracle DBA
http://mgogala.freehostia.com
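
On the question of restricting directory creation to one folder structure: the example below is added here and is not code from either poster. It sketches a definer's-rights wrapper that keeps CREATE ANY DIRECTORY away from the application schema. The names dir_admin, app_schema, the APP_ prefix and the root /u01/app_io/ are hypothetical.

```sql
-- Added example. Assumptions: dir_admin is a locked, DBA-controlled account that
-- holds CREATE ANY DIRECTORY by direct grant (roles are not active inside a
-- definer's-rights procedure); app_schema receives only EXECUTE on the wrapper.
CREATE OR REPLACE PROCEDURE dir_admin.set_app_directory (
    p_dir_name IN VARCHAR2,
    p_path     IN VARCHAR2
) AUTHID DEFINER
AS
    c_root CONSTANT VARCHAR2(64) := '/u01/app_io/';   -- assumed approved root
    v_name VARCHAR2(30) := UPPER(SUBSTR(p_dir_name, 1, 30));
BEGIN
    -- Only unquoted identifiers with a fixed prefix, so existing directory
    -- objects such as DATA_PUMP_DIR can never be replaced through this call.
    IF v_name IS NULL OR NOT REGEXP_LIKE(v_name, '^APP_[A-Z0-9_]+$')
       OR LENGTH(p_dir_name) > 30
    THEN
        RAISE_APPLICATION_ERROR(-20001, 'directory name must match APP_<name>');
    END IF;

    -- The path must start with the approved root, contain only a safe
    -- character set (no quotes, whitespace or newlines) and no ".." sequence.
    IF p_path IS NULL
       OR SUBSTR(p_path, 1, LENGTH(c_root)) <> c_root
       OR REGEXP_LIKE(p_path, '[^A-Za-z0-9_/.-]')
       OR INSTR(p_path, '..') > 0
    THEN
        RAISE_APPLICATION_ERROR(-20002, 'path is outside the approved root');
    END IF;

    -- Both values are validated above, so concatenation cannot inject SQL.
    EXECUTE IMMEDIATE 'CREATE OR REPLACE DIRECTORY ' || v_name ||
                      ' AS ''' || p_path || '''';
    EXECUTE IMMEDIATE 'GRANT READ, WRITE ON DIRECTORY ' || v_name ||
                      ' TO app_schema';
END set_app_directory;
/
GRANT EXECUTE ON dir_admin.set_app_directory TO app_schema;

-- Review query: who holds the system privilege, and where directories point.
SELECT grantee FROM dba_sys_privs WHERE privilege = 'CREATE ANY DIRECTORY';
SELECT directory_name, directory_path FROM dba_directories ORDER BY 1;
```

The path check is string-based only: the database cannot see symbolic links, so the folders under the approved root have to be created and owned by the DBA rather than by the OS users whose files land there.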
