On 12/21/2015 07:20 PM, Jeff Chirco wrote:
I have some developers that want to give the CREATE ANY DIRECTORY privilege to a schema (a locked schema in production). The reason is because they would like to use the same directory name but change its location based on the OS user that is logged in. So a file will get read or created in that user's home directory.

Why would an application schema need to procreate directories? Am I reading this correctly? End-users have access to the database server? Usually, the only interaction of the end users with the database server happens if the DBA shows the picture of the server.

To me this seems like a security issue because then in Test/Dev a programmer could change the code to point at any directory they wanted to read potentially sensitive data.
Has anybody dealt with something like this? Is there a way to restrict them (by user) to only creating a directory within a certain folder structure?
Jeff