Pau Lo

Oracle privileges

Aside from the DBA role privs set in DBA_ROLE_PRIVS, are there any other default privileges that are "high risk" if granted to the wrong person? If so, can you provide some other dangerous privileges that we should check for and the types of permissions they would allow the users to do in your database? I guess DBA role is the highest privilege, as SYS and SYSTEM get it?
ASKER CERTIFIED SOLUTION
johnsone
Pau Lo

ASKER

Thanks - I did have some docs on the packages, I could never really understand why DBMS_RANDOM was a security issue though - can you shed any light? I know some of the others listed allow for access outside the DB and on the OS/file system etc., and I guess some like DBMS_SQL may allow for elevation of privileges etc., i.e. a basic user running queries under the context of a DBA.
Never bothered to look it up.  I just follow orders...  ;)

Even if I had Larry Ellison himself tell our security folks that dbms_random is "safe", I would still have to revoke it.

Looks like someone wrote a book on the subject.  From the explanation there, it sounds believable.

https://books.google.com/books?id=KPohQPM8CEYC&pg=PA132&lpg=PA132&dq=security+hole+dbms_random&source=bl&ots=wOGr75Jatk&sig=xrA5hOZsRtqLR-WDukp3yw-Sd-Q&hl=en&sa=X&ei=bNVZVfKcJYKCyQSgh4GACQ&ved=0CB4Q6AEwAA#v=onepage&q=security%20hole%20dbms_random&f=false

Is it "true"?  It has to be, I found it on the Internet...
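
An audit sketch for the two checks raised in this thread, added here as an example and not part of any participant's post: who holds the DBA role (including through nested roles, which a plain filter on DBA_ROLE_PRIVS misses), and who can execute the two packages named above. It assumes a session with SELECT access to the DBA_* dictionary views; the package list is limited to the names mentioned in the thread.

```sql
-- Added example, not from the thread. Assumes SELECT access to DBA_* views.

-- 1. Users and roles that hold the DBA role, directly or via nested roles.
--    Filtering DBA_ROLE_PRIVS on GRANTED_ROLE = 'DBA' alone only shows
--    direct grants; the hierarchical walk follows role-to-role grants too.
SELECT r.grantee,
       CASE WHEN u.username IS NOT NULL THEN 'USER' ELSE 'ROLE' END AS grantee_type,
       r.depth,
       r.grant_path
FROM  (SELECT grantee,
              LEVEL AS depth,
              SYS_CONNECT_BY_PATH(granted_role, ' <- ') AS grant_path
       FROM   dba_role_privs
       START  WITH granted_role = 'DBA'
       CONNECT BY PRIOR grantee = granted_role) r
LEFT JOIN dba_users u
       ON u.username = r.grantee
ORDER BY r.depth, r.grantee;

-- 2. Who can execute the packages discussed above. A row with
--    GRANTEE = 'PUBLIC' means every account in the database can call it.
SELECT grantee,
       owner,
       table_name AS package_name,
       privilege,
       grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('DBMS_RANDOM', 'DBMS_SQL')
AND    privilege = 'EXECUTE'
ORDER  BY table_name, grantee;
```

Before revoking an EXECUTE grant from PUBLIC, check DBA_DEPENDENCIES for objects that reference the package, since they can become invalid once the grant is gone.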