Oracle permission

HI,

we try to run Mcafee DB scanner to scan for Oracle DB security related issue.

and the permission for the account connect to the Oracle DB is control by this script:

-- necessary to be able to connect to the database
grant create session to &vausername;

-- necessary for DML triggers delay time
grant execute on dbms_lock to &vausername;

-- the following grants is needed for checks:
-- ORACONF353, ORACONF347
create or replace view sys.x_$ksppi as select * from sys.x$ksppi;
create or replace view sys.x_$ksppcv as select * from sys.x$ksppcv;

grant select on sys.x_$ksppi to &vausername;
grant select on sys.x_$ksppcv to &vausername;

-- grant the privileges to be able to read database link passwords
-- and old database passwords stored in user_history$ (optional)
grant select on sys.link$ to &vausername;
grant select on sys.user_history$ to &vausername;
-- required for several CIS benchmark checks
grant execute on sys.dbms_crypto to &vausername;

Open in new window


do you think the above permission allow writing anything to the Oracle DB?
LVL 1
marrowyungSenior Technical architecture (Data)Asked:
Who is Participating?
 
QlemoConnect With a Mentor Batchelor, Developer and EE Topic AdvisorCommented:
Create Session allows login.
Execute allows executing stored procedures. When those stored procedures are performing any changes, it depends on the procedure. But the assigned ones are very limited, so no.
Select allows select. No changes allowed.

So what are you concerned about?
0
 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
I cannot see any write permissions defined here.
0
 
marrowyungSenior Technical architecture (Data)Author Commented:
not even update to any system table ?any reference link ?
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
Mark GeerlingsConnect With a Mentor Database AdministratorCommented:
I agree that those grants do not allow the user to do any inserts, updates or deletes (at least not directly).  The "execute" permission on the dbms_crypto and dbms_lock packages will allow the user to do whatever inserts, updates or deletes that the functions and procedures in those package may do (if any).  But the user will not be able to do any explicit inserts, updates or deletes.  The user also will not be able to create or change any database objects or permissions on objects.
0
 
slightwv (䄆 Netminder)Connect With a Mentor Commented:
>>do you think the above permission allow writing anything to the Oracle DB?

I see no problem unless there is something or hole in dbms_crypto or dbms_lock that could be exploited.
0
 
johnsoneConnect With a Mentor Senior Oracle DBACommented:
User would be allowed to make changes if privileges are granted to PUBLIC.  But, none of the privileges listed would seem to directly grant write access.
0
 
marrowyungSenior Technical architecture (Data)Author Commented:
ok, tks.
0
 
marrowyungSenior Technical architecture (Data)Author Commented:
tks all.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.