Call: +44 (0)7759 277220 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Russian Oracle Security Book"] [Next entry: "Pre-Announcement - Oracle Security Training in York in 2010"]

Creating users creatively

I saw a nice post on Alex Nuijten's blog yesterday titled "Create Users with DBMS_METADATA" via my Oracle blogs aggregator that talks about Alex's use of DBMS_METADATA to copy database users from one database to another by generating the DDL for user creations including all of the granted roles, system privileges and object privileges. This is an easy way to copy users and obviously beats the old ways of trying to derive this knowledge from the data dictionary yourself.

The reason I want to highlight this is really to emphasise the fact that there is more than one way to achive something in Oracle; This is important; its not just about creating users but about deducing the privileges and status of users in this case without directly selecting that detail from the dictionary. The simplistic view of security is to protect data (in this case meta-data) at source, a simplistic view would be to review the direct select privileges on SYS.USER$ or DBA_USERS and all the associated views and base tables such as DBA_SYS_PRIVS or DBA_ROLE_PRIVS or DBA_TAB_PRIVS but there are other ways to read data in this case by using DBMS_METADATA to get the same information. This post by Alex is useful is showing that there is more than one route to user details.

There has been 2 Comments posted on this article

November 13th, 2009 at 11:33 pm

joel garry says:

I'm still wondering if it is a great idea for OCM to spit out a world-readable list of all database users every day. sleepy

November 16th, 2009 at 02:38 pm

Pete says:

Hi Joel,

Thanks for your post; obviously its crazy, crazy - there is still some way to go with basics of securing data; a lot of focus is on hacking, bugs, CPU's, exploits etc which is fine but some of the focus needs to be on the basics; default installs, passwords, data leaks, configuration.... i.e. all the bits we as customers of Oracle are responsible for.