Revoke object privileges from PUBLIC

Chewy, Apr 14 2012 (edited Apr 14 2012)

Hi Guys,

Database: 10.2.0.5

Recently we had an audit carried out on one of our production DBs.
We are advised by the auditor to:

1. Revoke execute from public for the below packages/functions:
UTL_SMTP
UTL_TCP
UTL_HTTP
UTL_FILE
DBMS_RANDOM

2. Revoke table access privileges (select, update, delete) from public:
The owners of the tables where privileges are granted to public are basically the below, which I believe are granted by default during creation of the db:

CTXSYS
DMSYS
EXFSYS
MDSYS
OLAPSYS
ORDPLUGINS
ORDSYS
SYS
SYSTEM
WMSYS
XDB


I understand the risk of granting to public: it means every database ID in the database can use the access granted to public.
Since it's granted by default by Oracle, should we actually remove it? I'm afraid that if I remove it, it will cause some complications.
Since it's identified as a security finding, why doesn't Oracle grant only to users that require it instead of public as default?
Kindly advise.

Thanks!
This post has been answered by Mark D Powell on Apr 14 2012
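
The concern about complications can be checked before anything is revoked. The following read-only queries are an added example, not part of the original post or its answer: they use the standard `DBA_TAB_PRIVS`, `DBA_DEPENDENCIES` and `DBA_OBJECTS` dictionary views to show which schemas reference the five packages from the audit finding and reach them only through the PUBLIC grant. The `<schema>` placeholder in the commented statements is hypothetical.

```sql
-- Pre-revoke checks for the five packages named in the audit finding.
-- Run as a user that can read the DBA_* dictionary views. Nothing here
-- changes the database; the GRANT/REVOKE lines at the end are comments.

-- 1. Which of the packages currently carry EXECUTE granted to PUBLIC?
SELECT owner, table_name, privilege, grantor
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    privilege  = 'EXECUTE'
AND    table_name IN ('UTL_SMTP','UTL_TCP','UTL_HTTP','UTL_FILE','DBMS_RANDOM')
ORDER  BY table_name;

-- 2. Which stored objects reference those packages, and does the owning
--    schema hold its own EXECUTE grant? Stored (definer's rights) PL/SQL
--    does not use privileges received through roles, so a schema marked
--    PUBLIC ONLY is a candidate for an explicit grant before the revoke.
SELECT DISTINCT d.owner, d.name, d.type, d.referenced_name,
       CASE WHEN EXISTS (SELECT 1
                         FROM   dba_tab_privs p
                         WHERE  p.grantee    = d.owner
                         AND    p.table_name = d.referenced_name
                         AND    p.privilege  = 'EXECUTE')
            THEN 'DIRECT GRANT'
            ELSE 'PUBLIC ONLY'
       END AS access_path
FROM   dba_dependencies d
WHERE  d.referenced_name IN ('UTL_SMTP','UTL_TCP','UTL_HTTP','UTL_FILE','DBMS_RANDOM')
AND    d.referenced_type IN ('PACKAGE','SYNONYM')
AND    d.owner <> 'SYS'
ORDER  BY access_path DESC, d.owner, d.name;

-- 3. Baseline of invalid objects, to compare against the same query
--    after the change and spot anything the revoke invalidated.
SELECT owner, object_type, COUNT(*) AS invalid_count
FROM   dba_objects
WHERE  status = 'INVALID'
GROUP  BY owner, object_type
ORDER  BY owner, object_type;

-- 4. Order of operations for each schema listed as PUBLIC ONLY in step 2
--    (<schema> is a placeholder, shown for UTL_FILE only):
-- GRANT  EXECUTE ON sys.utl_file TO <schema>;
-- REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
```

Step 2 only sees stored objects; anonymous blocks and application code that call these packages at run time do not appear in `DBA_DEPENDENCIES`, so the change should still be trialled on a non-production copy first.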