All,

We are at Oracle 10g. We need to let our developer to browse source
code like packages/functions/triggers.

The only way i can think of is grant select any dictionary. Is there
any security risk there by doing that? What is other options?

Thanks for your help

"charles" <dshproperty (AT) gmail (DOT) com> a écrit dans le message de news:
880b62ca-c4c1-4d7e-9d16-b87d391a4b7a...oglegroups.com...
Create a procedure in procedure/... owner schema that displays
the code source and grant developers the privilege to execute this
procedure.

Regards
Michel

On Sep 22, 4:46*pm, "Michel Cadot" <micadot{at}altern{dot}org> wrote:
Here is what we did. I took the source code for USER_SOURCE and
created a view using this source with the current user restriction
removed. The view returns all source. Access is control via granting
the select privilege on the view. It would also be easy to restrict
the source code being displayyed to that belonging to specific
application code owners.

HTH -- Mark D Powell --

Am 22.09.2010 22:43, schrieb charles:

If you don't trust your developers to browse the source code, how come you
trust them to develop/debug your applications?

Regards
Peter

--
The only way to keep your health is to eat what you don't want, drink what
you don't like, and do what you'd rather not. -- Mark Twain

On Sep 23, 9:46*am, Mark D Powell <Mark.Powe... (AT) hp (DOT) com> wrote:

Now, could you tell me what is the risk if i gave them select any
dictionary, the only thing i guess is the password column exposed in
dba_users. And we will lock the account if more than 10 failed
logins. Any other concern i can tell my supervisor if i grant "select
any dictionary"?

On Sep 23, 4:36*pm, charles <dshprope... (AT) gmail (DOT) com> wrote:
They do not need 'select any dictionary'. You should follow Mark's
advice and create a view based on the definition of user_source but
include all of your application owners. That you still want to use
the easy way out is a mystery to me. These developers are not DBAs
and should not have 'select any dictionary' privilege.


David Fitzjarrell

On Sep 23, 1:36*pm, charles <dshprope... (AT) gmail (DOT) com> wrote:
http://lmgtfy.com/?q=%22select+any+d...+pete+finnigan

jg
--
@home.com is bogus.
http://www.signonsandiego.com/news/2...-for-inflight/

Thanks David.

We are a new Oracle shop, we are building all those new rules for this
new world

Our developer team strongly wanted it. They do not want to use SQL to
select against a view. They want to use some gui tool like SQL
developer/SQL navigator to browse.

I searched on Pete's site, he only mentioned "never grant select any
dictionary".

On oracle's website, it also mentioned
You should grant this privilege with extreme care, because the
integrity of your system can be compromised by their misuse.

But Oracle does not give details how the misuse could cause the
integrity of our database.

To convince the judge, our supervisor, i need to give some details,
some examples, which is hard to find on internet. The only thing i
found so far is dba_users has a password column.

On Sep 29, 9:02*am, charles <dshprope... (AT) gmail (DOT) com> wrote:
And that's all you need. http://www.sans.org/reading_room/spe...id=oracle_pass

Actually, anyone who can make a full=y rows=n export can grep for
"CREATE USER" in the export file. But don't tell anybody, you
wouldn't want to make it too easy for script kiddies on the
intertubes, like your undoubtedly curious developers.

I think this is all mooted in 11g. And made worse in some apps.

Also see http://www.oracle.com/technetwork/da...e-1-132870.pdf

jg
--
@home.com is bogus.
http://abcnews.go.com/Travel/las-veg...ry?id=11739234