Home » SQL & PL/SQL » SQL & PL/SQL » Do users ever create tables in these schemas? (18)
| Do users ever create tables in these schemas? [message #689668] |
Sun, 17 March 2024 08:31  |
 |
Darth Waiter
Messages: 78
Registered: October 2020
|
Member |
|
|
When I query tables from a brand-new installation of Oracle that no user has ever touched, there are tables in the following schemas:
'SYS'
,'SYSMAN'
,'SYSTEM'
,'MDSYS'
,'WMSYS'
,'TSMSYS'
,'DBSNMP'
,'OUTLN'
,'DVSYS'
,'ORDDATA'
,'GSMADMIN_INTERNAL'
,'DBSFWUSER'
,'XDB'
,'ORDSYS'
,'OLAPSYS'
I am only interested in tables, no other types of objects. Tables with or without indexes, if it matters.
Since it is technically possible for a superuser to create tables even in SYS, I am not sure. In MS SQL it is not possible to create a table in SYS, even for sa. Since it is possible in Oracle, I am not sure I can even rely on the list above to filter out system tables.
|
|
|
|
|
|
| Re: Do users ever create tables in these schemas? [message #689670 is a reply to message #689668] |
Sun, 17 March 2024 12:59  |
 |
Littlefoot
Messages: 21808
Registered: June 2005
Location: Croatia, Europe
|
Senior Member
Account Moderator |
|
|
In Oracle, nobody can create anything, anywhere, unless allowed to. How to allow it?
The simplest option is to provide username/password combination. If you (presuming you're a DBA) don't share that info with anyone, no problem.
Another option is to grant privileges (e.g. CREATE ANY TABLE) which will let that particular user create tables in any other schema. As DBA grants all privileges to all users in your database, it is - again - your responsibility NOT to grant such privileges.
Remember, when you (as a DBA) create user in your Oracle database, you do that with CREATE USER statement and provide its password. Initially, that user can't do anything, absolutely nothing. It can try to connect, but won't succeed until you grant it CREATE SESSION - then it'll be able to connect, and - again - do nothing until you grant it something more, such as CREATE TABLE - then it'll be able to create table in its own schema, insert rows into it, query its own tables etc. But that's restricted to its own schema, it can't do anything with any other schema.
Therefore, keep passwords and privileges safe, and your database will remain safe.
[Updated on: Mon, 18 March 2024 01:10] Report message to a moderator |
|
|
|
|
|
| Re: Do users ever create tables in these schemas? [message #689672 is a reply to message #689671] |
Sun, 17 March 2024 14:41 |
 |
Michel Cadot
Messages: 68647
Registered: March 2007
Location: Nanterre, France, http://...
|
Senior Member
Account Moderator |
|
|
Darth Waiter wrote on Sun, 17 March 2024 19:04John Watson wrote on Sun, 17 March 2024 12:57If you look at dba_users.oracle_maintained you will see all the schemas in which you should not create objects.
Is 'should not' somehow enforced or is that a gentleman's agreement?
Littlefoot answered this question which is by the way underlied in my answers in your previous topics.
There is nothing to enforce, just things to not allow, by default, everything is forbidden.
[Updated on: Sun, 17 March 2024 14:49] Report message to a moderator |
|
|
|
|
|
|
|
| Re: Do users ever create tables in these schemas? [message #689675 is a reply to message #689673] |
Mon, 18 March 2024 02:05 |
John Watson
Messages: 8931
Registered: January 2010
Location: Global Village
|
Senior Member |
|
|
Quote:An arbitrary DBA or developer may create them even under SYS
You think so?C:\Users\john>sqlplus system/oracle
SQL*Plus: Release 19.0.0.0.0 - Production on Mon Mar 18 07:03:32 2024
Version 19.17.0.0.0
Copyright (c) 1982, 2022, Oracle. All rights reserved.
Last Successful login time: Sun Mar 17 2024 13:41:40 +00:00
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.17.0.0.0
orclz> conn system/oracle
Connected.
orclz> create table sys.cannot(c1 date);
create table sys.cannot(c1 date)
*
ERROR at line 1:
ORA-01031: insufficient privileges
orclz>
|
|
|
|
| Re: Do users ever create tables in these schemas? [message #689676 is a reply to message #689675] |
Mon, 18 March 2024 05:15 |
cookiemonster
Messages: 13920
Registered: September 2008
Location: Rainy Manchester
|
Senior Member |
|
|
And if an arbitrary dev/DBA can log in as sys then they absolutely can create tables in sys.
In fact all the devs in my company have sys access on the dev DBs and for us it isn't a problem, but that's because we spin up our own dev server in the cloud and we are responsible for our own.
And we all know better than to create stuff in sys.
And if someone didn't it'd just mess up their server and would be blocked from entering source code on review.
Then test instances are more locked down and production are far more locked down.
|
|
|
|
|
|
|
|
| Re: Do users ever create tables in these schemas? [message #689679 is a reply to message #689677] |
Mon, 18 March 2024 08:36 |
cookiemonster
Messages: 13920
Registered: September 2008
Location: Rainy Manchester
|
Senior Member |
|
|
Michel Cadot wrote on Mon, 18 March 2024 11:50
OK but why not prevent from doing such things at the source instead of detecting them during review? It just a waste of resources and time and money for the company.
Why any developer should have access to SYS?
because sometimes we need to do changes that require sys access. We don't have a team of dev DBAs. and the devs who do that that stuff are all people with deep oracle knowledge.
Could we make another dba user that would have the access needed? sure
would we occasionally need actual sys access anyway? probably
Michel Cadot wrote on Mon, 18 March 2024 11:50
Even if security in dev environment is more relaxed, it does mean it could be anything.
If a developer kills a dev db who will recreate it? What about the lost time for all developers?
dev instances in the cloud, created from source using a Jenkins pipeline (creates a linux image, installs oracle, installs application on top). To recreate you just enter your instance details on a web page and press go.
Only the developer who killed their instance is affected and if they made a habit of it someone would be having a word.
Point is that our processes are such that that level of access on dev doesn't cause us problems, and if they did routinely cause us problems we would change the process.
And the level of access on instances that we aren't prepared to rebuild at the drop of a hat is greatly curtailed.
Michel Cadot wrote on Mon, 18 March 2024 11:50
OP's issue, in short, is that some high privileges has been granted to user now he has to check they didn't use them.
In his previous topic, it was a script is given to DBA to be deployed but he wants this DBA to understand the script before executing it. But these scripts should have been validated before and the DBAs who deploy them haven't to analyze but just to execute.
Roughly, all OP's questions are about how to verify things are correct despite the fact that we do any old how, instead of thinking to make things so that they cannot be otherwise than correct (but as he said this is just a philosophical point of view).
And you definitely don't want to be in that situation.
Guess my point is that there are multiple ways to handle access but the bottom line is you don't want to be in a situation where you aren't sure you can trust the people with the access you've granted them. At that point you need to either restrict access or put in place some other process to handle it.
|
|
|
|
|
|
| Re: Do users ever create tables in these schemas? [message #689687 is a reply to message #689678] |
Wed, 20 March 2024 02:44 |
|
Michel Cadot
Messages: 68647
Registered: March 2007
Location: Nanterre, France, http://...
|
Senior Member
Account Moderator |
|
|
Darth Waiter wrote on Mon, 18 March 2024 13:27Oh.
You still think of me as of a dev or DBA who makes decisions to create or not create objects, read/understand/run or not to read/understand/run scripts, etc, even though I never indicated that.
You should not try to follow or investigate me because I come here with isolated, technical questions that have no connections between them unless I indicate that one flows from the other.
Those who may have created such objects are neither myself or my coworkers: they are hypothetical past or present DBAs or devs who make their own decisions, however right or wrong, good or bad, and I only have to account for any possibility. That is as much as I am allowed to say.
No, I don't.
I just noticed that your questions contain "in MS SQL we can do that" or "in MS SQL we cannot do that" and try to mimic the same behavior in Oracle, so I look things from a higher point of view trying to show that searching technical solutions for organization problems is not the good way and, for some issues, may be workaround to .
I already asked you what is your purpose which would allow to answer in a more specific and accurate way.
Now, technically, if you want to know who create some objects in some schemes you can activate either traditional audit or create an audit policy.
If you want to forbid some creations from some users despite the fact they have been granted the privileges to do so, you can create a DDL trigger (which also allows you to log these actions).
Of course, if the user has DBA privileges he/she may deactivate these ones and/or delete audit information.
|
|
|
|
| Re: Do users ever create tables in these schemas? [message #689688 is a reply to message #689687] |
Wed, 20 March 2024 08:02 |
|
Darth Waiter
Messages: 78
Registered: October 2020
|
Member |
|
|
I do not try to mimic any behaviors, because like I explained, I have to account for possible past or future actions of arbitrary database owners. I do not have control over their possible actions and decisions. I must react to whatever actions they may have taken or may take in the future, whoever they are, wherever they are, and I do not care who did what, how, or why. This is not about me working on a particular instance that is under some degree of control of mine or my coworkers'. I do not care about reasoning why tables may have been created under SYS or whatever Oracle's schemas, or whether that is good or bad, sane or insane.
You are still trying to track my past and present questions and investigate me, which will lead nowhere.
The only purpose of this particular question is to find a way to filter out Oracle's OOB tables from queries. I established that it is not possible to do so by looking at schemas in which they might exist. Thus the question: is there any other way? Like I said, in MS SQL it is straightforward: I do not look at SYS or INFORMATION_SCHEMA, and that will suffice. Not so straightforward under Oracle.
|
|
|
|
|
|
|
|
|
|
| Re: Do users ever create tables in these schemas? [message #689695 is a reply to message #689694] |
Wed, 20 March 2024 12:22 |
cookiemonster
Messages: 13920
Registered: September 2008
Location: Rainy Manchester
|
Senior Member |
|
|
The only way you could possibly tell for certain is to create your own list of what should be in each oracle supplied schema for each release/patch version.
Building such a list, given that the contents could be changed by a patch, is an epic task.
Oracle's approach to sys and their other schemas is that people shouldn't be messing with them and if people do that's the peoples problem not oracles.
Oracle's approach isn't going to change either.
If you're working for a company that insists that people messing with oracle schemas is *your* problem then if I was you I'd start looking for another job. The *vast* majority of companies that work with oracle actually lock these things down.
|
|
|
|
Goto Forum:
Current Time: Sat Apr 27 15:32:20 CDT 2024
|
] 
Blog
Search
Help
Members
Register
Login
Home
