Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Database Vendors Shouldn't Kill the Messenger"] [Next entry: "Joshua Wright has provided a free tool to check Oracle accounts for common passwords"]

10gR2 the CONNECT role has finally been sanitized

I saw on Nialls blog yesterday in an entry titled "Connected Thinking" that the CONNECT role has finally been corrected by Oracle to do what it says on the tin - i.e. simply allow a user granted it to connect. That's right it now only has the system privilege CREATE SESSION. This is a welcome change and as Niall points out it will break a lot of existing third party and home grown applications when they are connected to 10gr2.

I (and a lot of others) have been suggesting this change for years and finally Oracle has listened to us all. Letís hope that they now do something about the RESOURCE role as well. It was rumoured that the CONNECT and RESOURCE roles had been deprecated and would be removed although I have never found this in writing.

The fact that CONNECT now only has the CREATE SESSION privilege would imply that Oracle have done a lot of testing with all of the default and example accounts that ion the past have been granted this role. Do these examples now work? - Only time will tell.

If you have previously used the CONNECT role then now is the time to start and look at the real privileges your applications need and to correct them.