danger

27 Oct Why granting the DBA role is a really bad idea!

Posted at 12:33h in Oracle, Security by

Just like other user accounts, database users can get certain roles granted. Those roles define what they can do and what they can see. Best practice from a security perspective is the “Principle of Least Privilege” (also known as PoLP), granting only specific privileges the user really needs.

To make it easier to manage, Oracle has some pre-defined roles within the database which can be granted to users. One of those roles is the DBA role, containing a lot of privileges which should only be granted to the Database Administrator.

Defining the right privileges can be time consuming as it can change by time (new application features, new job role of the user, etc…). That’s one of the reasons why Oracle users are often just granted the DBA role. This way everything works as it should from a user’s perspective, and there’s no need to grant or revoke privileges after application changes/updates.

However, one should be aware of the danger granting the DBA roles to users (non-exhaustive list):

  • When several or all users are granted the DBA role, hackers have more accounts to exploit, increasing the risk for data breaches;
  • Users with the DBA role cannot only see their own data, but they can see ALL data within the database. Except for a privacy discussion, users/developers can also accidentally delete/modify other data;
  • Last but not least, having the DBA role gives you the possibility to perform tasks which should be left in the hands of Database Administrators (DBA’s), like creating/deleting/blocking users, granting privileges to other users, create new or drop existing tables and indexes, etc…

 

Next to the bullets listed, the Oracle Patch Update of OCT 2020 shows how also a bug can help hackers to exploit users with the “DBA” role (see https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixDB):

The vulnerability exists due to a boundary error within the BZ2_decompress() function in decompress.c. A remote attacker can create a specially crafted archive, tricking the victim into opening it using the affected library, trigger out-of-bounds write and execute arbitrary code on the system.

What’s the difference between the DBA role and the SYSDBA system privilege?

The SYSDBA system privilege is the most powerfull administrative privilege to give to a user. With this system privilege the user can also start/stop a database and in worst case even remove the database. This role is also able to create a new spfile, change the archivelog-mode and allows the user to recover the database. Give this privilege only to the ones needed, or just leave it granted to the SYS user (which off-course has a complex password and is audited very precisely).

How can we find users with the DBA role?

After you’ve read the first sections, it should now be clear that giving the DBA role to the wrong users can be very very dangerous. You’ll now probably ask yourself how can we find which users already have this role in the database. Here is a query which will list all the users with the DBA role on your system:

 

select grantee from dba_role_privs where granted_role=’DBA’ and grantee not in (‘SYS’,’SYSTEM’) order by 1;

 

Now that you’ve got the list of all the users with the DBA role, you can start by listing the necessary privileges for each user. To make your life easy in this case, Oracle introduced the “Capture privilige” feature. This feature allows to capture real-time privileges and roles that were actually used on the system. You can then revoke unused grants and other changes to better reflect the access a user requires. Until Oracle 19c this functionality was part of the Oracle Database Vault option, so it should be only used with the appropriate license. From 19c onward this feature is now part of the Enterprise Edition and comes without the need of having a license for this option. Standard Edition users will need to user other techniques to find the necessary privileges.

Having troubles listing users with DBA role on your system? Want some help finding the necessary privileges? Need some help with the setup of the Oracle Capture Privilege feature? Our experts are here to help you. Want to go a step further and know how to increase security on your system? Our security assessment will provide you insights in what you could do better on database level.

Interested? Just ask us for help via phone: +32 3 450 67 89 or via e-mail: info@monin-it.be

Some interesting links: