
RE: Is Statspack a Security Problem?

From: Rodd Holman <roddholman_at_hotpop.com>
Date: Wed, 24 Jul 2002 10:55:44 -0800
Message-ID: <F001.004A1435.20020724105544@fatcity.com>


Why not just back up the spctab.sql script and then in vi do a :g/PUBLIC/s//DBA/ or whatever
role you choose to play with statspack before running? Although bind vars are still
appropriate too.

Rodd Holman

On Wed, 2002-07-24 at 12:23, kkennedy wrote:

    Sounds like yet another good reason for using bind variables 8-)

    Kevin Kennedy
    First Point Energy Corporation

    -----Original Message-----
    Sent: Wednesday, July 24, 2002 8:23 AM
    To: Multiple recipients of list ORACLE-L

    To wit:
    $ grep -i grant spctab.sql
    <snip>

    grant select on        STATS$SQLTEXT  to  PUBLIC;
    grant select on        STATS$SQL_STATISTICS  to  PUBLIC;
    grant select on        STATS$LEVEL_DESCRIPTION   to  PUBLIC;
    grant select on        STATS$IDLE_EVENT   to  PUBLIC;
    grant select on        STATS$PARAMETER  to  PUBLIC;
    grant select on        STATS$STATSPACK_PARAMETER  to  PUBLIC;
    -----------------------------------------------------------------------------------------------
    Notice the grants on stats$sqltext and stats$sql_summary. Should anyone who logs into the database be able to see nearly all SQL run against it? Oracle appears to truncate alter user statements so that one cannot find 'alter user blatz identified by password;' but one may stumble on 'update sal_table set sal = 100 where empoyee_id = 5;' or something to that effect.

    Ian MacGregor
    Stanford Linear Accelerator Center
    ian_at_SLAC.Stanford.edu

Received on Wed Jul 24 2002 - 13:55:44 CDT
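
The substitution suggested in the reply above, as an added example that is not part of the original thread: a shell function that keeps a backup of spctab.sql, rewrites only its `grant ... to PUBLIC;` statements to a named role, and checks that none remain. The role name PERFSTAT_READER, the function names and the sample file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). PERFSTAT_READER is a hypothetical
# role name; the role must exist before the edited spctab.sql is run.

# Count "grant ... to PUBLIC;" statements in a script (case-insensitive).
count_public_grants() {
    grep -ci '^[[:space:]]*grant[[:space:]].*[[:space:]]to[[:space:]][[:space:]]*public[[:space:]]*;' "$1" || true
}

# restrict_statspack_grants FILE ROLE
# Keep the untouched script as FILE.orig, then regenerate FILE from it with
# PUBLIC replaced by ROLE on grant lines only (other lines that mention
# PUBLIC are left alone). Returns 0 when no grant to PUBLIC is left in FILE.
restrict_statspack_grants() {
    file=$1
    role=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # The role name is interpolated into the sed script: plain identifiers only.
    case $role in
        ''|*[!A-Za-z0-9_]*) echo "invalid role name: $role" >&2; return 2 ;;
    esac
    # Never overwrite an existing backup, so reruns start from the original.
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    sed "/^[[:space:]]*[Gg][Rr][Aa][Nn][Tt][[:space:]]/s/\([[:space:]][Tt][Oo][[:space:]][[:space:]]*\)[Pp][Uu][Bb][Ll][Ii][Cc]\([[:space:]]*;\)/\1$role\2/" \
        "$file.orig" > "$file" || return 1
    [ "$(count_public_grants "$file")" -eq 0 ]
}

# Constructed sample: three grant lines quoted in the thread plus one
# constructed comment line that is not a grant.
write_sample() {
    cat > "$1" <<'EOF'
-- constructed comment: mentions PUBLIC but is not a grant
grant select on        STATS$SQLTEXT  to  PUBLIC;
grant select on        STATS$SQL_STATISTICS  to  PUBLIC;
grant select on        STATS$PARAMETER  to  PUBLIC;
EOF
}

# Usage: restrict_statspack_grants spctab.sql PERFSTAT_READER
```

On a database where the original script has already been run, editing the file does not withdraw the grants that are already in place.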
