Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: Is Statspack a Security Problem?

RE: Is Statspack a Security Problem?

From: MacGregor, Ian A. <ian_at_SLAC.Stanford.EDU>
Date: Wed, 24 Jul 2002 12:20:24 -0800
Message-ID: <F001.004A1781.20020724122024@fatcity.com> 





I'm  not saying it's not fixable.  The creation of dba level accounts such as dbsnmp and outln by Oracle is fixable as well.  But I'll wager there are folks out there who didn't know the grants  on the statspack tables were to public.
 


Of course none of our developers or ad hoc query writers would ever write a statement that doesn't use bind  variables.   I have it on  good authority that the same holds true for all Oracle sites everywhere. :)
 


Ian MacGregor


Stanford Linear Acclerator Center


ian_at_SLAC.Stanford.edu <mailto:ian_at_SLAC.Stanford.edu> 



-----Original Message-----


Sent: Wednesday, July 24, 2002 11:56 AM


To: Multiple recipients of list ORACLE-L




Why not just backup the spctab.sql script and then in vi do a g:/PUBLIC/s//DBA or whatever 
role you choose to play with statspack before running.  Although bind vars are still 
appropriate too. 



Rodd Holman 



On Wed, 2002-07-24 at 12:23, kkennedy wrote: 



Sounds like yet another good reason for using bind variables 8-)



Kevin Kennedy



First Point Energy Corporation 





-----Original Message-----



Sent: Wednesday, July 24, 2002 8:23 AM



To: Multiple recipients of list ORACLE-L







To wit:



$grep -i grant spctab.sql



<snip>



grant select on        STATS$SQLTEXT  to  PUBLIC;



grant select on        STATS$SQL_STATISTICS  to  PUBLIC;



grant select on        STATS$LEVEL_DESCRIPTION   to  PUBLIC;



grant select on        STATS$IDLE_EVENT   to  PUBLIC;



grant select on        STATS$PARAMETER  to  PUBLIC;



grant select on        STATS$STATSPACK_PARAMETER  to  PUBLIC;






Notice the grants on stats$sqltext and stats$sql_summary.  Should anyone who logs into the database be able to see nearly SQL run against it.  Oracle  appears to truncate alter user statements so that one cannot find 'alter user blatz identified by password;'  but one may stumble on  update sal_table



set sal = 100 where empoyee_id = 5;'  or something to that effect.





Ian MacGregor



Stanford Linear Accelerator Center



ian_at_SLAC.Stanford.edu




-- 



Please see the official ORACLE-L FAQ: http://www.orafaq.com


-- 



Author: MacGregor, Ian A.


  INET: ian_at_SLAC.Stanford.EDU


Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------


To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Wed Jul 24 2002 - 15:20:24 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US