Re: [Q] "execute any procedure" security risk?

From: Tanel Põder <tanel.poder.003_at_mail.ee>
Date: Wed, 2 Mar 2005 22:57:41 -0000
Message-ID: <047301c51f7b$3d5de7d0$0301a8c0@porgand>


Hi,

Execute any procedure means total control over the database and also operating system at least as much as the OS user running Oracle has privileges.

For example, the DBMS_SYS_SQL.PARSE_AS_USER procedure allows you to execute SQL as any DB user; DBMS_BACKUP_RESTORE and DBMS_FILE_TRANSFER (in 10g) allow you to overwrite any file in the OS, including executables, shared libraries and config files. You could, for example, copy the sqlplus binary somewhere else and replace it with a wrapper which does "your thing" and then runs sqlplus without the user even noticing it, etc...

So, why not grant the user SYSDBA instead and save the trouble; crackers need to sleep too.

Tanel.

> I checked the Oracle database we have on 9iR2. I found
> several users have the "execute any procedure" right. Can
> anyone tell me what kind of security risk "execute
> any procedure" poses?
>
> If I already grant "select_catalog_role" and
> "execute_catalog_role", do I need to grant the "execute any
> procedure" privilege?
>
> Thanks.
Received on Wed Mar 02 2005 - 18:01:07 CST
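An audit query for the question above, added here and not part of the thread: it lists every account that holds EXECUTE ANY PROCEDURE, either granted directly or inherited through any chain of roles, by walking DBA_ROLE_PRIVS with CONNECT BY. It assumes the reader can query the DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS views (SELECT_CATALOG_ROLE is enough for that).

```sql
-- Added example (not from the thread): find who holds EXECUTE ANY PROCEDURE.
-- Assumes SELECT access on DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS.

-- Part 1: direct grants of the privilege to a user or a role.
SELECT sp.grantee,
       CASE WHEN u.username IS NOT NULL THEN 'USER' ELSE 'ROLE' END AS grantee_type,
       'DIRECT'                                                    AS via,
       sp.admin_option
  FROM dba_sys_privs sp
  LEFT JOIN dba_users u ON u.username = sp.grantee
 WHERE sp.privilege = 'EXECUTE ANY PROCEDURE'
UNION
-- Part 2: grants inherited through roles. Start from every role that holds the
-- privilege directly and walk up through DBA_ROLE_PRIVS (role granted to role,
-- role granted to user) so nested role chains are resolved. Oracle refuses
-- circular role grants, so the hierarchy is cycle-free and needs no NOCYCLE.
SELECT rp.grantee,
       CASE WHEN u.username IS NOT NULL THEN 'USER' ELSE 'ROLE' END AS grantee_type,
       'VIA ROLE ' || rp.granted_role                              AS via,
       rp.admin_option
  FROM dba_role_privs rp
  LEFT JOIN dba_users u ON u.username = rp.grantee
 START WITH rp.granted_role IN (SELECT grantee
                                  FROM dba_sys_privs
                                 WHERE privilege = 'EXECUTE ANY PROCEDURE')
 CONNECT BY PRIOR rp.grantee = rp.granted_role
 ORDER BY grantee_type, grantee, via;
```

Rows with grantee_type USER are the accounts to review; SYS and DBA-role holders are expected, anything else is a candidate for REVOKE EXECUTE ANY PROCEDURE FROM that user or from the role named in the via column.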