Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: all_objects: anyone know why Oracle decided to only make triggers viewable with "CREATE ANY TRIGGER" system priv?

RE: all_objects: anyone know why Oracle decided to only make triggers viewable with "CREATE ANY TRIGGER" system priv?

From: Powell, Mark D <mark.powell_at_eds.com>
Date: Mon, 29 Oct 2007 17:02:48 -0400
Message-ID: <D1DC33E67722D54A93F05F702C99E2A901889C7D@usahm208.amer.corp.eds.com> 





Security.  By default on the owner and DBA's can see trigger (and also
package body) source.
 


Triggers are often used for auditing.  If you can see what the trigger
does then you can write the DML to remove the generated trail.
 


There are ways to provide access to source code without granting DBA or
ANY privileges.  For developers we provide a modified version of the
user_source view that we then grant select on.







        From: oracle-l-bounce_at_freelists.org


[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Charles Schultz

	Sent: Monday, October 29, 2007 2:01 PM
	To: oracle-l
	Subject: all_objects: anyone know why Oracle decided to only


make triggers viewable with "CREATE ANY TRIGGER" system priv?
        
        


        While trying to figure out how to give our data modelers access
to read any object, we came across this little caveat where they need
"CREATE ANY TRIGGER" to see triggers in all_objects. Ironically, we can
grant them "SELECT ANY DICTIONARY" and they can find the triggers from
dba_objects, but since they are using a canned app that hardcodes
all_objects, that was not happening. 
        


        But, why would you have to have a relatively powerful system
privilege just to see triggers? The relevant part of all_objects is:

	    or
	    (
	       o.type# in (12) /* trigger */
	       and
	       exists (select null from v$enabledprivs 
	               where priv_number in (
	                                      -152 /* CREATE ANY TRIGGER
*/
	                                    )
	              )
	    )
	
	
	What about priv_number 237 (SELECT ANY DICTIONARY)? Or any other


innocuous priv? 
        


        In doing some research, I came across David Litchfield's paper
on security:
        


http://securityvulns.com/files/ohh-indirect-privilege-escalation.pdf 
        

	Also, Pete Finigans:
	http://www.pentest.co.uk/documents/oracle-security.htm
	
	I appreciated Alex Gorbachev's take on the fiasco with SYS and


authid as well: 
        


http://www.pythian.com/blogs/352/calling-definer-rights-procedure-as-sys
dba-security-hole
        


        I am sure the issue with all_objects has been addressed, but
googling for specific information is like finding a needle in a
haystack. 
        

	-- 
	Charles Schultz 





--
http://www.freelists.org/webpage/oracle-l


Received on Mon Oct 29 2007 - 16:02:48 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US