RE: granting sys objects with grant option in 11.2.0.3 the grant option has no effect

From: Michael Dinh <mdinh_at_XIFIN.Com>
Date: Tue, 21 Feb 2012 08:44:34 -0800
Message-ID: <D29F9902E534D5478F2E83FD6A44B30649BF83CAC9_at_mail02.mba.xifin.com>



Were you connected as SYS when executing - grant execute on dbms_output to ttt_user with grant option; ???

Michael Dinh
Disparity Breaks Automation (DBA)

Great minds discuss ideas; average minds discuss events; small minds discuss people - Eleanor Roosevelt
Confidence comes not from always being right but from not fearing to be wrong - Peter T Mcintyre

-----Original Message-----

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Kurt-Franke_at_web.de
Sent: Tuesday, February 21, 2012 6:31 AM
To: oracle-l
Cc: Kurt.Franke_at_cellent-fs.de; Ronald.Stiefel_at_cellent-fs.de
Subject: FW: granting sys objects with grant option in 11.2.0.3 the grant option has no effect

next try, hoping the formatting information is no longer lost

Hello all,

I detected a problem as described by testcase: (tested in following Installations)

Linux x86 64-bit - Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production

Microsoft Windows x86 64-bit - Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production

Linux IA (32-bit) - Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - Production

The problem did not occur on 11.2.0.2 or previous

Testcase:

create user ttt_user identified by asdfghjk;
grant create session to ttt_user;
grant execute on dbms_output to ttt_user with grant option;
create user ttt2_user identified by asdfghjk;

connect ttt_user/asdfghjk

-- execute privilege is there
exec dbms_output.enable

-- but grant option is missed
grant execute on sys.dbms_output to ttt2_user;
*
ERROR at line 1:
ORA-01031: insufficient privileges

This problem did not occur with select privilege on a sys table. It also did not occur with execute privilege on a user package.

We use this feature for a special admin user in a software system with tenant isolation where the isolation is done by using separate database schemas for each tenant. The admin user is there to create new tenants (a very complex installation procedure) and needs to grant a couple of execute privileges on sys packages.

Has anyone heard of this problem?

Is there any mechanism to fall back to previous functional behaviour - i.e. setting a hidden parameter, setting a special event etc.?

(I'm arguing the ignoring of the grant option with execute privilege on sys objects is a workaround due to a security problem that occurred later)

TIA kf

 
--

http://www.freelists.org/webpage/oracle-l

Received on Tue Feb 21 2012 - 10:44:34 CST