Re: PUBLIC privileges on XDB$ACL

From: <david_at_databasesecurity.com>
Date: Thu, 19 Jul 2012 17:08:36 +0100
Message-ID: <4690487D5F8E46EB8F1F9C9DB2A2BDC4_at_NAUTILUS>

Hey all,

> Indeed. That line is there in 10.2 as well. In 11.2 there's a comment
> about
> removing the privilege
> *Rem sidicula 01/13/07 - Restrict privileges on ACL tab*

From what I can gather from everyone's responses, 10gR1 (and 9x etc.) grants *all*, whereas 10gR2 grants only select, insert, update and delete. The difference is small but important. As an advisory to anyone with the INDEX privilege still in place on this table for PUBLIC, I'd recommend revoking it - this opens a hole that allows people to run PL/SQL code with XDB privileges. This could pose a problem to some installations, as XDB can execute DBMS_RLS and therefore an attacker could effectively disable any virtual private databases on the server.

Cheers,
David
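
A DBA-side check and fix for the grant discussed in this message, added here as an example and not part of David's post. It assumes the ACL table is XDB.XDB$ACL (owned by the XDB schema) and that the reader runs it with access to the DBA_* views.

```sql
-- Step 1: what does PUBLIC currently hold on the ACL table?
-- On an affected install the result includes INDEX (10gR1 and earlier,
-- where ALL was granted, list every object privilege).
SELECT privilege, grantor, grantable
  FROM dba_tab_privs
 WHERE grantee    = 'PUBLIC'
   AND owner      = 'XDB'
   AND table_name = 'XDB$ACL'
 ORDER BY privilege;

-- Step 2: has the grant already been used? Any index on XDB$ACL that XDB
-- itself did not create is worth investigating, because an index built on
-- the table by another schema is exactly what the INDEX privilege permits.
SELECT owner, index_name, index_type, funcidx_status
  FROM dba_indexes
 WHERE table_owner = 'XDB'
   AND table_name  = 'XDB$ACL'
   AND owner      <> 'XDB';

-- Step 3: close the hole. Only INDEX is the dangerous one here; the DML
-- grants (select/insert/update/delete) are left as shipped. REVOKE INDEX
-- also works where the original grant was ALL, since ALL is stored as the
-- individual object privileges.
REVOKE INDEX ON xdb.xdb$acl FROM PUBLIC;

-- Step 4: re-run step 1 and confirm INDEX no longer appears for PUBLIC.
```

Test the revoke on a non-production copy first, since any application that legitimately builds indexes on XDB$ACL (unlikely, but possible) would start failing after step 3.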

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jul 19 2012 - 11:08:36 CDT