Re: PUBLIC privileges on XDB$ACL
Date: Thu, 19 Jul 2012 17:08:36 +0100
> Indeed. That line is there in 10.2 as well. In 11.2 there's a comment
> removing the privilege
> *Rem sidicula 01/13/07 - Restrict privileges on ACL tab*
From what I can gather from everyone's responses, 10gR1 (and 9x etc) grants *all* whereas 10gR2 grants only select, insert, update and delete. The difference is small but important. As an advisory to anyone with the INDEX privilege still in place on this table for PUBLIC, I'd recommend revoking it - this opens a hole that allows people to run PL/SQL code with XDB privileges. This could pose a problem to some installations as XDB can execute DBMS_RLS and therefore an attacker could effectively disable any virtual private databases on the server.
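
One way to check for and remove the grant discussed above, as an added example that is not part of the original message. It assumes a DBA session that can read the DBA_* dictionary views and that the table is XDB.XDB$ACL, as named in the subject line.

```sql
-- Added example, not from the original thread.
-- Assumption: run from a DBA session with access to the DBA_* views.

-- 1. Privileges PUBLIC currently holds on the ACL table. A grant of ALL is
--    recorded as one row per privilege, so INDEX is listed if it is present.
SELECT grantee, privilege, grantor, grantable
FROM   dba_tab_privs
WHERE  owner      = 'XDB'
AND    table_name = 'XDB$ACL'
AND    grantee    = 'PUBLIC'
ORDER  BY privilege;

-- 2. Indexes on the table owned by a schema other than XDB. The INDEX
--    privilege is what lets another schema create one, so any row here
--    deserves review before and after the revoke.
SELECT owner, index_name, index_type, status
FROM   dba_indexes
WHERE  table_owner = 'XDB'
AND    table_name  = 'XDB$ACL'
AND    owner      <> 'XDB';

-- 3. Whether the VPD concern applies to this installation: direct or PUBLIC
--    EXECUTE on DBMS_RLS (grants received through roles are not shown here).
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  table_name = 'DBMS_RLS'
AND    privilege  = 'EXECUTE'
AND    grantee   IN ('XDB', 'PUBLIC');

-- 4. Remove the INDEX privilege from PUBLIC, leaving the other grants as is.
REVOKE INDEX ON xdb.xdb$acl FROM PUBLIC;

-- 5. Verify: this should now return no rows.
SELECT privilege
FROM   dba_tab_privs
WHERE  owner      = 'XDB'
AND    table_name = 'XDB$ACL'
AND    grantee    = 'PUBLIC'
AND    privilege  = 'INDEX';
```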