Re: Private Synonyms

From: Niall Litchfield <niall.litchfield_at_gmail.com>
Date: Thu, 12 Dec 2013 11:13:24 +0000
Message-ID: <CABe10sYxe_eRH=vPocj-wkthVGy-wWBgEQomgM33nYeZy55obA_at_mail.gmail.com>



There isn't a security breach in the sense that User 2 gets access to data that they didn't already have access to. It is however somewhat counter-intuitive that you can run

CREATE SYNONYM x FOR SCHEMA.OBJECT;  -- private by default; Oracle has no PRIVATE keyword

and that someone else can utilize your synonym without explicit grants. Doing so is somewhat daft, of course.

On Thu, Dec 12, 2013 at 8:49 AM, D'Hooge Freek <Freek.DHooge_at_uptime.be> wrote:

> Hi,
>
> Why would that be fishy?
> user2 has received access on the underlying object, to which the private
> synonym points, directly from scott.
> So, no security breach.
>
>
> regards,
>
> --
> Freek D'Hooge
> Uptime
> Oracle Database Administrator
> email: freek.dhooge_at_uptime.be
> tel +32(03) 451 23 82
> http://www.uptime.be
> disclaimer: www.uptime.be/disclaimer.html
>
>
>
>
> On wo, 2013-12-11 at 18:29 -0500, Dick Goulet wrote:
>
> All,
>
> Is there anyone other than myself that doesn't think this is right?
> For those of you who have missed it, like I did, when Oracle started
> evolving Fine Grained Access Controls (FGA) the role of private synonyms
> changed. Try this for starters and I'll make it easy:
>
> 1) install the scott account, we'll need emp.
> 2) create another account, any name you like, I'll use user1.
> 3) create a third account, I'll call it user2.
> 4) as scott grant select on emp to user1.
> 5) as scott grant select on emp to user2.
> 6) as user1 create a private synonym to scott.emp
> 7) as user2 "select * from user1.emp;"
>
> If you go back to a V8 database step 7 above will end in an ORA-00942. If
> you're on V9 or higher, you get data.
>
> Does this sound fishy??? I've opened an itar with Oracle. They
> referenced note:174368.1 Policies on Synonyms. But this just seems wrong
> to me. Any other opinion???
>
>
> Dick Goulet
> Senior Oracle DBA.
>
>

-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Dec 12 2013 - 12:13:24 CET
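
Added example (not part of the original thread): steps 4-7 from the quoted message written out as SQL, followed by a data-dictionary query a DBA could run to list private synonyms that point into another schema together with the other grantees on the underlying object. It assumes the accounts scott, user1 and user2 from the thread, a synonym named emp as implied by step 7, and read access to the DBA_SYNONYMS and DBA_TAB_PRIVS views.

```sql
-- Steps 4-7 from the thread (accounts scott, user1, user2 already exist).
-- Run each statement while connected as the user named in the comment.

-- as scott
GRANT SELECT ON emp TO user1;
GRANT SELECT ON emp TO user2;

-- as user1: a synonym is private unless PUBLIC is specified
CREATE SYNONYM emp FOR scott.emp;

-- as user2: the name resolves through user1's synonym; the privilege
-- check is made against scott.emp, which user2 was granted directly
SELECT * FROM user1.emp;

-- Audit query (as a DBA): private synonyms that point at another schema's
-- object, with every other grantee holding a privilege on that object.
-- Grantees may be users, roles or PUBLIC; role membership is not expanded.
SELECT s.owner        AS synonym_owner,
       s.synonym_name,
       s.table_owner,
       s.table_name,
       p.grantee,
       p.privilege
FROM   dba_synonyms  s
JOIN   dba_tab_privs p
       ON  p.owner      = s.table_owner
       AND p.table_name = s.table_name
WHERE  s.owner   <> 'PUBLIC'          -- private synonyms only
AND    s.owner   <> s.table_owner     -- target lives in another schema
AND    s.db_link IS NULL              -- local objects only
AND    p.grantee <> s.owner           -- someone other than the synonym owner
ORDER  BY s.owner, s.synonym_name, p.grantee;
```

Each row returned is a grantee who can read the target through the synonym owner's name because of a grant on the underlying object, so the grant is the thing to review.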
