Re: Private Synonyms

From: Jared Still <jkstill_at_gmail.com>
Date: Fri, 20 Dec 2013 10:57:49 -0800
Message-ID: <CAORjz=O_TkEK_S0r=GidDPuU6=Gz65X0UgGRqS1fWvoQOh756g_at_mail.gmail.com>



What Niall said
On Dec 12, 2013 3:15 AM, "Niall Litchfield" <niall.litchfield_at_gmail.com> wrote:

> There isn't a security breach in the sense that User 2 gets access to data
> that they didn't already have access to. It is however somewhat
> counter-intuitive that you can run
>
> CREATE SYNONYM x FOR SCHEMA.OBJECT;   -- a private synonym; there is no PRIVATE keyword, only PUBLIC
>
> and that someone else can utilize your synonym without explicit grants.
> Doing so is somewhat daft, of course.
>
>
> On Thu, Dec 12, 2013 at 8:49 AM, D'Hooge Freek <Freek.DHooge_at_uptime.be>wrote:
>
>> Hi,
>>
>> Why would that be fishy?
>> user2 has received access on the underlying object, to which the private
>> synonym points, directly from scott.
>> So, no security breach.
>>
>>
>> regards,
>>
>> --
>> Freek D'Hooge
>> Uptime
>> Oracle Database Administrator
>> email: freek.dhooge_at_uptime.be
>> tel +32(03) 451 23 82
>> http://www.uptime.be
>> disclaimer: www.uptime.be/disclaimer.html
>>
>>
>>
>>
>> On wo, 2013-12-11 at 18:29 -0500, Dick Goulet wrote:
>>
>> All,
>>
>> Is there anyone other than myself who doesn't think this is right?
>> For those of you who have missed it, like I did, when Oracle started
>> evolving Fine Grained Access Controls (FGA) the role of private synonyms
>> changed. Try this for starters and I'll make it easy:
>>
>> 1) install the scott account, we'll need emp.
>> 2) create another account, any name you like, I'll use user1.
>> 3) create a third account, I'll call it user2.
>> 4) as scott grant select on emp to user1.
>> 5) as scott grant select on emp to user2.
>> 6) as user1 create a private synonym to scott.emp
>> 7) as user2 "select * from user1.emp;"
>>
>> If you go back to a V8 database, step 7 above will end in an ORA-00942.
>> If you're on V9 or higher, you get data.
>>
>> Does this sound fishy??? I've opened an iTAR with Oracle. They
>> referenced note 174368.1, Policies on Synonyms. But this just seems wrong
>> to me. Any other opinion???
>>
>>
>> Dick Goulet
>> Senior Oracle DBA.
>>
>>
>
>
> --
> Niall Litchfield
> Oracle DBA
> http://www.orawin.info
>

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Dec 20 2013 - 19:57:49 CET
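The seven steps in Dick's post, carried through as one SQL*Plus script, with the negative check the thread only implies (revoke the grant on the underlying table and the synonym buys nothing) and a dictionary query a DBA can run to see which other users can resolve a given private synonym. This is an added example, not code from any of the posters. It assumes SQL*Plus, a DBA account that can create users, the SCOTT schema already installed with its EMP table, and the placeholder passwords used below; the ORA-00942 on the revoked run is the behaviour I expect from the privilege check on the underlying object, not something the thread states.

```sql
-- Added example (not from the thread). Assumptions: SQL*Plus, SCOTT/EMP installed,
-- a DBA login, placeholder passwords. Run on 9i or later; the thread reports that
-- an 8i database fails step 7 with ORA-00942.

-- Steps 2 and 3: create the two test accounts (as a DBA).
CONNECT system/manager_password
CREATE USER user1 IDENTIFIED BY user1_pwd;
CREATE USER user2 IDENTIFIED BY user2_pwd;
GRANT CREATE SESSION, CREATE SYNONYM TO user1;
GRANT CREATE SESSION TO user2;

-- Steps 4 and 5: SCOTT grants SELECT on EMP to both users.
CONNECT scott/tiger
GRANT SELECT ON emp TO user1;
GRANT SELECT ON emp TO user2;

-- Step 6: USER1 creates a private synonym. A synonym is private unless the
-- PUBLIC keyword is given; there is no PRIVATE keyword.
CONNECT user1/user1_pwd
CREATE SYNONYM emp FOR scott.emp;

-- Step 7: USER2 resolves through USER1's private synonym. On 9i and later this
-- returns rows: the privilege check is made against the underlying object
-- (SCOTT.EMP), on which USER2 holds SELECT, not against the synonym itself.
CONNECT user2/user2_pwd
SELECT empno, ename FROM user1.emp;

-- Negative check: take away USER2's privilege on the underlying table and repeat.
-- The synonym confers nothing on its own; this SELECT is expected to fail with
-- ORA-00942 (table or view does not exist).
CONNECT scott/tiger
REVOKE SELECT ON emp FROM user2;
CONNECT user2/user2_pwd
SELECT empno, ename FROM user1.emp;

-- Audit query (as a DBA): every private synonym pointing at SCOTT.EMP, paired
-- with each other grantee who holds a privilege on SCOTT.EMP and so can use
-- that synonym. DBA_SYNONYMS and DBA_TAB_PRIVS are standard dictionary views.
CONNECT system/manager_password
SELECT s.owner        AS synonym_owner,
       s.synonym_name,
       p.grantee      AS can_resolve_via_synonym,
       p.privilege
  FROM dba_synonyms  s
  JOIN dba_tab_privs p
    ON p.owner      = s.table_owner
   AND p.table_name = s.table_name
 WHERE s.table_owner = 'SCOTT'
   AND s.table_name  = 'EMP'
   AND s.owner NOT IN ('PUBLIC', s.table_owner)
   AND p.grantee <> s.owner
 ORDER BY s.owner, s.synonym_name, p.grantee;

-- Cleanup of the test accounts.
DROP USER user2 CASCADE;
DROP USER user1 CASCADE;
```

The audit query is the practical takeaway: since 9i a private synonym is effectively readable by anyone who already has rights on its target, so the list of who can use it is the list of grantees on the target, which is exactly what the join over DBA_TAB_PRIVS returns.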
