Re: Oracle Stored Procedure Security

In article <33D14EFD.3606_at_diac.com> Pete Petersen <morph_at_diac.com> writes:
>From: Pete Petersen <morph_at_diac.com>
>Subject: Oracle Stored Procedure Security
>Date: Sat, 19 Jul 1997 17:34:21 -0600
 

>Hypothetical Situation:
 

>User "superuser" creates a stored procedure called "update_customers"
>that performs an update on table "customer_master_file". "Superuser"
>owns the "customer_master_file" table and therefore has full object
>privileges on this table
 

>User "enduser" has been given execute access on the "update_customers"
>stored procedure, however, "enduser" does not have UPDATE privileges on
>the "customer_master_file" table.
 

>Query:
 

>Will "enduser" be able to update the "customer_master_file" when running
>the "update_customers" stored procedure OR will the update fail since
>"enduser" doesn't have update privileges on the table.

Stored procedures run with the privileges of the owner. If the owner of the procedure can update the table, anybody with execute on the stored procedure will be able to update the table (through the procedure.)

>What do YOU think.

It takes all of 5 minutes or so to experimentally verify this; however, this topic seems to fall into the category of "who you gonna believe, me or your lying eyes." I actually had someone hired as an Oracle DBA argue about this; even showing him the manual page and a working example didn't quite convince him. So try it and see, then you won't have to worry about what someone _thinks_. You'll know.

Rick Brown
rick_at_onramp.net Received on Sun Jul 20 1997 - 00:00:00 CDT