Re: ODBC Bypassing Oracle's Security :-(

> When I used ODBC32 and MsAccess '95, I find that I can update the
>owner's tables directly, and via the synonyms I created. Again, the key
>word is UPDATE. I wanted read-only access.
>
> I've already tried adding a entries into PRODUCT_USER_PROFILE
>disabling updates and ODBC but that didn't resolve the issue. We are
>using Oracle7 32 bit ODBC driver (production) 2.5.3.1.0B .
>

ODBC works using SQL*Net connectivity to Oracle database. It allows you to perform such actions that are permitted in other Oracle sessions such as in SQL*Plus, for example and not other.
It _does not_ add any rights and privileges. So I would connect to Oracle via SQL*Plus using account identical as in ODBC and try to perform the same actions. If they succeed, it means you have given too wide grants.

Other possibility (sometimes it happens): If you connect to Oracle via ODBC (and SQL*Net) without supplying the password, it means that operating system user verification was performed by Oracle DB. For example -- if you have created user AAA, and in the DB there exists user OPS$AAA and you connect to DB without supplying the password, there is in fact a OPS$AAA user session. In first while it looks, that ODBC ommits the user verification.

So check object permissions and the possibility of connecting as OPS$AAA instead of AAA user.

HTH, Piotr
pkol_at_otago.gda.pl Received on Tue Mar 17 1998 - 00:00:00 CST