Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.misc -> Why is Oracle letting me do this? Security issue?

Why is Oracle letting me do this? Security issue?

From: PMG <pete_g_at_2xtreme.net>
Date: Fri, 09 Apr 1999 05:27:53 GMT
Message-ID: <370D8F51.9272FD2A@2xtreme.net> 





Step 1. I have created two tables, A and B.
Step 2. I create some trigger on A which fires after insert or update on
A and writes something to B.


Step 3. I grant select, insert, update on table A to user X.
Step 4. I grant select only on table B to user X.



Now, when user X does an insert or an update on table A, the trigger
fires and something gets written to table B. Even though no permission
has been granted to user X for inserting or updating on table B.



It appears that triggers bypass the permission checks on a table. Unless
I am missing something, this is a potentially dangerous situation, since
there is nothing to prevent a user from accessing table B using this
technique.

Received on Fri Apr 09 1999 - 00:27:53 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US