Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.misc -> Re: Why is Oracle letting me do this? Security issue?

Re: Why is Oracle letting me do this? Security issue?

From: Andrew Babb <andrewb_at_mail.com>
Date: Fri, 09 Apr 1999 17:17:48 +0800
Message-ID: <370DC5BC.856C4DAE@mail.com>


Hi,

I think you will find that the trigger fires as the owner, and not as the person performing the initial insert. Therefore, it is the schema of table A performing the insert into table B, not User X performing the insert into table B.

Oracle does have an official term for this, which someone might be able to provide, but I cannot remember immediately.

Rgds
Andrew

PMG wrote:

> Step 1. I have created two tables, A and B.
> Step 2. I create some trigger on A which fires after insert or update on
> A and writes something to B.
> Step 3. I grant select, insert, update on table A to user X.
> Step 4. I grant select only on table B to user X.
>
> Now, when user X does an insert or an update on table A, the trigger
> fires and something gets written to table B. Even though no permission
> has been granted to user X for inserting or updating on table B.
>
> It appears that triggers bypass the permission checks on a table. Unless
> I am missing something, this is a potentially dangerous situation, since
> there is nothing to prevent a user from accessing table B using this
> technique.
Received on Fri Apr 09 1999 - 04:17:48 CDT
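
Added example, not part of the original posts: the four steps from the quoted question as Oracle SQL, followed by the checks that show the scope of what user X gains. A trigger body runs with the privileges of the trigger's owner (definer's rights), so X can only cause the writes the owner coded into the trigger; direct DML on B is still subject to X's own grants. The schema name `app_owner`, the user name `user_x`, the trigger name and all column names are assumptions chosen for illustration.

```sql
-- Added illustration; app_owner, user_x, a_aiu and the columns are assumed names.
-- Steps 1-4 are run while connected as app_owner, the owner of A, B and the trigger.

-- Step 1: the two tables.
CREATE TABLE a (id NUMBER PRIMARY KEY, val VARCHAR2(50));
CREATE TABLE b (a_id NUMBER, val VARCHAR2(50),
                changed_by VARCHAR2(128), changed_at DATE);

-- Step 2: trigger on A that writes to B.
CREATE OR REPLACE TRIGGER a_aiu
AFTER INSERT OR UPDATE ON a
FOR EACH ROW
BEGIN
  -- This INSERT is checked against app_owner's privileges on B,
  -- not against those of the session that touched A.
  -- USER is still the session user, so B records who caused the write.
  INSERT INTO b (a_id, val, changed_by, changed_at)
  VALUES (:NEW.id, :NEW.val, USER, SYSDATE);
END;
/

-- Steps 3 and 4: the grants from the question.
GRANT SELECT, INSERT, UPDATE ON a TO user_x;
GRANT SELECT ON b TO user_x;

-- Now connected as user_x.
-- Allowed: X holds INSERT on A; the trigger then writes to B as app_owner.
INSERT INTO app_owner.a (id, val) VALUES (1, 'first');
-- Allowed: X holds SELECT on B and can see the row the trigger wrote.
SELECT a_id, val, changed_by FROM app_owner.b;
-- Rejected: X holds no INSERT, UPDATE or DELETE privilege on B.
INSERT INTO app_owner.b (a_id, val) VALUES (99, 'direct');
UPDATE app_owner.b SET val = 'changed';
DELETE FROM app_owner.b;

-- Back as app_owner: list the triggers on A, i.e. the code paths through
-- which holders of DML privileges on A exercise the owner's rights.
SELECT trigger_name, triggering_event, status
FROM   user_triggers
WHERE  table_name = 'A';
```

When reviewing grants, treat DML privileges on a table as including whatever its triggers do on the owner's behalf, and read the trigger bodies for values copied from `:NEW` into other tables.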
