Re: Why is Oracle letting me do this? Security issue?

From: Jonathan Lewis <jonathan_at_jlcomp.demon.co.uk>
Date: Tue, 20 Apr 1999 20:18:33 +0100
Message-ID: <924636536.1873.0.nnrp-04.9e984b29@news.demon.co.uk>


You could/should look at this the other way round:

First: you only know that your insert into table A is causing an insert into table B because you are a privileged user. If you had only the privilege to insert into A you could not discover that a side-effect of inserting into A was that a consequential insert into B took place.

Secondly: by ensuring that any action you take on data in table A results in an insert into table B, the application developer can ensure that an audit trail is kept of any action you take __without your knowledge__. This makes it a security feature, not a security loophole.

--

Jonathan Lewis
Yet another Oracle-related web site: www.jlcomp.demon.co.uk

>PMG wrote:
>
>> I'd love to find out what the official term for this is, and the justification for
>> it. It seems to be a loophole in security, since I can indirectly modify a table
>> that I do not have direct permissions assigned.
>>
>> Pete
>
>> Andrew Babb wrote:
>>
>> > Hi,
>> >
>> > I think you will find that the trigger fires as the owner, and not as the
>> > person performing the initial insert. Therefore, it is the schema of table A
>> > performing the insert into table B, not User X performing the insert into
>> > table B.
Received on Tue Apr 20 1999 - 14:18:33 CDT
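
The behaviour discussed in this thread, as an added example that is not part of the original posts: a trigger on table A writes an audit row into a second table using the table owner's privileges, while the inserting user holds nothing but INSERT on A. The schema names APP_OWNER and USER_X, the table names A and B_AUDIT, and the trigger name are assumptions chosen for illustration.

```sql
-- Added illustration; all object and schema names are hypothetical.

-- Connected as APP_OWNER -------------------------------------------
CREATE TABLE a (
  id      NUMBER PRIMARY KEY,
  payload VARCHAR2(100)
);

CREATE TABLE b_audit (
  a_id       NUMBER,
  changed_by VARCHAR2(128),
  changed_at DATE DEFAULT SYSDATE
);

-- The trigger body runs with APP_OWNER's privileges, so it can write
-- to B_AUDIT whatever the inserting session has been granted.
CREATE OR REPLACE TRIGGER a_audit_trg
AFTER INSERT ON a
FOR EACH ROW
BEGIN
  -- SESSION_USER is the account that issued the INSERT, not the owner.
  INSERT INTO b_audit (a_id, changed_by)
  VALUES (:NEW.id, SYS_CONTEXT('USERENV', 'SESSION_USER'));
END;
/

-- The only privilege USER_X receives: no grant of any kind on B_AUDIT.
GRANT INSERT ON a TO user_x;

-- Connected as USER_X ----------------------------------------------
-- Allowed: the trigger adds the audit row as part of this statement.
INSERT INTO app_owner.a (id, payload) VALUES (1, 'first row');
COMMIT;

-- Rejected: USER_X has no privilege on B_AUDIT, so the audit trail
-- can neither be written to directly nor read back.
INSERT INTO app_owner.b_audit (a_id, changed_by) VALUES (99, 'FORGED');
SELECT * FROM app_owner.b_audit;

-- Connected as APP_OWNER -------------------------------------------
-- The owner reviews the trail the trigger wrote on USER_X's behalf.
SELECT a_id, changed_by, changed_at FROM b_audit ORDER BY changed_at;
```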