
Re: PL/SQL Execute permissions

From: Connor McDonald <connor_mcdonald_at_yahoo.com>
Date: 2000/06/09
Message-ID: <3940FDB2.CF5@yahoo.com>#1/1

Thomas J. Kyte wrote:
>
> In article <393FA534.BC47351D_at_Unforgetable.com>,
> Walter T Rejuney <BlueSax_at_Unforgetable.com> wrote:
> > Why do users have the ability to use DBMS_OUTPUT without any DBA
> > intervention, but if they try to use DBMS_SYSTEM they don't have
> > permission to execute it until the DBA gives explicit permission. I know
> > there must be other procedures that are like this but this is one that I
> > recently ran into.
> >
>
> dbms_output = harmless package that everyone needs. no inherent
> security risks in everyone having at it. very safe. very useful.
>
> dbms_system = undocumented package. Full of things I don't want my
> typical user doing. Like turning on trace in someone else's session.
> Like setting events in their session. Like writing nastygrams into my
> alert.log
>
> You'll find the packages granted to public are "safe", "harmless"
> packages. Packages not granted to public (eg: dbms_pipe) can do things
> that are "bad" in the wrong hands. With dbms_pipe for example -- if
> you wrote a program to listen on a pipe and write procedures to put
> messages into that pipe and granted execute on those procedures
> to "sue".... think about what could happen if public had execute on
> dbms_pipe and "bob" wanted to talk to your pipe server -- he could try
> to get access to YOUR procedure (but he can't, you won't give it to
> him) or he could use dbms_pipe to talk directly to your pipe server and
> you would never know the difference.
>
> --
> Thomas Kyte (tkyte_at_us.oracle.com) Oracle Service Industries
> Howtos and such: http://osi.oracle.com/~tkyte/index.html
> Oracle Magazine: http://www.oracle.com/oramag
> Opinions are mine and do not necessarily reflect those of Oracle Corp
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.

Thomas - is there any doco (official or otherwise) about DBMS_SYSTEM? Naturally you can see the public parts of the package (SET_EV etc etc) but actually knowing what each proc does has always been somewhat guesswork for me...

Connor

-- 
===========================================
Connor McDonald
http://www.oracledba.co.uk

We are born naked, wet and hungry...then things get worse
Received on Fri Jun 09 2000 - 00:00:00 CDT
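
An added example, not part of the original thread: an audit of who can actually execute the two packages discussed above, first by direct grant and then through any chain of roles. It assumes a release that supports ANSI joins and CONNECT_BY_ROOT, read access to the DBA_* dictionary views, and a package list taken only from the names mentioned in the posts.

```sql
-- 1. Direct EXECUTE grants on the packages named in the thread.
--    A row with grantee PUBLIC means every database user can call the package.
SELECT p.table_name AS package_name,
       p.grantee,
       CASE
         WHEN p.grantee = 'PUBLIC' THEN 'PUBLIC (all users)'
         WHEN r.role IS NOT NULL   THEN 'ROLE'
         ELSE 'USER'
       END         AS grantee_type,
       p.grantor,
       p.grantable              -- YES = grantee may pass the privilege on
FROM   dba_tab_privs p
       LEFT JOIN dba_roles r ON r.role = p.grantee
WHERE  p.owner      = 'SYS'
AND    p.privilege  = 'EXECUTE'
AND    p.table_name IN ('DBMS_SYSTEM', 'DBMS_PIPE')
ORDER  BY p.table_name, grantee_type, p.grantee;

-- 2. Users who reach the same packages indirectly, through a role or a
--    role granted to another role. Each row of DBA_ROLE_PRIVS is treated as
--    a root; the hierarchy walks from a role down to everything holding it.
SELECT DISTINCT
       p.table_name AS package_name,
       h.root_role  AS granted_via_role,
       u.username   AS effective_user
FROM   dba_tab_privs p
       JOIN (SELECT CONNECT_BY_ROOT granted_role AS root_role,
                    grantee
             FROM   dba_role_privs
             CONNECT BY PRIOR grantee = granted_role) h
         ON h.root_role = p.grantee
       JOIN dba_users u
         ON u.username = h.grantee   -- keep end users, drop intermediate roles
WHERE  p.owner      = 'SYS'
AND    p.privilege  = 'EXECUTE'
AND    p.table_name IN ('DBMS_SYSTEM', 'DBMS_PIPE')
ORDER  BY package_name, effective_user;
```

Any account in the second result set that is not an administrator is in the position described for "bob" in the quoted reply: able to call the package directly instead of going through the owner's granted procedures.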
