Re: Possible SECURITY ERROR ?
A copy of this was sent to Isaac Chocron <Itshak_at_hadassah.org.il>
(if that email address didn't require changing)
On Sun, 24 Jan 1999 14:55:07 +0200, you wrote:
>I have an Oracle 8.0.4 server on NT.
>
>Can anyone explain to me whether this is true or whether it is a terrible bug?
>
It's not a bug; USER_A is a DBA or has had the "ALTER USER" priv granted to them.
When you issue:
SQL> grant <system priv|role> to user
you can also change their password by running:
SQL> grant <system priv|role> to user IDENTIFIED BY <newpassword>
it's not the password of the ROLE but the password of the user. As user_a, try this:
SQL> alter user user_b identified by new_password;
If it works, user_a has the ALTER USER priv and is in fact supposed to be able to change anyone's password.
>I have two schemas: User_a User_b
>Their passwords are: Pass_a Pass_b
>
>User_a has the system privilege:Grant Any Role.
>
>User_a has created a role with this statement:
> Create role Role_a identified by Test;
>
>User_a has performed this statement:
> Grant Role_a to User_b identified by test;
>
>The result is ...
> The password of User_b is Test !!! and not Pass_b.
>
>So User_a has the possibility of changing the password of any schema !!!
I bet User_a always had that priv (as a result of having DBA, perhaps). Try this test in your database (replace tkyte/tkyte with some DBA user/pass):
SQL> connect tkyte/tkyte
Connected.
SQL> drop user user_a cascade;
User dropped.
SQL> drop user user_b cascade;
User dropped.
SQL> drop role role_a;
Role dropped.
SQL> create user user_a identified by pass_a;
User created.
SQL> create user user_b identified by pass_b;
User created.
SQL> grant create session, create role, grant any role to user_a;
Grant succeeded.
SQL> grant create session to user_b;
Grant succeeded.
SQL> connect user_a/pass_a
Connected.
SQL> create role role_a identified by test;
Role created.
SQL> grant role_a to user_b identified by test;
grant role_a to user_b identified by test
*
ERROR at line 1:
ORA-01031: insufficient privileges
REM -- See, you cannot change user_b's password here -- you do not
REM -- have ALTER USER
SQL> connect user_b/pass_b
Connected.
SQL> connect user_b/test
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
REM -- lets try again, this time user_a will have the ALTER USER priv
SQL> connect tkyte/tkyte
Connected.
SQL> drop user user_a cascade;
User dropped.
SQL> drop user user_b cascade;
User dropped.
SQL> drop role role_a;
Role dropped.
SQL> create user user_a identified by pass_a;
User created.
SQL> create user user_b identified by pass_b;
User created.
SQL> grant create session, create role, grant any role to user_a;
Grant succeeded.
SQL> grant alter user to user_a;
Grant succeeded.
SQL> grant create session to user_b;
Grant succeeded.
SQL> connect user_a/pass_a
Connected.
SQL> create role role_a identified by test;
Role created.
SQL> grant role_a to user_b identified by test;
Grant succeeded.
REM -- this time the grant ... identified by ... works because
REM -- user_a has ALTER USER
SQL> connect user_b/pass_b
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
SQL> connect user_b/test
Connected.
Thomas Kyte
tkyte_at_us.oracle.com
Oracle Service Industries
Reston, VA USA
--
http://govt.us.oracle.com/ -- downloadable utilities
Anti-Anti Spam Msg: if you want an answer emailed to you, you have to make it easy to get email to you. Any bounced email will be treated the same way I treat SPAM -- I delete it.
Received on Sun Jan 24 1999 - 09:54:21 CST
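The reply's point is that GRANT ... IDENTIFIED BY only resets a user's password when the grantor already holds ALTER USER, so the practical follow-up is to find out who actually holds that privilege. The query below is an added example and is not part of Tom Kyte's post. It assumes a DBA account that can read DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS, and uses CONNECT BY so that ALTER USER inherited through nested roles (DBA, IMP_FULL_DATABASE, or a site-defined role) is reported alongside direct grants.

```sql
-- Added example (not from the original post): list every database user who can
-- change other users' passwords, i.e. who holds the ALTER USER system privilege
-- either directly or through any chain of roles.
-- Assumes a DBA account with SELECT on DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS.

-- Direct grants: the privilege sits on the user itself.
SELECT u.username,
       'direct grant' AS how
  FROM dba_sys_privs p,
       dba_users     u
 WHERE p.privilege = 'ALTER USER'
   AND u.username  = p.grantee
UNION
-- Inherited grants: start from every role that holds ALTER USER and walk
-- upward through DBA_ROLE_PRIVS to each grantee of that role, then to each
-- grantee of a role that contains it, and so on. Oracle rejects circular
-- role grants, so the CONNECT BY cannot loop.
SELECT u.username,
       'via role ' || r.granted_role AS how
  FROM (SELECT grantee, granted_role
          FROM dba_role_privs
         START WITH granted_role IN (SELECT grantee
                                       FROM dba_sys_privs
                                      WHERE privilege = 'ALTER USER')
       CONNECT BY PRIOR grantee = granted_role) r,
       dba_users u
 WHERE u.username = r.grantee
 ORDER BY 1, 2;
```

Run as a DBA after the second half of the test above, user_a appears under "direct grant", and any account that merely holds the DBA role appears under "via role DBA"; the role named in the second column is the one the user was granted directly, not necessarily the one carrying the privilege. The same walk works for any system privilege: substituting GRANT ANY ROLE for ALTER USER lists who can hand out roles, which is the privilege user_a held in the original scenario.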