
Re: Discovered way to grant/revoke any right from any user!

From: Sybrand Bakker <postbus_at_sybrandb.demon.nl>
Date: Fri, 16 Apr 1999 19:27:29 +0200
Message-ID: <924283784.10592.0.rover.d4ee154e@news.demon.nl>


Wow...
Is that a security loophole or is that a security loophole! There are instances where this is very useful. In my current situation I'm a functional DBA and the real techies are a bit reluctant to provide sufficient privilege permanently. I sympathize with them; I have always avoided using the WITH ADMIN OPTION, as I know this is a way to lose control. Two questions come to mind:
I have seen a privilege called 'become user'. Yet I didn't see any command to accomplish that (except during imp, of course). This seems to me a more legitimate way to address this. On some operating systems (Vax/VMS, Unix) this works well. Does a similar command exist, or is it in the 'next version'?
The second question is quite obvious, and it is probably a feature request: couldn't we make sure Oracle closes this loophole in the near future?

Best regards,

Sybrand Bakker, Oracle DBA
Thomas Kyte wrote in message <371a1585.9435998_at_192.86.155.100>...
>A copy of this was sent to "Viewer" <bmotzer_at_spacestar.com>
>(if that email address didn't require changing)
>On Thu, 15 Apr 1999 23:11:53 -0500, you wrote:
>

[more snip]
[snip]
>
>the import trick works because import silently 'becomes' the other user (in
>effect, it is logging in as that other user for you).
>
>
>there is an easier way to do this that works with 7.0 and up on all
>platforms in sqlplus. If a user has "CREATE ANY PROCEDURE" and "EXECUTE ANY PROCEDURE"
>(eg: a DBA), the following script works well:
>[security bomb sniped, sorry]
>SQL> @dogrant scott emp all public
>
>user is "TKYTE"
>old 1: create procedure &1..dba_parse_$$( p_cur in number, p_str in varchar2 )
>new 1: create procedure scott.dba_parse_$$( p_cur in number, p_str in varchar2 )
>
>Procedure created.
>
>old 2: where owner = upper('&1') and table_name = upper('&2')
>new 2: where owner = upper('scott') and table_name = upper('emp')
>
>no rows selected
>
>old 6: sql_stmt := 'grant &3 on &1..&2 to &4';
>new 6: sql_stmt := 'grant all on scott.emp to public';
>old 7: &1..dba_parse_$$( exec_cursor, sql_stmt );
>new 7: scott.dba_parse_$$( exec_cursor, sql_stmt );
>
>PL/SQL procedure successfully completed.
>
>old 2: where owner = upper('&1') and table_name = upper('&2')
>new 2: where owner = upper('scott') and table_name = upper('emp')
>that shows that it worked (the grants were in fact given) without logging
>in as the other user.
>
>Thomas Kyte
>tkyte_at_us.oracle.com
>Oracle Service Industries
>Reston, VA USA
>
>--
>http://govt.us.oracle.com/ -- downloadable utilities
>
>----------------------------------------------------------------------------
>Opinions are mine and do not necessarily reflect those of Oracle Corporation
>
Received on Fri Apr 16 1999 - 12:27:29 CDT
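A defender-side check for the privilege combination Thomas Kyte names above (CREATE ANY PROCEDURE together with EXECUTE ANY PROCEDURE), added here as an example; it is not code from the thread or from Oracle. It assumes an Oracle release that supports CONNECT_BY_ROOT and ANSI join syntax (10g or later), a session with SELECT on the DBA_ views, and, for the second half, traditional (pre-unified) auditing being active. The first query reports every user or role that ends up holding both privileges, directly or through any chain of roles, which is the set of accounts that can create a definer-rights procedure in someone else's schema and then run it; the second half records and surfaces the tell-tale event, a procedure created under an owner other than the creating session.

```sql
-- Added example, not from the original thread or from Oracle.
-- Assumes: Oracle 10g+ (CONNECT_BY_ROOT, ANSI joins), SELECT on DBA_ views.

-- 1. Who holds BOTH "CREATE ANY PROCEDURE" and "EXECUTE ANY PROCEDURE"?
--    DBA_SYS_PRIVS lists direct grants to users and to roles;
--    DBA_ROLE_PRIVS lists role-to-user and role-to-role grants.
--    CONNECT BY walks each grantee down through every role it can reach,
--    so privileges held via nested roles are attributed back to the root.
SELECT holder,
       MAX(CASE WHEN privilege = 'CREATE ANY PROCEDURE'  THEN 'Y' END) AS can_create_any,
       MAX(CASE WHEN privilege = 'EXECUTE ANY PROCEDURE' THEN 'Y' END) AS can_execute_any
FROM (
        -- direct system-privilege grants
        SELECT grantee AS holder, privilege
        FROM   dba_sys_privs
        UNION
        -- grants reached through roles, at any depth
        SELECT rp.root_grantee AS holder, sp.privilege
        FROM (
                SELECT CONNECT_BY_ROOT grantee AS root_grantee,
                       granted_role
                FROM   dba_role_privs
                CONNECT BY PRIOR granted_role = grantee
             ) rp
        JOIN dba_sys_privs sp
          ON sp.grantee = rp.granted_role
     )
WHERE  privilege IN ('CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE')
GROUP  BY holder
HAVING COUNT(DISTINCT privilege) = 2      -- keep only holders of the pair
ORDER  BY holder;
-- Note: "holder" may be a role (DBA will always appear); compare the list
-- against DBA_USERS to see which login accounts are affected.

-- 2. Record use of the privilege that makes the trick possible.
--    Traditional auditing: one audit-trail row per statement.
AUDIT CREATE ANY PROCEDURE BY ACCESS;

-- 3. Surface the suspicious pattern: a procedure created in a schema that
--    is not the creating session's own. OWNER is the object's schema,
--    USERNAME is the session that issued the statement.
SELECT timestamp, username, owner, obj_name, action_name, returncode
FROM   dba_audit_trail
WHERE  action_name = 'CREATE PROCEDURE'
AND    owner <> username
ORDER  BY timestamp DESC;
```

The first query is the one to run on a schedule and diff against an approved baseline; any new grantee of the pair is effectively a new DBA regardless of what role name it carries. The audit query only returns rows once the AUDIT statement has been in force, so enable it before you expect to need it.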
