Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> Re: Discovered way to grant/revoke any right from any user!
On Fri, 16 Apr 1999 19:27:29 +0200, "Sybrand Bakker"
<postbus_at_sybrandb.demon.nl> wrote:
>.....[SNIPed comments about potential security loophole,
> demonstrated by another tkyte's brilliant example].....
>I have seen a privilege called 'become user'. Yet I didn't see any command
>to accomplish that (except during imp of course). This seems to me a more
>legitimate way to address this. On some operating systems (Vax/VMS, Unix)
>this is working well. Does a similar command exist or is it in the 'next
>version'?
It is undocumented ALTER SESSION variant:
ALTER SESSION SET CURRENT_SCHEMA = <user_name>
With it (provided you have been granted BECOME USER sys privilege) you can change your current schema to somone elses schema. However this doesn't mean that you also get the schema owner's privileges - you still act under your own privileges. So with it you still can't connect to someone elses schema and grant any privileges on its objects, unles you have been given those privileges with ADMIN OPTION.
This command merely eliminates the need to specify the owner name when referencing objects outside your own schema. Consider the following:
SQL> connect system/manager
Connected.
SQL> select count(*) from emp;
select count(*) from emp
*
SQL> select count(*) from scott.emp;
COUNT(*)
14
SQL> alter session set current_schema=scott;
Session altered.
SQL> select count(*) from emp;
COUNT(*)
14
SQL> grant select on emp to public;
grant select on emp to public
*
>The second question is quite obvious, and it is probably a feature request:
>couldn't we make sure Oracle closes this loophole in the near future.
>
>Best regards,
>
>Sybrand Bakker, Oracle DBA
Regards,
Jurij Modic <jmodic_at_src.si>
Certified Oracle7 DBA (OCP)