Re: 9iDB Security Hole?
Setting the compatible parameter has no effect (didn't think it would,
because it's designed to protect against the use of *structural* new
features, not syntax new features).
For example, setting it to 8.1.0 means you can't do this:
SQL> create undo tablespace blah datafile 'C:\blah01.dbf' size 5m;
create undo tablespace blah datafile 'C:\blah01.dbf' size 5m
*
ERROR at line 1:
ORA-00406: COMPATIBLE parameter needs to be 9.0.0.0.0 or greater
But it doesn't stop you using the syntax, you'll notice - just stops you creating the new structure itself.
Similarly, when you set compatible=8.1.0, the outer join syntax remains fully functional, because it's not dependent on any new structural features. So, for example:
SQL> connect / as sysdba
Connected.
SQL> show parameter compatible
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
compatible                           string      8.1.0
SQL> connect scott/tiger
COUNT(*)
14
And if the syntax is still supported, the bug is still exploitable by some nefarious user. Until it gets patched, there's nothing you can do about it as far as I can tell.
(Not sure why Niall couldn't get an 8.1-compatible database open. Just make sure you switch off db_cache_size and use db_block_buffers; sga_max_size mustn't be set; undo_management = manual; undo_retention not set, and it seems to work OK. There might have been some others I had to unset, too, but these are the ones that most spring to mind).
Regards
HJR
"Todd M. Helfter" <tmh_at_jumpgate.cc.purdue.edu> wrote in message
news:a9jk9h$66b$1_at_mozo.cc.purdue.edu...
>
> Can anyone think of an init.ora parameter to disable all users from having access
> to the security hole? Something like "TURN_OFF_SQL92_BLAH_BLAH" or would setting
> compatibility to 8.1.7 have the same effect?
>
> --
> Todd M. Helfter
> Database Analyst/Programmer
> Purdue University
> tmh_at_purdue.edu
Received on Wed Apr 17 2002 - 19:36:24 CDT