Re: 9iDB Security Hole?
Nuno,
You're missing something which is not necessarily obvious.
How many systems still create users with:
grant connect to userX identified by passwordX;
Despite the fact that roles DBA, RESOURCE and CONNECT have been contra-indicated for the last 5 years or so.
The CONNECT role includes the CREATE VIEW privilege.
--
Jonathan Lewis
http://www.jlcomp.demon.co.uk

Author of: Practical Oracle 8i: Building Efficient Databases

Next Seminar - Australia - July/August
http://www.jlcomp.demon.co.uk/seminar.html

Host to The Co-Operative Oracle Users' FAQ
http://www.jlcomp.demon.co.uk/faq/ind_faq.html

Received on Thu Apr 18 2002 - 02:35:41 CDT

Nuno Souto wrote in message ...
>
>If I understood and tested the problem correctly, the
>security hole shows up when a user has:
>
>1- CREATE SESSION privilege.
>2- CREATE VIEW privilege.
>3- The user creates a view on a non-authorized table using ANSI join syntax.
>
>Now, in a normal production environment, you'd most definitely NOT
>grant all users the privilege to create their own views?
>Which basically means you'd not have this problem at all.
>
>Or am I also missing something obvious?
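
An audit query for the point raised in the reply above, added here as an example and not part of either post: it lists every non-role grantee that ends up with CREATE VIEW, directly or through roles such as CONNECT, together with the grant chain. It assumes an account that can read the DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_ROLES dictionary views, and a release that supports SYS_CONNECT_BY_PATH (9i onwards).

```sql
-- Who can create views, and through which grant chain?
-- The inner UNION ALL treats system privileges and roles as one
-- "grantee received X" edge list. The hierarchical query starts at the
-- CREATE VIEW privileges and walks outwards: each step finds whoever
-- was granted the role reached in the previous step.
SELECT DISTINCT
       t.grantee,
       t.grant_chain
FROM  (
        SELECT grantee,
               SYS_CONNECT_BY_PATH(granted, ' <- ') AS grant_chain
        FROM  (
                SELECT grantee, privilege    AS granted FROM dba_sys_privs
                UNION ALL
                SELECT grantee, granted_role AS granted FROM dba_role_privs
              )
        START WITH granted IN ('CREATE VIEW', 'CREATE ANY VIEW')
        CONNECT BY PRIOR grantee = granted
      ) t
-- Drop the intermediate roles so that only end grantees remain:
-- database users, plus PUBLIC if the privilege reaches it.
WHERE  t.grantee NOT IN (SELECT role FROM dba_roles)
ORDER  BY t.grantee, t.grant_chain;
```

A user created with `grant connect to userX identified by passwordX;` appears with a chain of the form ` <- CREATE VIEW <- CONNECT` on releases where CONNECT carries that privilege.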