
Re: PL/SQL Package Execution Privileges

From: DA Morgan <damorgan_at_exesolutions.com>
Date: Thu, 06 Feb 2003 12:56:23 -0800
Message-ID: <3E42CBF6.8DC01052@exesolutions.com>


Sybrand Bakker wrote:

> On Thu, 6 Feb 2003 16:28:27 -0000, Jeremy Ovenden
> <newspostings_at_hazelweb.co.uk> wrote:
>
> >Question: if there is enough info here, how should I set this up? There
> >are some users in the system that need to be able to change the
> >passwords of other users (i.e. to reset them in the event of the user
> >forgetting them). This is a web-based application using pl/sql toolkit.
>
> You should NOT set this up, unless you want to build applications
> which are vulnerable to attacks.
>
> It is also not possible to do something for which you don't have the
> privilege. You can get around it, but you will end up using much more
> powerful backdoors.
> And you state it is a web-based application. I guess in my company I
> would even propose that, I would be at least frowned upon and get a
> bad reputation.
>
> Sybrand Bakker, Senior Oracle DBA
>
> To reply remove -verwijderdit from my e-mail address

Look at setting up a specific role with a password and then assigning that role to the one or two people that are authorized to exercise that privilege.

Also consider ... create a procedure owned by SYS ... and grant execute on the privilege to specific users. The procedure should take full advantage of user-id, terminal, program, etc. (stuff in v_$session) to validate the user beyond the normal password.

Daniel Morgan

Received on Thu Feb 06 2003 - 14:56:23 CST
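An added sketch of the procedure approach suggested in the reply above (not code from the thread or its posters): a definer's-rights PL/SQL procedure that resets passwords only for allow-listed accounts and checks session attributes first. It assumes a dedicated locked schema `SEC_ADMIN` in place of SYS, reads the session attributes through `SYS_CONTEXT('USERENV', ...)` rather than querying `v_$session`, and every object, role, host and module name in it is hypothetical.

```sql
-- Assumed, hypothetical objects: locked schema SEC_ADMIN holding a direct ALTER USER
-- grant, tables SEC_ADMIN.RESETTABLE_USERS(username) and SEC_ADMIN.PWD_RESET_AUDIT,
-- and role HELPDESK_RESET for the authorized callers.
CREATE OR REPLACE PROCEDURE sec_admin.reset_user_password (
  p_username     IN VARCHAR2,
  p_new_password IN VARCHAR2
) AUTHID DEFINER AS
  v_target  VARCHAR2(130);
  v_allowed PLS_INTEGER;
  v_caller  VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_host    VARCHAR2(256) := SYS_CONTEXT('USERENV', 'HOST');
  v_module  VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'MODULE');
BEGIN
  -- Raises an error unless the input is a single valid identifier,
  -- so nothing else can reach the dynamic ALTER USER statement.
  v_target := UPPER(DBMS_ASSERT.SIMPLE_SQL_NAME(p_username));

  -- Only allow-listed accounts can be reset; SYS, SYSTEM and other
  -- privileged accounts are never put on the list.
  SELECT COUNT(*) INTO v_allowed
    FROM sec_admin.resettable_users
   WHERE username = v_target;
  IF v_allowed = 0 OR v_target = v_caller THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password reset not permitted for this account');
  END IF;

  -- Session checks (constructed sample values). NVL matters: a NULL attribute
  -- would make the condition NULL and silently skip the check. HOST and MODULE
  -- are reported by the client, so they add to the role and allow-list, not replace them.
  IF NVL(v_host, '?') NOT IN ('HELPDESK01', 'HELPDESK02')
     OR NVL(v_module, '?') <> 'HELPDESK_APP' THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password reset not permitted from this session');
  END IF;

  -- The password is placed inside double quotes, so an embedded quote is refused.
  IF p_new_password IS NULL OR INSTR(p_new_password, '"') > 0 THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password contains unsupported characters');
  END IF;

  EXECUTE IMMEDIATE 'ALTER USER ' || v_target || ' IDENTIFIED BY "' || p_new_password || '"';

  -- Record who reset which account, and from where (never the password itself).
  INSERT INTO sec_admin.pwd_reset_audit (caller, target, host, module, reset_at)
  VALUES (v_caller, v_target, v_host, v_module, SYSDATE);
  COMMIT;
END reset_user_password;
/
GRANT EXECUTE ON sec_admin.reset_user_password TO helpdesk_reset;
```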
