Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: [Q] security risk on "execute any procedure"???

From: Sybrand Bakker <postbus_at_sybrandb.demon.nl>
Date: Wed, 02 Mar 2005 23:18:55 +0100
Message-ID: <mmec21hgcb2eaa265cm9dc4k2p9kvq37so@4ax.com>


On 2 Mar 2005 12:38:31 -0800, aaa <mccdba_at_yahoo.com> wrote:

>I checked ORACLE database we have on 9ir2. I found several users have "execute
>any procedure" right. Can anyone tell me what kind of security risk for
>"execute any procedure"?

Consider the following (courtesy of Thomas Kyte)

The user with create any procedure privilege issues the following

create or replace procedure <any owner>.do_sql(sqlstr in varchar2) is
begin
  execute immediate sqlstr;
end;

and
begin <any user>.do_sql('drop table emp cascade constraints'); end;

Now your user can issue whatever DDL command on <any user>'s schema, and take over control. Your user is also not going to leave any traces, as <any user> executes the procedures.

>
>If I already grant "select_catalog_role" and "execute_catalog_role", do I need
>grant "execute any procedure" privilege?
>
>Thanks.

Those roles affect the dictionary only, IIRC

--
Sybrand Bakker, Senior Oracle DBA
Received on Wed Mar 02 2005 - 16:18:55 CST
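
An added audit example, not part of the original post: one way to find which accounts hold the two "ANY procedure" privileges discussed in this thread, either directly or through nested roles. It uses CONNECT BY so that it also runs on 9i; the account name app_user in the template at the end is a hypothetical placeholder.

```sql
-- Added example (not from the original post). Run as a DBA;
-- it reads only the DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS views.

-- 1. Users and roles granted either privilege directly.
SELECT sp.grantee,
       sp.privilege,
       sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.privilege IN ('EXECUTE ANY PROCEDURE', 'CREATE ANY PROCEDURE')
ORDER  BY sp.grantee, sp.privilege;

-- 2. Users who inherit either privilege through a role, including roles
--    granted to other roles. The walk starts at every role that holds the
--    privilege and climbs from granted role to grantee until it reaches
--    real accounts.
SELECT DISTINCT rp.grantee AS username
FROM   dba_role_privs rp
WHERE  rp.grantee IN (SELECT username FROM dba_users)
START  WITH rp.granted_role IN
       (SELECT sp.grantee
        FROM   dba_sys_privs sp
        WHERE  sp.privilege IN ('EXECUTE ANY PROCEDURE',
                                'CREATE ANY PROCEDURE'))
CONNECT BY PRIOR rp.grantee = rp.granted_role
ORDER  BY username;

-- 3. Template for remediation. app_user is a hypothetical account name;
--    substitute each grantee reported above that does not need the privilege.
-- REVOKE EXECUTE ANY PROCEDURE FROM app_user;
-- REVOKE CREATE ANY PROCEDURE FROM app_user;

-- 4. Record later use of the privileges (takes effect only when the
--    AUDIT_TRAIL initialization parameter enables auditing).
-- AUDIT EXECUTE ANY PROCEDURE BY ACCESS;
-- AUDIT CREATE ANY PROCEDURE BY ACCESS;
```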
