Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: view privilege

From: Paul Drake <bdbafh_at_gmail.com>
Date: Mon, 25 Apr 2005 15:33:48 -0400
Message-ID: <910046b405042512332d2f9afb@mail.gmail.com>


On 4/25/05, Ray Stell <stellr_at_cns.vt.edu> wrote:

> From the 9.2 docs:
>
> The owner of the view (whether it is you or another user) must have
> been explicitly granted privileges to access all objects referenced in
> the view definition. The owner cannot have obtained these privileges
> through roles.
>
> What is the logic behind the role restriction? Why is a role less
> secure in the ora architecture? Thanks.
> ============================================================
> Ray Stell stellr_at_vt.edu (540) 231-4109 Tempus fugit 28^D

Roles, if granted, may or may not be enabled in a user session at runtime. Roles may have had their sys_privs changed between compile time and runtime.
Sounds to me like roles leave holes (for privilege escalation).

Before compiling the view, issue the following:

SQL> set role none;

hth.

Paul

--
#/etc/init.d/init.cssd stop
-- f=ma, divide by 1, convert to moles.

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Apr 25 2005 - 15:42:22 CDT
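
The restriction discussed in this thread, as an added SQL*Plus walk-through that is not part of the original messages: a privilege that reaches the view owner only through a role works for ad hoc queries but not for CREATE VIEW, and `set role none` reproduces what the view compiler sees. The accounts, role, table, passwords, the USERS tablespace and OS-authenticated SYSDBA access are assumptions made for the demo.

```sql
-- Constructed demo for a scratch database; run from SQL*Plus as a DBA.
-- DATA_OWNER, VIEW_OWNER, READ_ROLE, EMP_DATA and the passwords are
-- hypothetical; a tablespace named USERS is assumed to exist.
CREATE USER data_owner IDENTIFIED BY demo_pw_1
  DEFAULT TABLESPACE users QUOTA 1M ON users;
CREATE USER view_owner IDENTIFIED BY demo_pw_2;
GRANT CREATE SESSION, CREATE VIEW TO view_owner;
CREATE TABLE data_owner.emp_data (id NUMBER, name VARCHAR2(30));

-- The object privilege reaches VIEW_OWNER only through a role.
CREATE ROLE read_role;
GRANT SELECT ON data_owner.emp_data TO read_role;
GRANT read_role TO view_owner;

CONNECT view_owner/demo_pw_2
-- The role is enabled by default in this session, so the query works:
SELECT COUNT(*) FROM data_owner.emp_data;
-- The view does not compile, because role-granted privileges are ignored
-- here (typically reported as ORA-01031: insufficient privileges):
CREATE VIEW emp_v AS SELECT id, name FROM data_owner.emp_data;

-- SET ROLE NONE leaves only directly granted privileges active:
SET ROLE NONE;
SELECT COUNT(*) FROM data_owner.emp_data;  -- now fails (ORA-00942)

-- Fix: grant the object privilege directly to the view owner.
CONNECT / AS SYSDBA
GRANT SELECT ON data_owner.emp_data TO view_owner;
CONNECT view_owner/demo_pw_2
SET ROLE NONE;
CREATE VIEW emp_v AS SELECT id, name FROM data_owner.emp_data;  -- succeeds

-- Audit check: direct object grants vs. grants that arrive via roles.
CONNECT / AS SYSDBA
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'VIEW_OWNER';
SELECT rp.grantee, rp.granted_role, tp.owner, tp.table_name, tp.privilege
  FROM dba_role_privs rp
  JOIN dba_tab_privs tp ON tp.grantee = rp.granted_role
 WHERE rp.grantee = 'VIEW_OWNER';
```

The last two queries separate what a view owner holds directly from what it holds only while a role is enabled, which is the distinction to review before relying on a view as an access boundary.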
