
Re: Why is Oracle letting me do this? Security issue?

From: Michael Krolewski <vandra_at_u.washington.edu>
Date: Tue, 20 Apr 1999 01:01:39 -0700
Message-ID: <371C3463.2A9FA812@u.washington.edu>

PMG wrote:

> I'd love to find out what the official term for this is, and the justification for
> it. It seems to be a loophole in security, since I can indirectly modify a table
> that I do not have direct permissions assigned.
>
> Pete
>

I believe this is not a loophole. The owner of the table is directly controlling the processing of its data. The omission of specific cases or conditions is not a security loophole but a coding mistake.

If in your example you did not wish for userX to update table B when table A is updated, you need to add that into the code. If tableB should not be updated by the owner of tableA, then the security system would have prevented it with a compile error of the trigger.

The triggers are often used to guarantee data integrity, not security.

Mike Krolewski

> Andrew Babb wrote:
>
> > Hi,
> >
> > I think you will find that the trigger fires as the owner, and not as the
> > person performing the initial insert. Therefore, it is the schema of table A
> > performing the insert into table B, not User X performing the insert into
> > table B.
> >
> > Oracle does have an official term for this, which someone might be able to
> > provide, but I cannot remember immediately.
> >
> > Rgds
> > Andrew
> >
Received on Tue Apr 20 1999 - 03:01:39 CDT
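
The behaviour discussed in this thread, as an added example that is not part of the original posts: a trigger on table A writes to table B with the trigger owner's privileges, followed by a review query that lists grantees who can reach a table only through such a trigger. The schema, user, table and trigger names, the passwords and the USERS tablespace are assumptions made for illustration.

```sql
-- Constructed names (OWNER_A, USER_X, tables A and B); run as a DBA in a scratch database.
-- Assumes a tablespace named USERS exists.
CREATE USER owner_a IDENTIFIED BY "Placeholder_1" QUOTA UNLIMITED ON users;
CREATE USER user_x  IDENTIFIED BY "Placeholder_2";
GRANT CREATE SESSION TO user_x;

CREATE TABLE owner_a.a (id NUMBER PRIMARY KEY, note VARCHAR2(40));
CREATE TABLE owner_a.b (a_id NUMBER, changed_by VARCHAR2(128), changed_at DATE);

CREATE OR REPLACE TRIGGER owner_a.a_after_insert
AFTER INSERT ON owner_a.a
FOR EACH ROW
BEGIN
  -- Executes with OWNER_A's privileges; the session user is recorded for accountability.
  INSERT INTO owner_a.b (a_id, changed_by, changed_at)
  VALUES (:NEW.id, SYS_CONTEXT('USERENV', 'SESSION_USER'), SYSDATE);
END;
/

GRANT INSERT ON owner_a.a TO user_x;

-- Connected as USER_X:
--   INSERT INTO owner_a.a VALUES (1, 'x');           -- succeeds; the trigger adds a row to B
--   INSERT INTO owner_a.b VALUES (1, 'x', SYSDATE);  -- fails with ORA-00942: no privilege on B

-- Review query: triggers that reference a table other than their base table, and the
-- grantees who hold DML on the base table but no direct object privilege on that other table.
SELECT t.owner, t.trigger_name, t.table_name AS fires_on,
       d.referenced_owner, d.referenced_name AS touches,
       p.grantee, p.privilege
FROM   dba_triggers t
JOIN   dba_dependencies d
       ON  d.owner = t.owner AND d.name = t.trigger_name AND d.type = 'TRIGGER'
       AND d.referenced_type = 'TABLE'
       AND NOT (d.referenced_owner = t.table_owner AND d.referenced_name = t.table_name)
JOIN   dba_tab_privs p
       ON  p.owner = t.table_owner AND p.table_name = t.table_name
       AND p.privilege IN ('INSERT', 'UPDATE', 'DELETE')
WHERE  t.owner = 'OWNER_A'
AND    NOT EXISTS (SELECT 1 FROM dba_tab_privs q
                   WHERE  q.grantee = p.grantee
                   AND    q.owner = d.referenced_owner
                   AND    q.table_name = d.referenced_name)
ORDER  BY t.trigger_name, p.grantee;
```

The review query compares direct object grants only; it does not resolve role membership or system privileges such as INSERT ANY TABLE.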
