
Re: Oracle security vulnerability, nuisance, or paranoia?

From: <joel-garry_at_home.com>
Date: 10 Jan 2005 16:08:02 -0800
Message-ID: <1105402082.320459.183700@f14g2000cwb.googlegroups.com>

casey.kirkpatr..._at_gmail.com wrote:

>
> My question: isn't this a bit of a security flaw that a user who does
> *not* have UPDATE access to a table, and should *ONLY* be able to
> SELECT from the table, can still open a *FOR UPDATE* cursor against
> that table, and thus obtain exclusive locks on the table's rows?

This is a feature, not a bug. Kind of like, you browse into a ticket vendor and discover they have front-row seats for David Bowie's next concert, but won't let you actually update it to "sold" until you've submitted payment info, but you wouldn't want somebody else to update it while you are fumbling for your credit card, right? And someone else might be queued up for it in case you decide not to buy? (Not that any ticket apps are actually coded that way, but they could be...)

Lock exclusion and update exclusion are two different things.

Of course, if your application doesn't try to do something like this, fix the application. It is only a denial of service attack if you let it be, not inherent to Oracle.

jg

--
@home.com is bogus.
I think lying to investors should be punished automatically.
http://www.signonsandiego.com/uniontrib/20050109/news_1b9dura.html
Received on Mon Jan 10 2005 - 18:08:02 CST
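
The lock-versus-update distinction discussed in this message, as an added example that is not part of the original post: the SELECT grant that permits `FOR UPDATE` locking beside the READ grant that does not, plus two checks a DBA can run. It assumes Oracle Database 12.1.0.2 or later (where the READ object privilege exists) and uses hypothetical names: schema `APP`, table `SEATS`, account `REPORT_USER`.

```sql
-- Hypothetical names for illustration: schema APP, table SEATS, account REPORT_USER.
-- Assumes Oracle Database 12.1.0.2 or later (READ object privilege available).

-- Weak setting: SELECT also permits SELECT ... FOR UPDATE and LOCK TABLE.
GRANT SELECT ON app.seats TO report_user;

-- With only that grant, REPORT_USER can run the statement below and hold
-- row locks until COMMIT or ROLLBACK, despite having no UPDATE privilege:
--   SELECT seat_id FROM app.seats WHERE row_label = 'A' FOR UPDATE;

-- Corrected setting: READ allows queries but rejects FOR UPDATE and
-- LOCK TABLE with an insufficient-privileges error.
REVOKE SELECT ON app.seats FROM report_user;
GRANT READ ON app.seats TO report_user;

-- Audit: grantees that hold SELECT on an APP table without UPDATE on the
-- same table, i.e. read-only accounts that can still take row locks.
SELECT s.grantee, s.owner, s.table_name
FROM   dba_tab_privs s
WHERE  s.owner = 'APP'
AND    s.privilege = 'SELECT'
AND    NOT EXISTS (
         SELECT 1
         FROM   dba_tab_privs u
         WHERE  u.grantee    = s.grantee
         AND    u.owner      = s.owner
         AND    u.table_name = s.table_name
         AND    u.privilege  = 'UPDATE');

-- Detection: sessions currently waiting on a row lock, with the session
-- that holds it (single-instance view; join on instance as well for RAC).
SELECT w.sid      AS waiting_sid,
       w.username AS waiting_user,
       b.sid      AS blocking_sid,
       b.username AS blocking_user,
       w.seconds_in_wait
FROM   v$session w
JOIN   v$session b ON b.sid = w.blocking_session
WHERE  w.event = 'enq: TX - row lock contention';
```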
