Oracle FAQ | Your Portal to the Oracle Knowledge Grid
Re: Oracle security vulnerability, nuisance, or paranoia? (c.d.o.misc)
casey.kirkpatr..._at_gmail.com wrote:
>
> My question: isn't this a bit of a security flaw that a user who does
> *not* have UPDATE access to a table, and should *ONLY* be able to
> SELECT from the table, can still open a *FOR UPDATE* cursor against
> that table, and thus obtain exclusive locks on the table's rows?
This is a feature, not a bug. Kind of like, you browse into a ticket vendor and discover they have front-row seats for David Bowie's next concert, but won't let you actually update it to "sold" until you've submitted payment info, but you wouldn't want somebody else to update it while you are fumbling for your credit card, right? And someone else might be queued up for it in case you decide not to buy? (Not that any ticket apps are actually coded that way, but they could be...)
Lock exclusion and update exclusion are two different things.
Of course, if your application doesn't try to do something like this, fix the application. It is only a denial of service attack if you let it be, not inherent to Oracle.
jg
-- @home.com is bogus. I think lying to investors should be punished automatically. http://www.signonsandiego.com/uniontrib/20050109/news_1b9dura.html

Received on Mon Jan 10 2005 - 18:08:02 CST
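The behaviour discussed in this thread, as an added SQL example that is not from the original post: a SELECT-only user takes a row lock with FOR UPDATE, the owner's UPDATE blocks, and the two defences a practitioner would reach for (a bounded wait in the application, and the READ object privilege, which exists in Oracle Database 12.1.0.2 and later and does not permit FOR UPDATE). The schema, user and password are constructed.

```sql
-- Session A: schema owner APP (constructed) creates a table and a read-only user.
CREATE TABLE app.tickets (id NUMBER PRIMARY KEY, status VARCHAR2(10));
INSERT INTO app.tickets VALUES (1, 'AVAILABLE');
COMMIT;
CREATE USER reader IDENTIFIED BY "<placeholder-password>";
GRANT CREATE SESSION TO reader;
GRANT SELECT ON app.tickets TO reader;     -- SELECT only, no UPDATE

-- Session B (READER): the SELECT privilege alone is enough to lock the row.
SELECT id, status FROM app.tickets WHERE id = 1 FOR UPDATE;
-- one row returned; the row lock is held until READER commits or rolls back

-- Session A (APP): the owner, who does hold UPDATE, now waits indefinitely.
UPDATE app.tickets SET status = 'SOLD' WHERE id = 1;
-- hangs until session B ends its transaction

-- Application-side fix (the reply's advice): never wait without a bound.
-- Lock the row first with a timeout, then update it.
SELECT id FROM app.tickets WHERE id = 1 FOR UPDATE NOWAIT;
-- ORA-00054: resource busy and acquire with NOWAIT specified
SELECT id FROM app.tickets WHERE id = 1 FOR UPDATE WAIT 5;
-- ORA-30006: resource busy; acquire with WAIT timeout expired

-- Detection (a DBA session): who is blocked, by whom, and for how long.
SELECT s.sid, s.username, s.blocking_session, s.seconds_in_wait, s.sql_id
  FROM v$session s
 WHERE s.blocking_session IS NOT NULL;
-- APP's session appears with blocking_session = READER's SID

-- Privilege-level fix (12.1.0.2 and later): READ allows queries but not FOR UPDATE.
REVOKE SELECT ON app.tickets FROM reader;
GRANT READ ON app.tickets TO reader;

-- Session B (READER) again:
SELECT id, status FROM app.tickets WHERE id = 1;              -- still works
SELECT id, status FROM app.tickets WHERE id = 1 FOR UPDATE;   -- ORA-01031: insufficient privileges
```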