Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.misc -> Re: Oracle security vulnerability, nuisance, or paranoia?

Re: Oracle security vulnerability, nuisance, or paranoia?

From: <joel-garry_at_home.com>
Date: 10 Jan 2005 16:08:02 -0800
Message-ID: <1105402082.320459.183700@f14g2000cwb.googlegroups.com> 






casey.kirkpatr..._at_gmail.com wrote:



>

> My question: isn't this a bit of a security flaw that a user who does

> *not* have UPDATE access to a table, and should *ONLY* be able to

> SELECT from the table, can still open a *FOR UPDATE* cursor against

> that table, and thus obtain exclusive locks on the table's rows?




This is a feature, not a bug.  Kind of like, you browse into a ticket
vendor and discover they have front-row seats for David Bowie's next
concert, but won't let you actually update it to "sold" until you've
submitted payment info, but you wouldn't want somebody else to update
it while you are fumbling for your credit card, right?  And someone
else might be queued up for it in case you decide not to buy?  (Not
that any ticket apps are actually coded that way, but they could be...)



Lock exclusion and update exclusion are two different things.



Of course, if your application doesn't try to do something like this,
fix the application.  It is only a denial of service attack if you let
it be, not inherent to Oracle.



jg

--
@home.com is bogus.
I think lying to investors should be punished automatically.
http://www.signonsandiego.com/uniontrib/20050109/news_1b9dura.html


Received on Mon Jan 10 2005 - 18:08:02 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US