Re: Trying to change user's password using PL/SQL procedure.

From: Thomas Kyte <tkyte_at_us.oracle.com>
Date: Wed, 23 Sep 1998 16:43:25 GMT
Message-ID: <360b2461.6017492_at_192.86.155.100>

A copy of this was sent to Vijay Damodaran <vijayd_at_nortel.com> (if that email address didn't require changing) On Wed, 23 Sep 1998 10:34:58 -0500, you wrote:

>Hi,
>
>I have written a procedure which will be called by Dev2000 forms
>application to change a user's passwd.
>I am using Oracle 7.3.2 and PL/SQL 2.2.3. The procedure is as follows
>and currently contains a lot of
>debug messages.
>
>The procedure calls "alter user ..." using dbms_sql.execute.
>
>The steps that I took to implement this procedure are:
> 1. Logged in to SQLPlus as "gsmdba" (Does not have DBA privilege) and
>compiled the procedure
> "ChangePasswd". No errors.
> 2. Created public synonym "ChangePasswd" for "gsmdba.ChangePasswd".
> 3. Granted execute on "ChangePasswd" to public.
>
> The problem is that I can only change the passwd for gsmdba with this
>procedure. Even when I login
> as someone else, I can change passwd for gsmdba, but not for the user
>whom I logged in as. I seems
> as if the procedure executes as the owner of the procedure.
>

thats right -- procedures execute as OWNER, not as caller (thats why you can create a table, write a procedure that inserts into the table and grant execute on that procedure without having to grant INSERT on the table to all involved...)

How to fix your problem?

grant alter user to the owner of this procedure
remove the a_userid in parameter from the procedure
replace all references to a_userid with USER instead

That way, it can change any users password HOWEVER since it only uses the USER psuedo variable it will only change the password for the person currently logged in (so they cannot use it to change someone elses password as they are doing now)...

>
> Can u tell me why this happens??
>
> Thanks,
>
> VJ.
>
>--------------------

[snip]

Thomas Kyte
tkyte_at_us.oracle.com
Oracle Government
Herndon VA

--
http://govt.us.oracle.com/    -- downloadable utilities
 
----------------------------------------------------------------------------
Opinions are mine and do not necessarily reflect those of Oracle Corporation
 
Anti-Anti Spam Msg: if you want an answer emailed to you, 
you have to make it easy to get email to you.  Any bounced
email will be treated the same way i treat SPAM-- I delete it.

Received on Wed Sep 23 1998 - 18:43:25 CEST

This message: [ Message body ]
Next message: Michael Angelo: "What has happened to ORACLE-L email List?"
In reply to Vijay Damodaran: "Trying to change user's password using PL/SQL procedure."

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message