Re: PUBLIC privileges on XDB$ACL
From: David Fitzjarrell <oratune_at_yahoo.com>
Date: Thu, 19 Jul 2012 06:51:01 -0700 (PDT)
Message-ID: <1342705861.85756.YahooMailNeo_at_web121605.mail.ne1.yahoo.com>
I see no such grant in catqm.sql in 10.2 or 11.2; I expect that this was version 9 behavior and was corrected in later releases to close possible security holes. I do not have a 10.1 installation to check.
David Fitzjarrell
From: "david_at_databasesecurity.com" <david_at_databasesecurity.com> To: oracle-l_at_freelists.org
Sent: Wednesday, July 18, 2012 8:31 PM
Subject: PUBLIC privileges on XDB$ACL
Hey all,
I'm trying to track down the source of an overly permissive privilege issue
on XDB$ACL. At about Oracle 9.2 when Oracle XML Database is installed it
seems catqm.sql (or one of its sub-scripts) executed
"grant all on XDB.XDB$ACL to public"
Current versions of Oracle don't, but I'm trying to work out if earlier or
later versions also did this too. Any help would be very much appreciated!
Thanks,
David
--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jul 19 2012 - 08:51:01 CDT
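Added example, not part of the thread and not Oracle's code: one way to repeat the check discussed above against any installation's script directory, by walking catqm.sql and the scripts it calls with @ or @@ and reporting grants on XDB$ACL that include PUBLIC. It assumes the scripts are plain text (wrapped files cannot be read this way); example_sub.sql and the file contents in demo() are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# SQL*Plus script calls: "@name" or "@@name" at the start of a line.
CALL_RE = re.compile(r"^\s*@@?\s*([\w.$-]+)", re.MULTILINE)
# "grant <privs> on [xdb.]xdb$acl to <grantees>" with PUBLIC among the grantees.
GRANT_RE = re.compile(
    r"\bgrant\s+([^;]+?)\s+on\s+(?:xdb\s*\.\s*)?xdb\$acl\s+to\s+[^;]*\bpublic\b",
    re.IGNORECASE)
# Whole-line REM comments and trailing "--" comments, so disabled grants are ignored.
COMMENT_RE = re.compile(r"^\s*rem\b.*$|--.*$", re.IGNORECASE | re.MULTILINE)


def find_public_acl_grants(admin_dir, entry="catqm.sql"):
    """Scan entry and every script it calls; return [(script, privileges)]."""
    admin_dir, hits, seen, todo = Path(admin_dir), [], set(), [entry]
    while todo:
        name = todo.pop()
        if not Path(name).suffix:
            name += ".sql"  # SQL*Plus default extension
        path = admin_dir / name
        if name.lower() in seen or not path.is_file():
            continue
        seen.add(name.lower())
        sql = COMMENT_RE.sub("", path.read_text(errors="replace"))
        hits += [(name, " ".join(m.group(1).split()).lower())
                 for m in GRANT_RE.finditer(sql)]
        todo += CALL_RE.findall(sql)  # follow sub-scripts
    return hits


def demo():
    """Run the scan over a constructed two-script tree (not Oracle's real files)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        d.joinpath("catqm.sql").write_text(
            "Rem constructed sample\n@@example_sub\n"
            "grant select on xdb.xdb$acl to xdbadmin;\n")
        d.joinpath("example_sub.sql").write_text(
            "-- grant all on XDB.XDB$ACL to public;\n"
            "grant all on XDB.XDB$ACL to public;\n"
            "@@catqm.sql\n")
        return find_public_acl_grants(d)


if __name__ == "__main__":
    print(demo())
```

Pointing find_public_acl_grants at the rdbms/admin directory of each installed release gives a per-version answer from the shipped scripts themselves.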