Re: grant to public
Jared.Still_at_radisys.com wrote:
>
> Not necessarily the public at large.
>
> My cousin Gabrielle in Berlin might be considered part of the public
> in the broad sense of the word, but unless she has access to your
> database, she won't be able to select on the table.
>
> People that *do* have access to your database however *will* be
> able to look at your table.
>
> Unless of course they don't have the 'CREATE SESSION' privilege
> either directly or indirectly. In that case, they will be out in the cold
> with Gabby.
>
> Jared
>
The problem is that connecting to a database is not that difficult. I am currently giving some thought to the thing, working (among other things) on a program to test Oracle security. For all the 'Can't break in' ads run by Oracle, the sad truth is that DBSNMP/DBSNMP allows you more often than not to connect to a database (if it fails, try OUTLN/OUTLN) - granted, it's not _strictly_ Oracle's fault, but it usually takes a DBA a while before s/he finds all backdoor entries. From there, any 'PUBLIC' object is accessible to you. Public database links are also accessible to you, and may allow you to connect elsewhere.

To refer to another recent post about database cloning, a number of test databases, for which password security is often lax, are obtained by cloning - not only do they contain the same data (possibly only slightly out of date) as prod databases, but quite often they also contain (public) database links to other prod databases, either left there by mistake or created to compare schemas. Not to mention that once you are connected, even with low privileges, you have access to ALL_USERS, and it would really be bad luck not to be able to log in as some username/username.

Not that I am paranoid, just driven to despair by users.
--
Regards,

Stephane Faroult
Oriole Ltd

Received on Wed Jan 09 2002 - 14:41:13 CST
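
A DBA-side audit of the exposures raised in this thread, as an added example that is not part of the original messages: it checks the DBSNMP and OUTLN accounts, which accounts can actually connect, what is granted to PUBLIC, and which public database links exist. It assumes a login with SELECT on the DBA_* dictionary views; the schema exclusion list in query 4 is an assumption to adapt.

```sql
-- Added audit example; run as a user with SELECT on the DBA_* dictionary views.

-- 1. Status of the two accounts named in the post.
SELECT username, account_status
FROM   dba_users
WHERE  username IN ('DBSNMP', 'OUTLN');

-- 2. Accounts still using a known default password (view exists in 11g and later).
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username;

-- 3. Open accounts that hold CREATE SESSION directly, through PUBLIC,
--    or through any chain of roles ("directly or indirectly" in the quoted mail).
WITH can_connect AS (
  SELECT grantee FROM dba_sys_privs WHERE privilege = 'CREATE SESSION'
  UNION
  SELECT rp.grantee
  FROM   dba_role_privs rp
  START WITH rp.granted_role IN
             (SELECT grantee FROM dba_sys_privs WHERE privilege = 'CREATE SESSION')
  CONNECT BY NOCYCLE PRIOR rp.grantee = rp.granted_role
)
SELECT u.username
FROM   dba_users u
WHERE  u.account_status = 'OPEN'
AND    (u.username IN (SELECT grantee FROM can_connect)
        OR EXISTS (SELECT 1 FROM can_connect WHERE grantee = 'PUBLIC'))
ORDER  BY u.username;

-- 4. Object privileges granted to PUBLIC on application schemas.
--    The exclusion list is an assumption: extend it with the Oracle-supplied
--    schemas installed in your database.
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, table_name, privilege;

-- 5. Public database links, with the remote account and target they use.
SELECT db_link, username, host, created
FROM   dba_db_links
WHERE  owner = 'PUBLIC';
```

On a cloned test database, rows from query 5 whose host points at production are the links to drop or repoint first.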