Is Statspack a Security Problem?
To wit:
$ grep -i grant spctab.sql
grant select on STATS$SNAPSHOT_ID to PUBLIC;
grant select on STATS$DATABASE_INSTANCE to PUBLIC;
grant select on STATS$SNAPSHOT to PUBLIC;
grant select on STATS$FILESTATXS to PUBLIC;
grant select on STATS$TEMPSTATXS to PUBLIC;
grant select on STATS$LATCH to PUBLIC;
grant select on STATS$LATCH_CHILDREN to PUBLIC;
grant select on STATS$LATCH_PARENT to PUBLIC;
grant select on STATS$LATCH_MISSES_SUMMARY to PUBLIC;
grant select on STATS$LIBRARYCACHE to PUBLIC;
grant select on STATS$BUFFER_POOL_STATISTICS to PUBLIC;
grant select on STATS$ROLLSTAT to PUBLIC;
grant select on STATS$ROWCACHE_SUMMARY to PUBLIC;
grant select on STATS$SGA to PUBLIC;
grant select on STATS$SGASTAT to PUBLIC;
grant select on STATS$SYSSTAT to PUBLIC;
grant select on STATS$SESSTAT to PUBLIC;
grant select on STATS$SYSTEM_EVENT to PUBLIC;
grant select on STATS$SESSION_EVENT to PUBLIC;
grant select on STATS$BG_EVENT_SUMMARY to PUBLIC;
grant select on STATS$WAITSTAT to PUBLIC;
grant select on STATS$ENQUEUESTAT to PUBLIC;
grant select on STATS$SQL_SUMMARY to PUBLIC;
grant select on STATS$SQLTEXT to PUBLIC;
grant select on STATS$SQL_STATISTICS to PUBLIC;
grant select on STATS$LEVEL_DESCRIPTION to PUBLIC;
grant select on STATS$IDLE_EVENT to PUBLIC;
grant select on STATS$PARAMETER to PUBLIC;
grant select on STATS$STATSPACK_PARAMETER to PUBLIC;
-----------------------------------------------------------------------------------------------

Notice the grants on stats$sqltext and stats$sql_summary. Should anyone who logs into the database be able to see nearly all SQL run against it? Oracle appears to truncate alter user statements so that one cannot find 'alter user blatz identified by password;' but one may stumble on 'update sal_table set sal = 100 where empoyee_id = 5;' or something to that effect.

Ian MacGregor
Stanford Linear Accelerator Center
ian_at_SLAC.Stanford.edu
Author: MacGregor, Ian A.
INET: ian_at_SLAC.Stanford.EDU
Received on Wed Jul 24 2002 - 10:23:28 CDT
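
An added example, not part of the original post or of Oracle's scripts: a shell function that turns the grant lines found by the grep above into a remediation script that revokes the PUBLIC grants and, optionally, re-grants SELECT to a named role. The function name gen_revokes and the role STATSPACK_READER are hypothetical, and the role is assumed to exist already.

```shell
#!/bin/sh
# Added example. gen_revokes and the role name are hypothetical.
# Reads SQL on stdin and, for every "grant select on STATS$... to PUBLIC",
# prints the matching revoke. If a role name is given as $1, also prints a
# grant to that role (the role is assumed to exist already).
gen_revokes() {
    tr ';' '\n' | awk -v role="$1" '
        # Unquoted Oracle identifiers are case-insensitive, so normalise.
        { $0 = toupper($0) }
        NF == 6 && $1 == "GRANT" && $2 == "SELECT" && $3 == "ON" &&
        $4 ~ /^STATS\$/ && $5 == "TO" && $6 == "PUBLIC" {
            # The two tables the post singles out as holding statement text.
            if ($4 == "STATS$SQLTEXT" || $4 == "STATS$SQL_SUMMARY")
                print "-- " $4 " exposes SQL text"
            print "revoke select on " $4 " from PUBLIC;"
            if (role != "")
                print "grant select on " $4 " to " role ";"
        }'
}

# Demo on three lines taken from the grep output in the post.
gen_revokes STATSPACK_READER <<'EOF'
grant select on STATS$SGA to PUBLIC;
grant select on STATS$SQLTEXT to PUBLIC;
grant select on STATS$SQL_SUMMARY to PUBLIC;
EOF
```

Against a real install script the input would be `grep -i grant spctab.sql | gen_revokes STATSPACK_READER`, with the output reviewed before it is run in the database.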