
Re: Grant column

From: Jared Still <jkstill_at_gmail.com>
Date: Tue, 21 Dec 2004 17:14:07 -0800
Message-ID: <bf46380412211714ca366f4@mail.gmail.com>


There are some interesting security implications around the issue of granting DML privs on columns.

Log on to a database and run this script:

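-- Recreate the demo table (the drop fails harmlessly on the first run)
drop table gt;

create table gt (
        last_name varchar2(20),
        first_name varchar2(20),
        salary number
)
/

insert into gt values('Simpson','Homer',100000);
insert into gt values('Flintstone','Fred',200000);
insert into gt values('Rubble','Barney',300000);

commit;

-- scott gets UPDATE on the salary column only, and no SELECT on the table
grant update(salary) on gt to scott;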

Now, if Fred Flintstone logs on to the database as scott, he can determine that Barney Rubble is making much more money than he is. If he is patient, he can determine the exact figure.

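Here's how:

-- Needed in SQL*Plus to display the dbms_output line
set serveroutput on

begin
        -- No-op update: the salary is unchanged, but the WHERE clause is evaluated
        update js001292.gt
        set salary = salary
        where last_name  = 'Rubble'
        and salary >= 300000;

        -- The row count reveals whether the predicate matched
        dbms_output.put_line('count: '  || sql%rowcount);

        rollback;
end;
/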

Fred now knows that Barney is making at least 100K more than he is. Mr Slate is about to get an earful.

-- 
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
--
http://www.freelists.org/webpage/oracle-l
Received on Tue Dec 21 2004 - 19:09:26 CST
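
The defensive side of the issue described in the message, as an added example that is not part of the original post: find column-level UPDATE grants that allow this kind of probing, then close the channel. It assumes a DBA session in SQL*Plus; `set_salary` is a hypothetical procedure name, while `js001292.gt` and `scott` are taken from the message.

```sql
-- Added example, not from the original message. Run as a DBA in SQL*Plus.

-- 1. Audit: column-level UPDATE grants where the grantee holds no direct
--    SELECT grant on the same table. Each row is a column whose values can
--    be probed through WHERE predicates and SQL%ROWCOUNT.
--    Limitation: SELECT received through a role or SELECT ANY TABLE is not
--    considered, so review the output rather than treating it as final.
select c.grantee, c.owner, c.table_name, c.column_name
from   dba_col_privs c
where  c.privilege = 'UPDATE'
and    not exists (
         select 1
         from   dba_tab_privs t
         where  t.grantee    = c.grantee
         and    t.owner      = c.owner
         and    t.table_name = c.table_name
         and    t.privilege  = 'SELECT')
order  by c.owner, c.table_name, c.grantee;

-- 2. Check whether the instance requires SELECT privilege for UPDATE and
--    DELETE statements that reference column values.
select name, value from v$parameter where name = 'sql92_security';

-- 3. Enforce it. The parameter is static, so it takes effect at the next
--    instance restart. Afterwards the probing UPDATE fails with ORA-01031
--    unless the user also has SELECT on the table.
alter system set sql92_security = true scope = spfile;

-- 4. Alternative: drop the column grant and expose a narrow procedure.
--    Column privileges cannot be revoked per column; revoke UPDATE on the
--    whole table instead.
revoke update on js001292.gt from scott;

create or replace procedure js001292.set_salary (   -- hypothetical name
        p_last_name  in varchar2,
        p_first_name in varchar2,
        p_salary     in number)
as
begin
        -- The caller supplies no predicate on salary and gets no row count back
        update gt
        set    salary = p_salary
        where  last_name  = p_last_name
        and    first_name = p_first_name;
end;
/

grant execute on js001292.set_salary to scott;
```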
