| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> all_objects: anyone know why Oracle decided to only make triggers viewable with "CREATE ANY TRIGGER" system priv?
While trying to figure out how to give our data modelers access to read any
object, we came across this little caveat where they need "CREATE ANY
TRIGGER" to see triggers in all_objects. Ironically, we can grant them
"SELECT ANY DICTIONARY" and they can find the triggers from dba_objects, but
since they are using a canned app that hardcodes all_objects, that was not
happening.
But, why would you have to have a relatively powerful system privilege just to see triggers? The relevant part of all_objects is:
or
(
o.type# in (12) /* trigger */
and
exists (select null from v$enabledprivs
where priv_number in (
-152 /* CREATE ANY TRIGGER */
)
)
What about priv_number 237 (SELECT ANY DICTIONARY)? Or any other innocuous priv?
In doing some research, I came across David Litchfield's paper on security: http://securityvulns.com/files/ohh-indirect-privilege-escalation.pdf
Also, Pete Finigans:
http://www.pentest.co.uk/documents/oracle-security.htm
I appreciated Alex Gorbachev's take on the fiasco with SYS and authid as
well:
http://www.pythian.com/blogs/352/calling-definer-rights-procedure-as-sysdba-security-hole
I am sure the issue with all_objects has been addressed, but googling for specific information is like finding a needle in a haystack.
-- Charles Schultz -- http://www.freelists.org/webpage/oracle-lReceived on Mon Oct 29 2007 - 13:00:32 CDT
 |
 |