granting sys objects with grant option in 11.2.0.3 the grant option has no effect

From: <Kurt-Franke_at_web.de>
Date: Tue, 21 Feb 2012 15:08:44 +0100 (CET)
Message-ID: <425526404.4014255.1329833324163.JavaMail.fmail_at_mwmweb047>



Hello all,

I detected a problem as described by the testcase below (tested in the following installations):

Linux x86 64-bit - Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
Microsoft Windows x86 64-bit - Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
Linux IA (32-bit) - Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - Production

The problem did not occur on 11.2.0.2 or previous.

Testcase:

create user ttt_user identified by asdfghjk;
grant create session to ttt_user;
grant execute on dbms_output to ttt_user with grant option;
create user ttt2_user identified by asdfghjk;
connect ttt_user/asdfghjk
-- execute privilege is there
exec dbms_output.enable
-- but grant option is missing
grant execute on sys.dbms_output to ttt2_user;
                     *
ERROR at line 1:
ORA-01031: insufficient privileges

This problem did not occur with select privilege on a sys table.
It also did not occur with execute privilege on a user package.

We use this feature for a special admin user in a software system with tenant isolation, where the isolation is done by using separate database schemas for each tenant. The admin user is there to create new tenants (a very complex installation procedure) and needs to grant a couple of execute privileges on sys packages.

Has anyone heard of this problem?
Is there any mechanism to fall back to the previous functional behaviour - i.e. setting a hidden parameter, setting a special event etc.?

(I'm arguing the ignoring of the grant option with execute privilege on sys objects is a workaround due to a security problem that occurred later)

TIA
kf
--
http://www.freelists.org/webpage/oracle-l
Received on Tue Feb 21 2012 - 08:08:44 CST
