Re: PUBLIC privileges on XDB$ACL
From: Rich Jesse <rjoralist2_at_society.servebeer.com>
Date: Thu, 19 Jul 2012 14:36:33 -0500 (CDT)
Message-ID: <73463f29f7f566d091760928027ee546.squirrel_at_society.servebeer.com>
David writes:
> *all* whereas 10gR2 grants only select, insert, update and delete. The
> difference is small but important. As an advisory to anyone with the INDEX
> privilege still in place on this table for PUBLIC I'd recommend revoking
> it - this opens a hole that allows people to run PL/SQL code with XDB
> privileges. This could pose a problem to some installations as XDB can
> execute DBMS_RLS and therefore an attacker could effectively disable any
> virtual private databases on the server.
Date: Thu, 19 Jul 2012 14:36:33 -0500 (CDT)
Message-ID: <73463f29f7f566d091760928027ee546.squirrel_at_society.servebeer.com>
David writes:
>>From what I can gather from everyone's responses 10gR1 (and 9x etc) grants
> *all* whereas 10gR2 grants only select, insert, update and delete. The
> difference is small but important. As an advisory to anyone with the INDEX
> privilege still in place on this table for PUBLIC I'd recommend revoking
> it - this opens a hole that allows people to run PL/SQL code with XDB
> privileges. This could pose a problem to some installations as XDB can
> execute DBMS_RLS and therefore an attacker could effectively disable any
> virtual private databases on the server.
Interesting! This is one reason why I'm adamant about "deinstalling" all unnecessary modules prior to my upgrade to 11.2. Some necessary ones, too, which I will install manually after the upgrade is complete, even though it looks like this particular issue is accounted for in the upgrade script (if it's "xdbpatch.sql" in 11.2.0.3).
Thanks David!
Rich
-- http://www.freelists.org/webpage/oracle-lReceived on Thu Jul 19 2012 - 14:36:33 CDT