Re: Grant column

  • From: Jared Still <jkstill@xxxxxxxxx>
  • To: gogala@xxxxxxxxxxxxx
  • Date: Tue, 21 Dec 2004 17:14:07 -0800

There are some interesting security implications around 
the issue of granting DML privs on columns.

Log on to a database and run this script:

drop table gt;

create table gt (
        last_name varchar2(20),
        first_name varchar2(20),
        salary number
)
/

insert into gt values('Simpson','Homer',100000);
insert into gt values('Flintstone','Fred',200000);
insert into gt values('Rubble','Barney',300000);

commit;

grant update(salary) on gt to scott;


Now, if Fred Flintstone logs on to the database as scott, he can
determine that Barney Rubble is making much more money than
he is. If he is patient, he can determine the exact figure.

Here's how:

-- needed in SQL*Plus so the dbms_output line below is displayed
set serveroutput on

begin

        update js001292.gt
        set salary = salary
        where last_name  = 'Rubble'
        and salary >= 300000;

        dbms_output.put_line('count: '  || sql%rowcount);

        rollback;

end;
/

Fred now knows that Barney is making at least 100K more
than he is.  Mr Slate is about to get an earful.

-- 
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
--
//www.freelists.org/webpage/oracle-l
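
Added example, not part of the original post: one way a DBA could audit for the exposure described above, by listing grantees who hold a column-level UPDATE grant without SELECT on the same table and by checking SQL92_SECURITY, the Oracle parameter that makes an UPDATE or DELETE referencing column values in its WHERE or SET clause require SELECT privilege as well. It assumes access to the DBA_ views and an spfile, and it looks at direct object grants only (not roles, PUBLIC or system privileges).

```sql
-- Current setting: TRUE means an UPDATE/DELETE that references column
-- values in WHERE or SET also requires SELECT privilege on the table.
select name, value
from   v$parameter
where  name = 'sql92_security';

-- Column-level UPDATE grants whose grantee has no direct SELECT (or READ)
-- grant on the same table, i.e. the situation the script above creates
-- with "grant update(salary) on gt to scott".
select c.grantee, c.owner, c.table_name, c.column_name
from   dba_col_privs c
where  c.privilege = 'UPDATE'
and    not exists (
         select null
         from   dba_tab_privs t
         where  t.grantee    = c.grantee
         and    t.owner      = c.owner
         and    t.table_name = c.table_name
         and    t.privilege  in ('SELECT', 'READ')
       )
order  by c.owner, c.table_name, c.grantee, c.column_name;

-- Enforce the SELECT requirement. The parameter is static, so the change
-- is written to the spfile and takes effect at the next instance restart.
alter system set sql92_security = true scope = spfile;
```

With the parameter set to TRUE, an update that filters on salary from an account holding only the column grant is rejected, so the row count no longer leaks the value.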
