Re: PUBLIC privileges on XDB$ACL

  • From: <david@xxxxxxxxxxxxxxxxxxxx>
  • To: <niall.litchfield@xxxxxxxxx>, <rjoralist2@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 19 Jul 2012 17:08:36 +0100

Hey all,

> Indeed. That line is there in 10.2 as well. In 11.2 there's a comment about
> removing the privilege
> *Rem    sidicula    01/13/07 - Restrict privileges on ACL tab*

From what I can gather from everyone's responses, 10gR1 (and 9x etc) grants
*all* whereas 10gR2 grants only select, insert, update and delete. The
difference is small but important. As an advisory to anyone with the INDEX
privilege still in place on this table for PUBLIC, I'd recommend revoking
it - this opens a hole that allows people to run PL/SQL code with XDB
privileges. This could pose a problem to some installations, as XDB can
execute DBMS_RLS and therefore an attacker could effectively disable any
virtual private databases on the server.

Cheers,
David 

--
//www.freelists.org/webpage/oracle-l
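
One way to check an instance for the grant discussed above and apply the recommended revoke, as an added example that is not part of the original post. It assumes the table is owned by the XDB schema and that the session can read DBA_TAB_PRIVS and revoke grants on XDB objects.

```sql
-- Added example (not from the original thread).
-- 1. List PUBLIC's object privileges on XDB.XDB$ACL and flag anything
--    beyond the SELECT/INSERT/UPDATE/DELETE set the post attributes to 10gR2.
SELECT privilege,
       grantor,
       grantable,
       CASE
         WHEN privilege IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE')
           THEN 'matches 10gR2 grant described in the post'
         ELSE 'beyond 10gR2 grant: review'
       END AS assessment
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    owner      = 'XDB'
AND    table_name = 'XDB$ACL'
ORDER  BY privilege;

-- 2. Confirm whether XDB holds a direct EXECUTE grant on DBMS_RLS.
--    Access obtained through roles or system privileges is not shown here.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee    = 'XDB'
AND    table_name = 'DBMS_RLS'
AND    privilege  = 'EXECUTE';

-- 3. Remediation recommended in the post: remove INDEX from PUBLIC.
REVOKE INDEX ON xdb.xdb$acl FROM PUBLIC;

-- 4. Verify: this should return 0 after the revoke.
SELECT COUNT(*) AS index_grants_left
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    owner      = 'XDB'
AND    table_name = 'XDB$ACL'
AND    privilege  = 'INDEX';
```

Upgrade and patch scripts can reissue grants, so rerun the first query after patching.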

