RE: all_objects: anyone know why Oracle decided to only make triggers viewable with "CREATE ANY TRIGGER" system priv?

  • From: "Powell, Mark D" <mark.powell@xxxxxxx>
  • To: "oracle-l" <oracle-l@xxxxxxxxxxxxx>
  • Date: Mon, 29 Oct 2007 17:02:48 -0400

Security.  By default only the owner and DBAs can see trigger (and also
package body) source.
 
Triggers are often used for auditing.  If you can see what the trigger
does then you can write the DML to remove the generated trail.
 
There are ways to provide access to source code without granting DBA or
ANY privileges.  For developers we provide a modified version of the
user_source view that we then grant select on.

-- Mark D Powell -- 
Phone (313) 592-5148 
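One way to implement what Mark describes, as an added example that is not his actual view (the post does not show it): a definer-rights view over DBA_SOURCE, owned by a dedicated locked schema, that exposes only chosen application schemas' PL/SQL source and deliberately leaves trigger bodies out, so developers read source through the view without holding DBA or any ANY privilege. The schema, role and password names (SRCVIEW, APP, DEV_ROLE, the placeholder password) are assumptions.

```sql
-- Added example, not the poster's own code.  Names SRCVIEW, APP and DEV_ROLE
-- are assumed.  Assumes the usual Oracle rule that the owner of a view needs
-- a DIRECT grant on the underlying object (a grant through a role does not
-- count when the view is compiled).

-- 1. As SYS: a locked-down owner schema for the view.  It gets SELECT on the
--    one dictionary view it needs, nothing else, and is never logged into
--    (the password is a placeholder; the account stays locked).
CREATE USER srcview IDENTIFIED BY "ChangeMe1" ACCOUNT LOCK;
GRANT CREATE VIEW TO srcview;
GRANT SELECT ON sys.dba_source TO srcview;     -- direct grant, required for the view

-- 2. The restricted view.  Definer's rights: a developer querying it reads
--    DBA_SOURCE with SRCVIEW's privilege, but only the rows the WHERE clause
--    lets through.  Trigger source is left out on purpose: an audit trigger
--    whose body is readable is an audit trigger that can be worked around.
CREATE OR REPLACE VIEW srcview.dev_source
  (owner, name, type, line, text) AS
SELECT s.owner, s.name, s.type, s.line, s.text
FROM   sys.dba_source s
WHERE  s.owner IN ('APP')                                -- application schemas only, never SYS/SYSTEM
AND    s.type  IN ('PACKAGE', 'PACKAGE BODY', 'PROCEDURE',
                   'FUNCTION', 'TYPE', 'TYPE BODY');     -- TRIGGER deliberately absent

-- 3. Hand it out through a role rather than to individual accounts.
CREATE ROLE dev_role;
GRANT SELECT ON srcview.dev_source TO dev_role;

-- 4. Checks, run as a developer who holds DEV_ROLE:
--    (a) the developer holds no ANY privilege at all (expect no rows)
SELECT privilege FROM session_privs WHERE privilege LIKE '%ANY%' ORDER BY 1;
--    (b) application source is readable ...
SELECT owner, name, type, COUNT(*) AS source_lines
FROM   srcview.dev_source
GROUP  BY owner, name, type
ORDER  BY owner, name, type;
--    (c) ... but no trigger body and no other schema leaks through (expect 0 and 0)
SELECT COUNT(*) FROM srcview.dev_source WHERE type = 'TRIGGER';
SELECT COUNT(*) FROM srcview.dev_source WHERE owner NOT IN ('APP');
```

Because the filtering lives in the view definition rather than in a grant, widening access later is a one-line change to the IN lists and a review of who holds DEV_ROLE, not a new system privilege.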

 


________________________________

        From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Charles Schultz
        Sent: Monday, October 29, 2007 2:01 PM
        To: oracle-l
        Subject: all_objects: anyone know why Oracle decided to only
make triggers viewable with "CREATE ANY TRIGGER" system priv?
        
        
        While trying to figure out how to give our data modelers access
to read any object, we came across this little caveat where they need
"CREATE ANY TRIGGER" to see triggers in all_objects. Ironically, we can
grant them "SELECT ANY DICTIONARY" and they can find the triggers from
dba_objects, but since they are using a canned app that hardcodes
all_objects, that was not happening. 
        
        But, why would you have to have a relatively powerful system
privilege just to see triggers? The relevant part of all_objects is:
            or
            (
               o.type# in (12) /* trigger */
               and
               exists (select null from v$enabledprivs 
                       where priv_number in (
                                               -152 /* CREATE ANY TRIGGER */
                                            )
                      )
            )
        
        
        What about priv_number 237 (SELECT ANY DICTIONARY)? Or any other
innocuous priv? 
        
        In doing some research, I came across David Litchfield's paper
on security:
        
http://securityvulns.com/files/ohh-indirect-privilege-escalation.pdf 
        
        Also, Pete Finnigan's:
        http://www.pentest.co.uk/documents/oracle-security.htm
        
        I appreciated Alex Gorbachev's take on the fiasco with SYS and
authid as well: 
        
http://www.pythian.com/blogs/352/calling-definer-rights-procedure-as-sysdba-security-hole
        
        I am sure the issue with all_objects has been addressed, but
googling for specific information is like finding a needle in a
haystack. 
        
        -- 
        Charles Schultz 
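To reproduce the behaviour Charles describes, here is an added SQL*Plus check that is not part of the original thread. It maps the privilege numbers quoted above to their names, then shows a test user with only SELECT ANY DICTIONARY seeing another schema's triggers in DBA_OBJECTS but not in ALL_OBJECTS, and the rows appearing once CREATE ANY TRIGGER is granted. The schema APP (assumed to own at least one trigger), the test user MODELER and its throwaway password are assumptions, and the ALL_OBJECTS text is the one Charles quotes; other releases define the view differently.

```sql
-- Added check, not from the original thread.  Run in SQL*Plus as a DBA.
-- Assumed names: schema APP (owns at least one trigger), test user MODELER.
-- The privilege numbers come from the ALL_OBJECTS text quoted in the post.

-- 1. Map the numbers to names, and list whichever of them this session
--    currently has enabled (V$ENABLEDPRIVS is what ALL_OBJECTS consults).
SELECT m.privilege, m.name
FROM   system_privilege_map m
WHERE  m.privilege IN (-152, -237)        -- CREATE ANY TRIGGER, SELECT ANY DICTIONARY
ORDER  BY m.privilege DESC;

SELECT m.name AS enabled_priv
FROM   v$enabledprivs e
JOIN   system_privilege_map m ON m.privilege = e.priv_number
WHERE  m.privilege IN (-152, -237);

-- 2. A test user with the "innocuous" privilege only.
CREATE USER modeler IDENTIFIED BY "ChangeMe1";
GRANT CREATE SESSION, SELECT ANY DICTIONARY TO modeler;

-- 3. As MODELER: DBA_OBJECTS lists APP's triggers, ALL_OBJECTS does not.
CONNECT modeler/ChangeMe1
SELECT (SELECT COUNT(*) FROM dba_objects
        WHERE owner = 'APP' AND object_type = 'TRIGGER') AS via_dba_objects,
       (SELECT COUNT(*) FROM all_objects
        WHERE owner = 'APP' AND object_type = 'TRIGGER') AS via_all_objects
FROM   dual;                               -- expect via_dba_objects > 0, via_all_objects = 0

-- 4. As a DBA again: grant the one privilege ALL_OBJECTS tests for, repeat.
CONNECT / AS SYSDBA
GRANT CREATE ANY TRIGGER TO modeler;
CONNECT modeler/ChangeMe1
SELECT COUNT(*) AS via_all_objects
FROM   all_objects
WHERE  owner = 'APP' AND object_type = 'TRIGGER';   -- now > 0

-- 5. Revoke it: CREATE ANY TRIGGER lets MODELER create triggers in any
--    schema, which is far more than a read-only modeler should hold.
CONNECT / AS SYSDBA
REVOKE CREATE ANY TRIGGER FROM modeler;
DROP USER modeler;
```

The practical takeaway from the check is that the canned tool's hard-coded ALL_OBJECTS, not the modelers' privilege set, is the constraint; if the tool cannot be pointed at DBA_OBJECTS, a private view or synonym named ALL_OBJECTS in the tool's own schema that selects from DBA_OBJECTS is the usual workaround, and it needs only SELECT ANY DICTIONARY.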