FW: granting sys objects with grant option in 11.2.0.3 the grant option has no effect
- From: Kurt-Franke@xxxxxx
- To: oracle-l <oracle-l@xxxxxxxxxxxxx>
- Date: Tue, 21 Feb 2012 15:31:03 +0100 (CET)
next try, hoping the formatting information is no longer lost
Hello all,
I detected a problem as described by testcase: (tested in following
Installations)
Linux x86 64-bit - Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 -
64bit Production
Microsoft Windows x86 64-bit - Oracle Database 11g Enterprise Edition Release
11.2.0.3.0 - 64bit Production
Linux IA (32-bit) - Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 -
Production
The problem did not occure on 11.2.0.2 or previous
Testcase:
create user ttt_user identified by asdfghjk;
grant create session to ttt_user;
grant execute on dbms_output to ttt_user with grant option;
create user ttt2_user identified by asdfghjk;
connect ttt_user/asdfghjk
-- execute privilege is there
exec dbms_output.enable
-- but grant option is missed
grant execute on sys.dbms_output to ttt2_user;
*
ERROR at line 1:
ORA-01031: insufficient privileges
This problem did not occure with select privilege on a sys table.
It also did not occure with execute privilege on a user package.
We use this feature for a special admin user in a software system with tenant
isolation
where the isolation is done by using separate databse schemas for each tenant.
The admin user is there to create new tenants (a very complex installation
proedure) and
need to grant a couple of execute privileges on sys pacakges.
Does anyone heard of this problem ?
Is there any mechanism to fall back to previous fucntrional behaviour -
i. e. seting a hidden parameter, setting a special event etc. ?
(I`m argueing the ignoring of the grant option with execute privilege on sys
objects
is a work around due to a security problem occured later)
TIA
kf
--
//www.freelists.org/webpage/oracle-l
Other related posts:
- » FW: granting sys objects with grant option in 11.2.0.3 the grant option has no effect - Kurt-Franke
