What Niall said

On Dec 12, 2013 3:15 AM, "Niall Litchfield" <niall.litchfield@xxxxxxxxx> wrote:

> There isn't a security breach in the sense that User 2 gets access to data
> that they didn't already have access to. It is however somewhat
> counter-intuitive that you can run
>
> CREATE PRIVATE SYNONYM x for SCHEMA.OBJECT;
>
> and that someone else can utilize your synonym without explicit grants.
> Doing so is somewhat daft of course..
>
>
> On Thu, Dec 12, 2013 at 8:49 AM, D'Hooge Freek <Freek.DHooge@xxxxxxxxx> wrote:
>
>> Hi,
>>
>> Why would that be fishy?
>> user2 has received access on the underlying object, to which the private
>> synonym points, directly from scott.
>> So, no security breach.
>>
>>
>> regards,
>>
>> --
>> Freek D'Hooge
>> Uptime
>> Oracle Database Administrator
>> email: freek.dhooge@xxxxxxxxx
>> tel +32(03) 451 23 82
>> http://www.uptime.be
>> disclaimer: www.uptime.be/disclaimer.html
>>
>>
>> On wo, 2013-12-11 at 18:29 -0500, Dick Goulet wrote:
>>
>> >> All,
>> >>
>> >> Is there anyone other than myself that doesn't think this is right.
>> >> For those of you who have missed it, like I did, when Oracle started
>> >> evolving Fine Grained Access Controls (FGA) the role of private synonyms
>> >> changed. Try this for starters and I'll make it easy:
>> >>
>> >> 1) install the scott account, we'll need emp.
>> >> 2) create another account, any name you like, I'll use user1.
>> >> 3) create a third account, I'll call it user2.
>> >> 4) as scott grant select on emp to user1.
>> >> 5) as scott grant select on emp to user2.
>> >> 6) as user1 create a private synonym to scott.emp
>> >> 7) as user2 "select * from user1.emp;"
>> >>
>> >> If you go back to a V8 database step 7 above will end in an ORA-00942.
>> >> If you're on V9 or higher, you get data.
>> >>
>> >> Does this sound fishy??? I've opened an itar with Oracle. They
>> >> referenced note:174368.1 Policies on Synonyms. But this just seems wrong
>> >> to me. Any other opinion???
>> >>
>> >>
>> >> Dick Goulet
>> >> Senior Oracle DBA.
>
>
> --
> Niall Litchfield
> Oracle DBA
> http://www.orawin.info
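
The seven steps from Dick Goulet's message, written out as a SQL*Plus script together with a control case and a data dictionary review query. This is an added example, not part of the thread; the passwords are placeholders, and the OS-authenticated SYSDBA connection and the DBA_SYNONYMS / DBA_TAB_PRIVS join are assumptions about how the check would be run.

```sql
-- Added example, not from the thread. Assumes the SCOTT demo schema (step 1)
-- is installed and the script is started from SQL*Plus by a DBA.
-- All passwords (change_me_*) are placeholders.

-- Steps 2-3: two ordinary accounts.
CREATE USER user1 IDENTIFIED BY change_me_1;
CREATE USER user2 IDENTIFIED BY change_me_2;
GRANT CREATE SESSION, CREATE SYNONYM TO user1;
GRANT CREATE SESSION TO user2;

-- Steps 4-5: SCOTT grants SELECT directly to both accounts.
CONNECT scott/change_me_scott
GRANT SELECT ON emp TO user1;
GRANT SELECT ON emp TO user2;

-- Step 6: user1 creates a synonym in its own schema (private, since the
-- PUBLIC keyword is not used).
CONNECT user1/change_me_1
CREATE SYNONYM emp FOR scott.emp;

-- Step 7: user2 names user1's synonym. Per the thread this returns rows on
-- V9 and higher, because user2 holds SELECT on SCOTT.EMP itself.
CONNECT user2/change_me_2
SELECT COUNT(*) FROM user1.emp;

-- Control: remove SCOTT's direct grant and the same query fails with
-- ORA-00942, so the synonym supplies a name, not a privilege.
CONNECT scott/change_me_scott
REVOKE SELECT ON emp FROM user2;
CONNECT user2/change_me_2
SELECT COUNT(*) FROM user1.emp;

-- Review: private synonyms that point into another schema, listed with every
-- grantee (user or role) holding an object privilege on the target.
-- System privileges such as SELECT ANY TABLE are not covered by this query.
CONNECT / AS SYSDBA
SELECT s.owner AS synonym_owner, s.synonym_name,
       s.table_owner, s.table_name, p.grantee, p.privilege
FROM   dba_synonyms s
JOIN   dba_tab_privs p
       ON p.owner = s.table_owner AND p.table_name = s.table_name
WHERE  s.owner <> 'PUBLIC'
AND    s.table_owner <> s.owner
AND    s.db_link IS NULL
ORDER  BY s.owner, s.synonym_name, p.grantee;
```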