all_objects: anyone know why Oracle decided to only make triggers viewable with "CREATE ANY TRIGGER" system priv?

  • From: "Charles Schultz" <sacrophyte@xxxxxxxxx>
  • To: oracle-l <oracle-l@xxxxxxxxxxxxx>
  • Date: Mon, 29 Oct 2007 13:00:32 -0500

While trying to figure out how to give our data modelers access to read any
object, we came across this little caveat where they need "CREATE ANY
TRIGGER" to see triggers in all_objects. Ironically, we can grant them
"SELECT ANY DICTIONARY" and they can find the triggers from dba_objects, but
since they are using a canned app that hardcodes all_objects, that was not
happening.

But, why would you have to have a relatively powerful system privilege just
to see triggers? The relevant part of all_objects is:
    or
    (
       o.type# in (12) /* trigger */
       and
       exists (select null from v$enabledprivs
               where priv_number in (
                                      -152 /* CREATE ANY TRIGGER */
                                    )
              )
    )


What about priv_number 237 (SELECT ANY DICTIONARY)? Or any other innocuous
priv?

In doing some research, I came across David Litchfield's paper on security:
http://securityvulns.com/files/ohh-indirect-privilege-escalation.pdf

Also, Pete Finnigan's:
http://www.pentest.co.uk/documents/oracle-security.htm

I appreciated Alex Gorbachev's take on the fiasco with SYS and authid as
well:
http://www.pythian.com/blogs/352/calling-definer-rights-procedure-as-sysdba-security-hole

I am sure the issue with all_objects has been addressed, but googling for
specific information is like finding a needle in a haystack.

-- 
Charles Schultz
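The following SQL*Plus script is an added example, not part of the original post, that reproduces the observation above on a scratch database: a user holding only SELECT ANY DICTIONARY sees a trigger in DBA_OBJECTS but not in ALL_OBJECTS, and the trigger only appears there once CREATE ANY TRIGGER is enabled in the session. The schema names (hr_demo, modeler), passwords, table, trigger and the USERS tablespace are made up for the demo; the predicate quoted in the post (type# 12, priv_number -152) is what the final query pulls out of DBA_VIEWS. Bear in mind that CREATE ANY TRIGGER lets its holder define a trigger in another user's schema that fires with that owner's rights, which is why it is granted here only to show the effect and then revoked.

```sql
-- Added example (not from the original post). Run as a DBA in SQL*Plus.
-- hr_demo, modeler, their passwords and the USERS tablespace are assumptions.
SET LONG 20000
SET PAGESIZE 100

-- 1. An application schema that owns a table and a trigger.
CREATE USER hr_demo IDENTIFIED BY demo_pw1 QUOTA UNLIMITED ON users;
GRANT CREATE SESSION, CREATE TABLE, CREATE TRIGGER TO hr_demo;

CREATE TABLE hr_demo.emp (
  empno   NUMBER PRIMARY KEY,
  sal     NUMBER,
  updated DATE
);

CREATE OR REPLACE TRIGGER hr_demo.emp_biu
  BEFORE INSERT OR UPDATE ON hr_demo.emp
  FOR EACH ROW
BEGIN
  :new.updated := SYSDATE;
END;
/

-- 2. A data-modeler account with read-only dictionary access and nothing else.
CREATE USER modeler IDENTIFIED BY modeler_pw1;
GRANT CREATE SESSION, SELECT ANY DICTIONARY TO modeler;

CONNECT modeler/modeler_pw1

-- SELECT ANY DICTIONARY makes the DBA_ views readable, so the trigger shows here.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE owner = 'HR_DEMO' AND object_type = 'TRIGGER';

-- ALL_OBJECTS applies its own predicate for type# 12 (TRIGGER) and requires
-- CREATE ANY TRIGGER in v$enabledprivs, so the same trigger is hidden here.
SELECT owner, object_name, object_type
  FROM all_objects
 WHERE owner = 'HR_DEMO' AND object_type = 'TRIGGER';
-- expected: no rows selected

-- Which system privileges this session actually has enabled.
SELECT privilege FROM session_privs ORDER BY privilege;

-- 3. Show the cause: the trigger branch of the ALL_OBJECTS definition.
SELECT text FROM dba_views WHERE view_name = 'ALL_OBJECTS';

-- 4. Grant the privilege the poster objects to, purely to confirm the effect.
CONNECT / AS SYSDBA
GRANT CREATE ANY TRIGGER TO modeler;

CONNECT modeler/modeler_pw1
SELECT owner, object_name, object_type
  FROM all_objects
 WHERE owner = 'HR_DEMO' AND object_type = 'TRIGGER';
-- expected: HR_DEMO  EMP_BIU  TRIGGER

-- 5. Take it away again and clean up.
CONNECT / AS SYSDBA
REVOKE CREATE ANY TRIGGER FROM modeler;
DROP USER modeler;
DROP USER hr_demo CASCADE;
```

The SESSION_PRIVS query is the practical check for a canned tool that hardcodes ALL_OBJECTS: if CREATE ANY TRIGGER is not in that list, the tool will not list triggers no matter what dictionary access the account has, and the fix is either to let the tool read DBA_OBJECTS or to accept that triggers will be missing rather than hand out the privilege.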
