pi_id,
pi_secret);
end;
/
The LOWPRIVS account has a direct grant to select from and insert into the table APPOWNER.critical_table. If LOWPRIVS executes the procedure, everything is fine. However, if someone changes the code to perform some undesired operation, things can go wrong. For example:
SQL> CREATE OR REPLACE PROCEDURE lowprivs.harmless(
2 pi_id appowner.critical_table.id%type,
3 pi_secret appowner.critical_table.secretData%type)
4 authid current_user
5 as
6 begin
7 execute immediate 'truncate table appowner.critical_table';
8 end;
9 /
Procedure created.
Thanks to the execute immediate statement, privilege checks are deferred to run time and the procedure compiles normally. If LOWPRIVS executes the procedure, nothing happens; the malicious developer has to wait for someone with higher privileges to execute the code.
LOWPRIVS> exec lowprivs.harmless(3, 'evil lowprivs')
BEGIN lowprivs.harmless(3, 'evil lowprivs'); END;
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "LOWPRIVS.HARMLESS", line 7
ORA-06512: at line 1
Disaster will strike when the higher privileged user—HIGHPRIVS—executes the procedure!
HIGHPRIVS> exec lowprivs.harmless (4, 'test highprivs #2')
PL/SQL procedure successfully completed.
APPOWNER> select count(1) from appowner.critical_table;
COUNT(1)
----------
0
APPOWNER>
This is definitely not what you want. To prevent such code from performing undesired operations by exploiting the higher privileges of the invoking user, Oracle designed an additional security layer around invoker rights: inheritance of privileges. In order for an invoker with higher privileges to grant those to the called procedure the
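The following script is an added example, not code from the book: it shows how a DBA would audit and then close the gap demonstrated above using Oracle 12c's INHERIT PRIVILEGES object privilege. It assumes Oracle 12.1 or later, the same LOWPRIVS, HIGHPRIVS and APPOWNER accounts as in the text, and that the revoke is run as HIGHPRIVS (or by a user holding GRANT ANY OBJECT PRIVILEGE); the dictionary query assumes DBA_TAB_PRIVS reports user-level grants with TYPE = 'USER'.

```sql
-- Added example (not from the book). Scenario: LOWPRIVS.HARMLESS is an
-- invoker-rights procedure that HIGHPRIVS was tricked into executing.
-- Assumes Oracle 12.1+, the LOWPRIVS/HIGHPRIVS/APPOWNER accounts above.

-- 1. Audit. Out of the box every user implicitly grants
--    INHERIT PRIVILEGES ON USER <user> TO PUBLIC, which is exactly what
--    let LOWPRIVS's code run with HIGHPRIVS's privileges.
SELECT grantee,
       owner      AS privilege_owner,   -- the user whose privileges are inherited
       grantor,
       privilege,
       type
  FROM dba_tab_privs
 WHERE privilege = 'INHERIT PRIVILEGES'
   AND owner IN ('HIGHPRIVS', 'APPOWNER')
 ORDER BY owner, grantee;

-- 2. Mitigate. Run as HIGHPRIVS (the owner of the privileges) or as a
--    user with GRANT ANY OBJECT PRIVILEGE: stop arbitrary invoker-rights
--    code from borrowing HIGHPRIVS's privileges.
REVOKE INHERIT PRIVILEGES ON USER highprivs FROM PUBLIC;

-- 3. Re-grant only to schemas whose invoker-rights code is trusted,
--    e.g. the application owner, so legitimate code keeps working.
GRANT INHERIT PRIVILEGES ON USER highprivs TO appowner;

-- 4. Verify. Repeating the call from the text now fails before the
--    procedure body executes, so the TRUNCATE never runs:
--
--    HIGHPRIVS> exec lowprivs.harmless(4, 'test highprivs #2')
--    ORA-06598: insufficient INHERIT PRIVILEGES privilege
--    ORA-06512: at "LOWPRIVS.HARMLESS", line 1
--
--    and the audit query in step 1 no longer lists PUBLIC as a grantee
--    for HIGHPRIVS, only APPOWNER.
```

Repeat step 2 for every privileged account (DBAs, application administrators) rather than only HIGHPRIVS, since the default PUBLIC grant exists for each user.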