Copyright (c) 1982, 2013, Oracle. All rights reserved.
Last Successful login time: Mon Aug 12 2013 21:28:35 +01:00
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
SQL> grant EXEMPT ACCESS POLICY to vpdtest;
Grant succeeded.
So EM_EXPRESS_ALL can grant itself the ability to bypass VPD. EM_EXPRESS_ALL is the default role used for EM
Express access, which needs to be able to do more than just READ data via the EM_EXPRESS_BASIC role. It may come as a
surprise that this role can grant itself the ability to bypass VPD, especially to those who believe VPD to be a strong form
of access control, and critically to those who have already checked whether any users hold EXEMPT ACCESS POLICY
and were erroneously reassured by the fact that none did. The fact is that some users can simply
grant this privilege to themselves, so implicitly they already have it.
Now it is time to revoke DBA and SYSDBA from PUBLIC and tidy up after the testing you have done, in order to
return your systems to order; this requires a method of assessing the state of the privileges.
Defending against GRANT ANY OBJECT PRIVILEGE (GAOP) privilege escalation through directory privileges is made more difficult by the
many public privileges that already exist, i.e., more than 38,000 in 12c: GAOP granting one more is not going to
raise eyebrows. Also, DBA_TAB_PRIVS does not have an OBJECT_TYPE column, which makes identifying SYS-owned
directories more laborious.
Here is the code to create a DBA_OBJ_PRIVS view, which will also help in tidying up:
--AS SYS
CREATE OR REPLACE VIEW dba_obj_privs AS
select ue.name  grantee,           -- user or role that received the privilege
       u.name   owner,             -- owner of the object
       o.name   object_name,
       ur.name  grantor,           -- user recorded as making the grant
       tpm.name privilege,
       decode(mod(oa.option$,2), 1, 'YES', 'NO')    grantable, -- WITH GRANT OPTION
       decode(bitand(oa.option$,2), 2, 'YES', 'NO') hierarchy, -- WITH HIERARCHY OPTION
       dob.object_type                                         -- the column DBA_TAB_PRIVS lacks
  from sys.objauth$ oa, sys.obj$ o, sys.user$ u, sys.user$ ur, sys.user$ ue,
       table_privilege_map tpm, dba_objects dob
 where oa.obj#       = o.obj#
   and oa.grantor#   = ur.user#
   and oa.grantee#   = ue.user#
   and oa.col#       is null       -- object-level grants only, not column grants
   and oa.privilege# = tpm.privilege
   and u.user#       = o.owner#
   and dob.object_id = oa.obj#;
Then you can do an automated state check of those object privileges:
SQL> select DBMS_SQLHASH.gethash('select * from dba_obj_privs', 2) from dual;
DBMS_SQLHASH.GETHASH('SELECT*FROMDBA_OBJ_PRIVS',2)
--------------------------------------------------------------------------------
853221EFF5462B80A31BAE4B347BA1B3
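The following SQL*Plus script is an added example, not code from the book; it builds on the DBA_OBJ_PRIVS view defined above. It first runs the directory-privilege inventory that the text says is laborious with DBA_TAB_PRIVS, then turns the one-off DBMS_SQLHASH check into a repeatable comparison against a stored baseline that also reports which grants were added or removed. Assumptions: it is run AS SYS (DBMS_SQLHASH is SYS-owned), and the table names PRIVS_SNAPSHOT and PRIVS_BASELINE are invented for this example.

```sql
-- Added example (not from the book). Assumes the DBA_OBJ_PRIVS view from the text
-- exists and that this runs AS SYS. PRIVS_SNAPSHOT / PRIVS_BASELINE are made-up names.

-- 1. Directory objects reachable by PUBLIC or by any grantee other than SYS:
--    the check DBA_TAB_PRIVS makes awkward because it has no OBJECT_TYPE column.
SELECT grantee, owner, object_name, privilege, grantable
  FROM dba_obj_privs
 WHERE object_type = 'DIRECTORY'
   AND grantee <> 'SYS'
 ORDER BY grantee, owner, object_name, privilege;

-- 2. Known-good snapshot of the whole view, taken once at a trusted point in time,
--    and a table for the hash of the same query. The hashed query carries an
--    ORDER BY: DBMS_SQLHASH hashes the rows as returned, so an unordered query
--    could change its hash after a plan change even when no privilege changed.
CREATE TABLE privs_snapshot AS SELECT * FROM dba_obj_privs;

CREATE TABLE privs_baseline (
  taken_at   TIMESTAMP      DEFAULT SYSTIMESTAMP,
  query_text VARCHAR2(4000) NOT NULL,
  md5_hash   VARCHAR2(64)   NOT NULL
);

-- 3. Repeatable state check: compare the current hash with the stored one and,
--    on mismatch, list exactly which grants appeared or disappeared.
SET SERVEROUTPUT ON
DECLARE
  v_sql  CONSTANT VARCHAR2(4000) :=
    'select * from dba_obj_privs order by grantee, owner, object_name, grantor, privilege';
  v_now  VARCHAR2(64);
  v_base VARCHAR2(64);
BEGIN
  -- 2 = MD5, the digest type used in the text; GETHASH returns RAW, so render as hex
  v_now := RAWTOHEX(DBMS_SQLHASH.GETHASH(v_sql, 2));

  BEGIN
    SELECT md5_hash INTO v_base
      FROM (SELECT md5_hash FROM privs_baseline
             WHERE query_text = v_sql ORDER BY taken_at DESC)
     WHERE ROWNUM = 1;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- first run: record the current state as the baseline and stop
      INSERT INTO privs_baseline (query_text, md5_hash) VALUES (v_sql, v_now);
      COMMIT;
      DBMS_OUTPUT.PUT_LINE('No baseline existed; recorded ' || v_now);
      RETURN;
  END;

  IF v_now = v_base THEN
    DBMS_OUTPUT.PUT_LINE('Object privileges unchanged: ' || v_now);
  ELSE
    DBMS_OUTPUT.PUT_LINE('CHANGE DETECTED: baseline ' || v_base || ', current ' || v_now);
    -- grants present now but absent from the snapshot (new grants, e.g. made via GAOP)
    FOR r IN (SELECT grantee, owner, object_name, privilege, object_type FROM dba_obj_privs
              MINUS
              SELECT grantee, owner, object_name, privilege, object_type FROM privs_snapshot
              ORDER BY 1, 2, 3, 4)
    LOOP
      DBMS_OUTPUT.PUT_LINE('  ADDED   ' || r.grantee || ' ' || r.privilege || ' ON '
                           || r.object_type || ' ' || r.owner || '.' || r.object_name);
    END LOOP;
    -- grants in the snapshot that are now gone (revokes, including your own tidy-up)
    FOR r IN (SELECT grantee, owner, object_name, privilege, object_type FROM privs_snapshot
              MINUS
              SELECT grantee, owner, object_name, privilege, object_type FROM dba_obj_privs
              ORDER BY 1, 2, 3, 4)
    LOOP
      DBMS_OUTPUT.PUT_LINE('  REMOVED ' || r.grantee || ' ' || r.privilege || ' ON '
                           || r.object_type || ' ' || r.owner || '.' || r.object_name);
    END LOOP;
  END IF;
END;
/
```

Run step 3 on a schedule; the hash alone tells you that the privilege state drifted, and the two MINUS queries tell you what to revoke. Once the tidy-up is finished, refresh PRIVS_SNAPSHOT and the baseline row so the cleaned state becomes the new reference.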