That's good. GAOP is controlled and—guess what—it is not even allowed to see the existence of directories using
the DBA views—that is quite tight!
SQL> select * from dba_directories;
select * from dba_directories
*
ERROR at line 1:
ORA-00942: table or view does not exist
The problem is that GAOP allows the holder to grant itself privileges on SYS-owned directories via the universal
PUBLIC role. For example, the holder can grant access to the directory holding patching scripts:
SQL> grant all on directory OPATCH_SCRIPT_DIR to public;
Grant succeeded.
The ability to grant to public should be removed from GAOP if it is to enforce the rule stated in ORA-01749, and
the restriction on SYS objects should include SYS directories. Additionally, GAOP can grant to its own roles as well as
to public, so there are two ways round ORA-01749, as shown in this next example:
sqlplus sys/a@192.168.1.3/pdborcl as sysdba
SQL*Plus: Release 12.1.0.1.0 Production on Mon Aug 12 18:19:55 2013
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
SQL> create role gaoprole;
Role created.
SQL> grant gaoprole to gaoptest;
Grant succeeded.
SQL> sho user
USER is "SYS"
--
sqlplus gaoptest/lowsec@192.168.1.3/pdborcl
SQL*Plus: Release 12.1.0.1.0 Production on Mon Aug 12 18:19:45 2013
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Last Successful login time: Fri Aug 02 2013 19:46:18 +01:00
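As an added example that is not from the book, the following audit queries let a DBA surface the two conditions described above (a grant on a SYS-owned directory made to PUBLIC or to a role, and the accounts that hold GRANT ANY OBJECT PRIVILEGE directly or through a role) using only the standard DBA views DBA_TAB_PRIVS, DBA_DIRECTORIES, DBA_ROLES, DBA_SYS_PRIVS and DBA_ROLE_PRIVS. Run as SYS or another account that can read those views; the grant on OPATCH_SCRIPT_DIR shown earlier would appear in the first result set with grantee PUBLIC.

```sql
-- 1. Object privileges on SYS-owned directories held by PUBLIC or by any role.
--    A row here is either deliberate (document it) or the kind of grant the
--    text describes, where a GRANT ANY OBJECT PRIVILEGE holder widened access
--    by granting to PUBLIC or to a role it is a member of.
SELECT p.grantee,
       CASE
         WHEN p.grantee = 'PUBLIC' THEN 'PUBLIC'
         WHEN r.role IS NOT NULL   THEN 'ROLE'
         ELSE 'USER'
       END                 AS grantee_type,
       p.owner,
       p.table_name        AS directory_name,
       d.directory_path,
       p.privilege,
       p.grantor,          -- may be recorded as the owner rather than the
                           -- account that actually issued the GRANT; use the
                           -- audit trail to attribute it to a person
       p.grantable
FROM   dba_tab_privs p
       JOIN dba_directories d
         ON  d.owner          = p.owner
         AND d.directory_name = p.table_name
       LEFT JOIN dba_roles r
         ON  r.role = p.grantee
WHERE  p.owner = 'SYS'
AND    (p.grantee = 'PUBLIC' OR r.role IS NOT NULL)
ORDER  BY p.table_name, p.grantee, p.privilege;

-- 2. Who holds GRANT ANY OBJECT PRIVILEGE: directly, or through one level of
--    role membership (extend with a CONNECT BY on DBA_ROLE_PRIVS for nested roles).
SELECT s.grantee  AS holder,
       'DIRECT'   AS via
FROM   dba_sys_privs s
WHERE  s.privilege = 'GRANT ANY OBJECT PRIVILEGE'
UNION ALL
SELECT rp.grantee AS holder,
       'ROLE ' || s.grantee AS via
FROM   dba_sys_privs s
       JOIN dba_role_privs rp
         ON rp.granted_role = s.grantee
WHERE  s.privilege = 'GRANT ANY OBJECT PRIVILEGE'
ORDER  BY holder, via;
```

Rerunning the first query after each patch cycle and diffing the result against the previous run catches a directory grant to PUBLIC the moment it appears, which is the practical mitigation while GAOP itself still permits such grants.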