
Pete Finnigan's Oracle security weblog


Definer rights AS SYSDBA security issue?

January 16th, 2007 by Pete

I chatted with Alex Gorbachev on email about this issue, privet Alex! and today he has posted the issue to his blog in a post titled "Calling Definer-Rights Procedure as SYSDBA - Security Hole?". This is summed up as an issue where SYS AS SYSDBA seems to default to invoker rights irrespective of whether the procedure it is executing is definer rights. See Alex's examples for details. I suggested some further tests to Alex to find out if it's a SYS issue as well and also to create the definer rights procedure as the lower level user rather than as SYS owned by the other user (shouldn't matter). I am not convinced it's a security issue as the issue is with SYS AS SYSDBA, so you cannot escalate higher than that.
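A SQL*Plus script for checking the behaviour described above on a test instance follows. It is an added example, not code from this post or from Alex's. The users `dr_test` and `dr_caller`, the procedure `show_ctx` and the passwords are hypothetical, and `CONNECT / AS SYSDBA` assumes OS authentication is available. The definer-rights procedure is created by the low-privileged user itself and tries a dictionary lookup that its owner has no privilege for, so the output of the three calls can be compared.

```sql
-- Added example: all object names and passwords below are constructed for the test.
CONNECT / AS SYSDBA
CREATE USER dr_test   IDENTIFIED BY "Change_me_1";
CREATE USER dr_caller IDENTIFIED BY "Change_me_2";
GRANT CREATE SESSION, CREATE PROCEDURE TO dr_test;
GRANT CREATE SESSION, SELECT ANY DICTIONARY TO dr_caller;

-- Create the procedure as the low-privileged owner (not as SYS in its schema).
CONNECT dr_test/"Change_me_1"
CREATE OR REPLACE PROCEDURE show_ctx
AUTHID DEFINER
AS
  n NUMBER;
BEGIN
  DBMS_OUTPUT.PUT_LINE('session_user=' || SYS_CONTEXT('USERENV', 'SESSION_USER'));
  DBMS_OUTPUT.PUT_LINE('current_user=' || SYS_CONTEXT('USERENV', 'CURRENT_USER'));
  BEGIN
    -- Dynamic SQL: privileges are checked at run time, so the procedure
    -- compiles even though its owner cannot read DBA_USERS.
    EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM sys.dba_users' INTO n;
    DBMS_OUTPUT.PUT_LINE('dba_users readable, rows=' || n);
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('dba_users not readable: ' || SQLERRM);
  END;
END;
/
GRANT EXECUTE ON show_ctx TO dr_caller;

-- Call 1: the owner. The lookup runs with dr_test's own privileges.
SET SERVEROUTPUT ON
EXEC show_ctx

-- Call 2: control case. dr_caller can read the dictionary directly, but
-- under definer rights the lookup still runs with dr_test's privileges.
CONNECT dr_caller/"Change_me_2"
SET SERVEROUTPUT ON
EXEC dr_test.show_ctx

-- Call 3: the case the post is about. Compare this output with calls 1 and 2.
CONNECT / AS SYSDBA
SET SERVEROUTPUT ON
EXEC dr_test.show_ctx

-- Clean up the test accounts.
DROP USER dr_test CASCADE;
DROP USER dr_caller CASCADE;
```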


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
