I chatted with Alex Gorbachev on email about this issue, privet Alex! and today he has posted the issue to his blog in a post titled "Calling Definer-Rights Procedure as SYSDBA - Security Hole?". This is summed up as an issue where SYS AS SYSDBA seems to default to invoker rights irrespective of whether the procedure it is executing is definer rights. See Alex's examples for details. I suggested some further tests to Alex to find out if it's a SYS issue as well, and also to create the definer-rights procedure as the lower-level user rather than as SYS owned by the other user (shouldn't matter). I am not convinced it's a security issue, as the issue is with SYS AS SYSDBA, so you cannot escalate higher than that.
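As an added example (not Pete's or Alex's own code) here is a small probe script a DBA can run to compare how a definer-rights procedure reports its privilege context when called by an ordinary user and when called by SYS AS SYSDBA. The users PROBE_OWNER and PROBE_CALLER, their passwords, and the table name are constructed for the example; it assumes a scratch database where these users can be created, SQL*Plus-style CONNECT/EXEC commands, and OS authentication for the SYSDBA connect.

```sql
-- Added probe, not from the original post. All names are constructed.
-- Purpose: make the definer vs. invoker rights context visible from inside
-- the procedure so the SYSDBA call can be compared with a normal caller.

-- 1. Set up an owner for the definer-rights unit and a low-privileged caller
--    (run as a DBA).
CREATE USER probe_owner IDENTIFIED BY "ChangeMe_1" QUOTA 1M ON users;
GRANT CREATE SESSION, CREATE TABLE, CREATE PROCEDURE TO probe_owner;
CREATE USER probe_caller IDENTIFIED BY "ChangeMe_2";
GRANT CREATE SESSION TO probe_caller;

-- 2. As PROBE_OWNER: a private table and a definer-rights procedure.
--    AUTHID DEFINER is the default; it is spelled out here for clarity.
CONNECT probe_owner/ChangeMe_1
CREATE TABLE private_data (id NUMBER, note VARCHAR2(30));
INSERT INTO private_data VALUES (1, 'only reachable via procedure');
COMMIT;

CREATE OR REPLACE PROCEDURE show_context AUTHID DEFINER AS
  l_cnt NUMBER;
BEGIN
  -- SESSION_USER is always the logged-in user. In a definer-rights unit the
  -- documented behaviour is that CURRENT_USER and CURRENT_SCHEMA report the
  -- unit's owner, whoever invoked it; that is the value to watch under SYSDBA.
  DBMS_OUTPUT.PUT_LINE('SESSION_USER   = ' || SYS_CONTEXT('USERENV', 'SESSION_USER'));
  DBMS_OUTPUT.PUT_LINE('CURRENT_USER   = ' || SYS_CONTEXT('USERENV', 'CURRENT_USER'));
  DBMS_OUTPUT.PUT_LINE('CURRENT_SCHEMA = ' || SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA'));
  DBMS_OUTPUT.PUT_LINE('ISDBA          = ' || SYS_CONTEXT('USERENV', 'ISDBA'));
  -- Unqualified name: resolved in the unit's own schema, so the owner's
  -- table is read with the owner's privileges.
  SELECT COUNT(*) INTO l_cnt FROM private_data;
  DBMS_OUTPUT.PUT_LINE('rows in private_data = ' || l_cnt);
END;
/
GRANT EXECUTE ON show_context TO probe_caller;

-- 3. Baseline: an ordinary caller that has no privilege on the table itself.
CONNECT probe_caller/ChangeMe_2
SET SERVEROUTPUT ON
EXEC probe_owner.show_context;

-- 4. The case under discussion: the same call from SYS AS SYSDBA.
CONNECT / AS SYSDBA
SET SERVEROUTPUT ON
EXEC probe_owner.show_context;

-- 5. Clean up.
DROP USER probe_caller;
DROP USER probe_owner CASCADE;
```

For the baseline run, the documented definer-rights behaviour is that SESSION_USER shows PROBE_CALLER while CURRENT_USER and CURRENT_SCHEMA show PROBE_OWNER, and the row count comes back even though PROBE_CALLER has no grant on the table. The SYSDBA run is the one to compare against that: if CURRENT_USER and CURRENT_SCHEMA still read PROBE_OWNER, the unit ran with definer rights as usual; if they read SYS, the call was effectively invoker rights, which is the behaviour the post is discussing. Either way the caller is already SYS AS SYSDBA, so the check is about confirming privilege semantics on a given release rather than about gaining anything.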
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.