PUBLIC Mistery [message #269384] Fri, 21 September 2007 22:10
smunir362
Messages: 310
Registered: September 2007
Senior Member
AOA
Everybody would be with me in that
Oracle created a PUBLIC group by default and a lot of privs are granted to PUBLIC. So any user created in the database has all the privs which PUBLIC has.
Is it a mystery?

After that there may be possible SQL Injection through these privs. Why does Oracle not eliminate it or give the option to set it accordingly......
Am I right?


Munir
OCP DBA9i
Re: PUBLIC Mistery [message #269386 is a reply to message #269384] Fri, 21 September 2007 23:05
BlackSwan
Messages: 26766
Registered: January 2009
Location: SoCal
Senior Member
>Oracle created a PUBLIC group by default and a lot of privs are granted to public
>After that there may be possible SQL Injection through these privs.

Demonstrate how any vital security can be breached using default PUBLIC access via SQL injection or by direct access to database.

Re: PUBLIC Mistery [message #269406 is a reply to message #269384] Sat, 22 September 2007 01:31
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
And if you find some, then it's up to you to remove the privileges from PUBLIC.

Regards
Michel
Re: PUBLIC Mistery [message #269435 is a reply to message #269406] Sat, 22 September 2007 05:26
smunir362
Messages: 310
Registered: September 2007
Senior Member
AOA
Dear, I know a lot of such hurdles, that PUBLIC has such privs to access the database.
Even an ordinary user can become DBA. I have tested it. It is sure.

The Oracle Critical Patch Updates best describe the vulnerabilities or security holes.
For more information you can check
http://red-database.com

Munir
Re: PUBLIC Mistery [message #269459 is a reply to message #269435] Sat, 22 September 2007 07:51
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Then apply CPU!

Regards
Michel
Re: PUBLIC Mistery [message #269973 is a reply to message #269459] Tue, 25 September 2007 05:00
smunir362
Messages: 310
Registered: September 2007
Senior Member
Applying CPU.......
Why? But perhaps it is the only solution.....

But why does PUBLIC have so many privs by default?
I think it is useless.
We can use ROLES effectively.


Am I right?

Regards,
Re: PUBLIC Mistery [message #269976 is a reply to message #269973] Tue, 25 September 2007 05:02
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Remove the unused privileges. What's the problem with that?

Regards
Michel
Re: PUBLIC Mistery [message #269979 is a reply to message #269976] Tue, 25 September 2007 05:10
smunir362
Messages: 310
Registered: September 2007
Senior Member
Listing the unused privs is a great tiresome work. Almost, it is very hard or even impossible.
And we do not know what the privs are?.....


Re: PUBLIC Mistery [message #269997 is a reply to message #269979] Tue, 25 September 2007 06:22
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Remove all privileges from PUBLIC and see what is not working, then add the privilege back, and so on.
Then you will be in the same situation as if there were no privileges granted to PUBLIC.
Isn't this what you want?

Regards
Michel
Re: PUBLIC Mistery [message #270378 is a reply to message #269997] Wed, 26 September 2007 12:58
smunir362
Messages: 310
Registered: September 2007
Senior Member
Yes, it is ....a solution.
But I think it is not a comprehensive approach.

But my question was that "PUBLIC" is a mystery....

Why did Oracle include it with a lot of privs? Why was it necessary to include it......

Re: PUBLIC Mistery [message #270384 is a reply to message #270378] Wed, 26 September 2007 13:28
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
  1. History
  2. Backward compatibility
  3. Some packages defined with "authid current_user" need to be sure that anyone who has been granted the privilege to execute them can execute dependent packages
  4. Lack of study on consequences
  5. Laziness
  6. ...

4 and 5 lead to 2 in next versions and to 1 later.
This is the case now with some packages like UTL_FILE that are granted to PUBLIC, but DB Console/Grid Control automatically reports them as a security hole.

Regards
Michel
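The "revoke from PUBLIC, see what breaks, re-grant only where needed" procedure Michel describes, with the UTL_FILE case from his list, worked as an added SQL*Plus example that is not from the thread or from Oracle's documentation. It assumes a DBA session on a test copy of the database; `app_owner` is a placeholder schema, and the dictionary views used (DBA_TAB_PRIVS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_DEPENDENCIES, DBA_OBJECTS) are standard Oracle views.

```sql
-- 1. Inventory: every object privilege PUBLIC holds (mostly EXECUTE on SYS packages).
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
ORDER  BY owner, table_name, privilege;

-- 2. System privileges and roles granted to PUBLIC. Both should normally be empty;
--    anything listed here is inherited by every account in the database.
SELECT privilege, admin_option FROM dba_sys_privs  WHERE grantee = 'PUBLIC';
SELECT granted_role            FROM dba_role_privs WHERE grantee = 'PUBLIC';

-- 3. Before revoking a package, find the non-Oracle code that references it.
--    These objects will go INVALID if their owner only reached it via PUBLIC.
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS'
AND    referenced_name  = 'UTL_FILE'
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, name;

-- 4. Generate the REVOKE statements rather than typing them; spool the output
--    and review it. Extend the IN list with whatever step 1 showed you do not need.
SELECT 'REVOKE ' || privilege || ' ON ' || owner || '.' || table_name
       || ' FROM PUBLIC;' AS revoke_stmt
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    table_name IN ('UTL_FILE');

-- 5. Re-grant directly to the schemas step 3 listed, so the privilege is
--    tied to a named owner instead of to every user (app_owner is a placeholder).
GRANT EXECUTE ON SYS.UTL_FILE TO app_owner;

-- 6. After running the revokes: list what broke, then recompile and re-check.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
AND    owner NOT IN ('SYS', 'SYSTEM');
EXEC DBMS_UTILITY.compile_schema('APP_OWNER', FALSE);
```

Repeat steps 4 to 6 per package; the step 3 query answers the "we do not know what privs are used" objection from earlier in the thread for any package you put in `referenced_name`.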

Re: PUBLIC Mistery [message #270589 is a reply to message #270384] Thu, 27 September 2007 11:04
smunir362
Messages: 310
Registered: September 2007
Senior Member
Yes I agree..........
Re: PUBLIC Mistery [message #270591 is a reply to message #269384] Thu, 27 September 2007 11:07
BlackSwan
Messages: 26766
Registered: January 2009
Location: SoCal
Senior Member
>Yes I agree..........
I'll sleep better tonight knowing that you agree with Michel.
Re: PUBLIC Mistery [message #270895 is a reply to message #270591] Fri, 28 September 2007 05:09
smunir362
Messages: 310
Registered: September 2007
Senior Member
Thank GOD
You sleep ......