Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "new paper on oracle as sysdba connection weakness"] [Next entry: "Critical Patch Update January 2007 is out"]

Definer rights AS SYSDBA security issue?



I chatted with Alex Gorbachev on email about this issue, privet Alex! and today he has posted the issue to his blog in a post titled http://www.pythian.com/blogs/352/calling-definer-rights-procedure-as-sysdba-security-hole - (broken link) Calling Definer-Rights Procedure as SYSDBA - Security Hole?. This is summed up as an issue where SYS AS SYSDBA seems to default to invoker rights irrespective of whether the procedure it is executing is definer rights. See Alex's examples for details. I suggested some further tests to Alex to find out if its a SYS issue as well and also to create the definer rights procedure as the lower level user rtaher than as SYS owned by the other user (shouldnt matter). I am not convinced its a security issue as the issue is with SYS AS SYSDBA so you canot escalate higher than that.