0

I have a procedure (procedureA) that is created in a schema (schemaA). The schemaA user doesn't have any privileges; only the CONNECT role is granted. ProcedureA is responsible for granting select, alter, update... privileges for a specific table in other schemas to a specific user. What I read in the Oracle docs (How Procedure Privileges Affect Invoker's Rights) is that a procedure uses the owner's rights, and now I don't understand how it's possible to invoke this procedure by the sys user, since the schemaA user doesn't have any rights. ProcedureA was created without AUTHID CURRENT_USER. After executing procedureA, the privileges are granted correctly.

Thanks

geek
  • If the schema didn't have any privileges it wouldn't have been able to create a procedure; or were privileges revoked later? Are you only looking at roles, or system privileges (dba_sys_privs) and object privileges (dba_tab_privs) too? Privileges from roles wouldn't have any effect in an owners-rights procedure anyway, only direct grants. – Alex Poole Mar 10 '15 at 15:59
  • Hi Alex. Privileges were revoked after the schema and procedure had been created. dba_tab_privs is also empty for schemaA. Thanks – geek Mar 10 '15 at 16:09

1 Answer

1

In "Protecting Oracle Database 12c" by Paul Wright, on page 91 under SYSDBA Phishing, it is stated that a SYSDBA's privilege will pass through if a definer's rights procedure is invoked. (Found on Google Books.)

If that is true, then when you use an account as SYSDBA (as is the case with SYS automatically), procedures in other schemas are run with invoker's rights even if not defined.

Jon Tofte-Hansen
  • I tried the above setup on an Oracle 11.2.0.3 database and it does exactly that: a SYSDBA session overrules definer's rights in a procedure. – Jon Tofte-Hansen Mar 12 '15 at 09:37
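
The setup from the question and the test mentioned in the comment above, written out as a SQL*Plus script so the behaviour can be checked on a test database before treating definer's rights as a boundary for SYSDBA sessions. This is an added example, not code from the question or the answer; the names SCHEMA_A, SCHEMA_B, USER_C and T1, the passwords, the USERS tablespace and OS authentication for SYSDBA are assumptions.

```sql
-- Added example; SCHEMA_A, SCHEMA_B, USER_C, T1 and all passwords are constructed.
-- Run in SQL*Plus on a disposable test database, starting as SYS AS SYSDBA.
CREATE USER schema_a IDENTIFIED BY "Constructed_pw1";
CREATE USER schema_b IDENTIFIED BY "Constructed_pw2"
  QUOTA UNLIMITED ON users;            -- assumes a USERS tablespace exists
CREATE USER user_c   IDENTIFIED BY "Constructed_pw3";
GRANT CONNECT TO schema_a;             -- the only grant the owner holds
CREATE TABLE schema_b.t1 (id NUMBER);

-- No AUTHID clause, so the procedure gets definer's rights (the default).
-- SYS creates it inside SCHEMA_A, which gives the same end state as the
-- question: an owner with nothing beyond the CONNECT role.
CREATE OR REPLACE PROCEDURE schema_a.procedure_a AS
BEGIN
  EXECUTE IMMEDIATE 'GRANT SELECT ON schema_b.t1 TO user_c';
END;
/

-- Confirm the starting point with the views named in the comments.
SELECT object_name, authid FROM dba_procedures
 WHERE owner = 'SCHEMA_A';             -- expected: AUTHID = DEFINER
SELECT privilege FROM dba_sys_privs
 WHERE grantee = 'SCHEMA_A';           -- expected: no rows
SELECT owner, table_name, privilege FROM dba_tab_privs
 WHERE grantee = 'SCHEMA_A';           -- expected: no rows
SELECT granted_role FROM dba_role_privs
 WHERE grantee = 'SCHEMA_A';           -- expected: CONNECT

-- Case 1: the owner calls its own procedure. The GRANT inside is expected
-- to fail, because SCHEMA_A holds no grantable privilege on SCHEMA_B.T1.
CONNECT schema_a/"Constructed_pw1"
EXEC procedure_a

-- Case 2: the same call from a SYSDBA session (OS authentication assumed).
-- The question and the 11.2.0.3 test in the comment report that the grant
-- succeeds here; the query shows whether it did on this database.
CONNECT / AS SYSDBA
EXEC schema_a.procedure_a
SELECT grantor, privilege FROM dba_tab_privs
 WHERE grantee = 'USER_C' AND owner = 'SCHEMA_B' AND table_name = 'T1';

-- Clean up the constructed accounts.
DROP USER user_c   CASCADE;
DROP USER schema_a CASCADE;
DROP USER schema_b CASCADE;
```

If case 2 returns a row for USER_C, review the source of any procedure owned by a low-privileged schema before calling it from a SYSDBA session.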