联系:手机/微信(+86 17813235971) QQ(107644445)
作者:惜分飞©版权所有[未经本人同意,不得以任何形式转载,否则有进一步追究法律责任的权利.]
最近一个客户和我反馈,他们创建了一个只读用户(之时给了create session和select表权限),但是其中有部分表可以执行dml操作,我登录系统进行确认
SQL> SELECT PRIVILEGE, ADMIN_OPTION 2 FROM DBA_SYS_PRIVS 3 WHERE GRANTEE = 'ALL_READONLY' 4 UNION 5 SELECT PRIVILEGE, ADMIN_OPTION 6 FROM ROLE_SYS_PRIVS 7 WHERE ROLE IN 8 (SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE = 'ALL_READONLY') 9 UNION 10 SELECT PRIVILEGE, ADMIN_OPTION 11 FROM ROLE_SYS_PRIVS 12 WHERE ROLE IN (SELECT GRANTED_ROLE 13 FROM ROLE_ROLE_PRIVS 14 WHERE ROLE IN (SELECT GRANTED_ROLE 15 FROM DBA_ROLE_PRIVS 16 WHERE GRANTEE = 'ALL_READONLY')); PRIVILEGE ADM ---------------------------------------- --- CREATE SESSION NO
尝试对一个表做dml操作,确实可以对u1.t1表进行dml操作
SQL> conn all_readonly/PASSWORD Connected. SQL> update U1.T1 set SNAME='111_test' where sid='www.xifenfei.com'; 1 row updated. SQL> rollback; Rollback complete.
查看这个表的相关授权,关于all_readonly(只读用户)的授权,也确实只是授权了查询权限
SQL> SELECT GRANTEE,PRIVILEGE,OWNER,TABLE_NAME FROM dba_TAB_PRIVS WHERE TABLE_NAME ='T1' and GRANTEE='ALL_READONLY' GRANTEE PRIVILEGE OWNER TABLE_NAME -------------------- ---------------------------------------- -------------------- -------------------- ALL_READONLY SELECT U1 T1
既然t1这个表可以被dml操作,那是这个表是否还有其他授权,进一步查询该表授权(不限于ALL_REAONLY用户)
SQL> SELECT GRANTEE,PRIVILEGE,OWNER,TABLE_NAME FROM dba_TAB_PRIVS WHERE TABLE_NAME ='T1'; GRANTEE PRIVILEGE OWNER TABLE_NAME -------------------- ---------------------------------------- -------------------- -------------------- PUBLIC ALTER U1 T1 PUBLIC DELETE U1 T1 PUBLIC INDEX U1 T1 PUBLIC INSERT U1 T1 PUBLIC SELECT U1 T1 PUBLIC UPDATE U1 T1 PUBLIC REFERENCES U1 T1 PUBLIC ON COMMIT REFRESH U1 T1 PUBLIC QUERY REWRITE U1 T1 PUBLIC DEBUG U1 T1 PUBLIC FLASHBACK U1 T1 ALL_READONLY SELECT U1 T1 14 rows selected.
这下明确了,由于授权了u1.t1表的(insert,delete,update等)权限给public,导致其他用户也可以对这些表进行授权给public的所有操作.
不管任何原因,都不建议授权表/对象的操作给public,这样会导致登录该数据库的所有用户都具有这个权限,风险不可控
加我QQ
