-
加我公众号(orasos)
加我微信(17813235971)
加我QQ(107644445)
标签云
asm恢复 bbed bootstrap$ dul kcbzib_kcrsds_1 kccpb_sanity_check_2 kcratr_nab_less_than_odr MySQL恢复 ORA-00312 ORA-00704 ORA-00742 ORA-01110 ORA-01200 ORA-01555 ORA-01578 ORA-01595 ORA-600 2662 ORA-600 2663 ORA-600 3020 ORA-600 4000 ORA-600 4137 ORA-600 4193 ORA-600 4194 ORA-600 16703 ORA-600 kcbzib_kcrsds_1 ORA-600 KCLCHKBLK_4 ORA-600 kcratr_nab_less_than_odr ORA-600 kdsgrp1 ORA-15042 ORA-15196 ORACLE 12C oracle dul ORACLE PATCH Oracle Recovery Tools oracle加密恢复 oracle勒索 oracle勒索恢复 oracle异常恢复 ORACLE恢复 Oracle 恢复 ORACLE数据库恢复 oracle 比特币 OSD-04016 YOUR FILES ARE ENCRYPTED 比特币加密文章分类
- Others (2)
- 中间件 (2)
- WebLogic (2)
- 操作系统 (112)
- 数据库 (1,841)
- DB2 (22)
- MySQL (81)
- Oracle (1,669)
- Data Guard (53)
- EXADATA (8)
- GoldenGate (24)
- ORA-xxxxx (168)
- ORACLE 12C (72)
- ORACLE 18C (6)
- ORACLE 19C (15)
- ORACLE 21C (3)
- Oracle 23ai (8)
- Oracle ASM (69)
- Oracle Bug (8)
- Oracle RAC (55)
- Oracle 安全 (6)
- Oracle 开发 (28)
- Oracle 监听 (29)
- Oracle备份恢复 (632)
- Oracle安装升级 (103)
- Oracle性能优化 (62)
- 专题索引 (5)
- 勒索恢复 (89)
- PostgreSQL (37)
- pdu工具 (7)
- PostgreSQL恢复 (13)
- SQL Server (34)
- SQL Server恢复 (14)
- TimesTen (7)
- 达梦数据库 (4)
- 达梦恢复 (2)
- 生活娱乐 (2)
- 至理名言 (11)
- 虚拟化 (2)
- VMware (2)
- 软件开发 (47)
- Asp.Net (9)
- JavaScript (12)
- PHP (2)
- 小工具 (30)
-
最近发表
- aix环境rac 私网直连导致haip启动异常
- 又一例TRIM导致asm磁盘数据丢失的故障
- 一次运气好的ORA-600 kcratr_nab_less_than_odr故障处理
- OraFHR快速open被勒索加密破坏的Oracle数据库
- obet一键恢复offline数据文件
- 记录一次win删除数据文件完美恢复案例
- Oracle典型故障:The controlfile header block returned by the OS has a sequence number that is too old
- 国产信创库fio破坏主备库以及备份故障处理
- .wman扩展名勒索mysql数据库恢复
- Oracle数据库被勒索加密一键open工具–OraFHR
- 通过alert日志回顾其他dba oracle异常恢复故障处理以及后续open数据库操作
- 年前几例Oracle数据库被加密为.wman的数据库故障恢复
- 文件系统损坏导致数据库异常故障处理
- expdp导出xml列报ORA-22924故障处理
- obet处理ORA-704 ORA-604 ORA-1578故障
- obet修复csc higher than block scn类型坏块
- ORA-600 kcratr_nab_less_than_odr和ORA-600 4193故障处理
- aix环境10g由于控制器异常导致ORA-600 4000故障处理
- ORA-600 3716故障处理
- 不当恢复truncate数据导致数据库不能open处理
标签归档:授权给public
表dml操作权限授权给public,导致只读用户失效
最近一个客户和我反馈,他们创建了一个只读用户(之时给了create session和select表权限),但是其中有部分表可以执行dml操作,我登录系统进行确认
SQL> SELECT PRIVILEGE, ADMIN_OPTION 2 FROM DBA_SYS_PRIVS 3 WHERE GRANTEE = 'ALL_READONLY' 4 UNION 5 SELECT PRIVILEGE, ADMIN_OPTION 6 FROM ROLE_SYS_PRIVS 7 WHERE ROLE IN 8 (SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE = 'ALL_READONLY') 9 UNION 10 SELECT PRIVILEGE, ADMIN_OPTION 11 FROM ROLE_SYS_PRIVS 12 WHERE ROLE IN (SELECT GRANTED_ROLE 13 FROM ROLE_ROLE_PRIVS 14 WHERE ROLE IN (SELECT GRANTED_ROLE 15 FROM DBA_ROLE_PRIVS 16 WHERE GRANTEE = 'ALL_READONLY')); PRIVILEGE ADM ---------------------------------------- --- CREATE SESSION NO
尝试对一个表做dml操作,确实可以对u1.t1表进行dml操作
SQL> conn all_readonly/PASSWORD Connected. SQL> update U1.T1 set SNAME='111_test' where sid='www.xifenfei.com'; 1 row updated. SQL> rollback; Rollback complete.
查看这个表的相关授权,关于all_readonly(只读用户)的授权,也确实只是授权了查询权限
SQL> SELECT GRANTEE,PRIVILEGE,OWNER,TABLE_NAME FROM dba_TAB_PRIVS WHERE TABLE_NAME ='T1' and GRANTEE='ALL_READONLY' GRANTEE PRIVILEGE OWNER TABLE_NAME -------------------- ---------------------------------------- -------------------- -------------------- ALL_READONLY SELECT U1 T1
既然t1这个表可以被dml操作,那是这个表是否还有其他授权,进一步查询该表授权(不限于ALL_REAONLY用户)
SQL> SELECT GRANTEE,PRIVILEGE,OWNER,TABLE_NAME FROM dba_TAB_PRIVS WHERE TABLE_NAME ='T1'; GRANTEE PRIVILEGE OWNER TABLE_NAME -------------------- ---------------------------------------- -------------------- -------------------- PUBLIC ALTER U1 T1 PUBLIC DELETE U1 T1 PUBLIC INDEX U1 T1 PUBLIC INSERT U1 T1 PUBLIC SELECT U1 T1 PUBLIC UPDATE U1 T1 PUBLIC REFERENCES U1 T1 PUBLIC ON COMMIT REFRESH U1 T1 PUBLIC QUERY REWRITE U1 T1 PUBLIC DEBUG U1 T1 PUBLIC FLASHBACK U1 T1 ALL_READONLY SELECT U1 T1 14 rows selected.
这下明确了,由于授权了u1.t1表的(insert,delete,update等)权限给public,导致其他用户也可以对这些表进行授权给public的所有操作.
不管任何原因,都不建议授权表/对象的操作给public,这样会导致登录该数据库的所有用户都具有这个权限,风险不可控
