In Oracle, a user needs only privileges on a view in order to SELECT from it, or more precisely, from whatever the view exposes of the underlying tables. Privileges on the tables themselves are not required.
Consider this scenario:
Table T belongs to A
A GRANT SELECT ON T to B (without GRANT OPTION)
B CREATE VIEW V AS SELECT * FROM A.T
B GRANT SELECT ON V TO C
C performing SELECT * FROM B.V
By the rule above, C will be able to select from V, which amounts to selecting from T. What kind of cheat is this? B effectively lets C see A.T even though C has no rights on T and B has no GRANT OPTION. Is there a security hole somewhere?
Answer 0: (score: 5)
What you describe does not work. As user A:
create table t (id number);
Table T created.
grant select on t to b;
Grant succeeded.
As user B:
create view v as select * from a.t;
View V created.
grant select on v to c;
SQL Error: ORA-01720: grant option does not exist for 'A.T'
01720. 00000 - "grant option does not exist for '%s.%s'"
*Cause: A grant was being performed on a view or a view was being replaced
and the grant option was not present for an underlying object.
*Action: Obtain the grant option on all underlying objects of the view or
revoke existing grants on the view.
Note:
To grant SELECT on a view to another user, you must either own all of the objects underlying the view, or you must have been granted the SELECT object privilege WITH GRANT OPTION on all of those underlying objects. This is true even if the grantee already has the SELECT privilege on those underlying objects.
Even the grant any object privilege privilege does not bypass this; although there must be some (powerful) privilege that does, since a full DBA can do grant select on b.v to c.
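As an added example (not part of the original question or answer), the same scenario carried through the way it has to be done: A grants SELECT on T to B WITH GRANT OPTION, after which B's grant to C succeeds, and B can confirm what it is allowed to pass on by checking the GRANTABLE column of USER_TAB_PRIVS. The users A, B, C, table T and view V are the ones from the question; the final REVOKE shows that A can take the access back from C without knowing about V, because revoking an object privilege cascades to grants that depended on it.

```sql
-- As user A: the grant must carry GRANT OPTION, otherwise B's later
-- GRANT on V fails with ORA-01720 as shown in the answer above.
CREATE TABLE t (id NUMBER);
GRANT SELECT ON t TO b WITH GRANT OPTION;

-- As user B: check what was received and whether it can be re-granted.
-- GRANTABLE = 'YES' is what makes the GRANT on V possible.
SELECT owner, table_name, privilege, grantable
  FROM user_tab_privs
 WHERE owner = 'A'
   AND table_name = 'T';
-- expected: A  T  SELECT  YES

-- As user B: now the view can be created and shared.
CREATE VIEW v AS SELECT * FROM a.t;
GRANT SELECT ON v TO c;          -- succeeds only because GRANTABLE = YES

-- As user C: works; C still has no direct privilege on A.T.
SELECT * FROM b.v;

-- As user A: revoking the object privilege from B cascades, so
-- C's access through B.V disappears at the same time.
REVOKE SELECT ON t FROM b;

-- As user C: now fails (ORA-00942 or ORA-01031, depending on version/object).
SELECT * FROM b.v;
```

The point for a reviewer of an Oracle schema is that the GRANT OPTION is the control: the owner of the base table decides, at grant time, whether the grantee may build views that expose the data to third parties, and can audit those decisions by querying DBA_TAB_PRIVS for GRANTABLE = 'YES'.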