OraFAQ Forum: SQL & PL/SQL » Unexpected Grants To Public

Home » SQL & PL/SQL » SQL & PL/SQL » Unexpected Grants To Public

Show: Today's Messages :: Polls :: Message Navigator
E-mail to friend

Unexpected Grants To Public [message #685447]

Wed, 12 January 2022 01:20

Gogetter
Messages: 39
Registered: December 2009
Location: Cologne Germany

Member

Hi all,

for audit reasons we are not allowed to grant rights to Public. Now for a few days there is always a right that is automatically granted.

SELECT *  FROM dba_tab_privs WHERE grantee = 'PUBLIC' AND owner = 'XXXXXXXXXX'

GRANTEE    OWNER      TABLE_NAME                     GRANTOR    PRIVILEGE                                GRA HIE COM TYPE                     INH
---------- ---------- ------------------------------ ---------- ---------------------------------------- --- --- --- ------------------------ ---
PUBLIC     XXXXXXXXXX ST00001VQR0xGSIqbgUwYKF6yqCA=  XXXXXXXXXX EXECUTE                                  NO  NO  NO  TYPE                     NO

Is there a way to find the procdure or package which causes the grant?

If I revoke the right, it will be granted again in the following days with another "Table" Name

thanks for your help
regards
Rudi

Report message to a moderator

Re: Unexpected Grants To Public [message #685449 is a reply to message #685447]

Wed, 12 January 2022 02:23

Frank
Messages: 7897
Registered: March 2000

Senior Member

I would start by querying dba_objects to see what object type those 'tables' are. That might shed some light on where these grants come from.
Also, it may help to know if your hidden username is an oracle internal account (MDSYS, XDB, etc) or an application schema.

Report message to a moderator

Re: Unexpected Grants To Public [message #685450 is a reply to message #685447]

Wed, 12 January 2022 02:39

Michel Cadot
Messages: 68417
Registered: March 2007
Location: Nanterre, France, http://...

Senior Member
Account Moderator

Quote:

Is there a way to find the procdure or package which causes the grant?

No, it may be a command from a client tool or a program.

Your solution is to 1) activate the audit on GRANT (depends on your version you didn't post) and 2) create a DDL trigger on GRANT to forbid the action:

SQL> create or replace trigger trg_grant
  2  before grant on database
  3  disable
  4  declare
  5    name_list ora_name_list_t;
  6    n         binary_integer;
  7  begin
  8    n := ora_grantee (name_list);
  9    for i in 1..n loop
 10      if name_list(i) = 'PUBLIC' then
 11        raise_application_error(-20000, 'GRANT to PUBLIC is not allowed');
 12      end if;
 13    end loop;
 14  end;
 15  /

Trigger created.

SQL> alter trigger trg_grant enable;

Trigger altered.

SQL> grant select on t to scott;

Grant succeeded.

SQL>  grant select on t to public;
 grant select on t to public
                 *
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20000: GRANT to PUBLIC is not allowed
ORA-06512: at line 8

Report message to a moderator

Re: Unexpected Grants To Public [message #685451 is a reply to message #685449]

Wed, 12 January 2022 03:21

Gogetter
Messages: 39
Registered: December 2009
Location: Cologne Germany

Member

Thanks for your answers.

The current DB Version is Version 18.12.0.0.0.

Quote:

I would start by querying dba_objects to see what object type those 'tables' are. That might shed some light on where these grants come from.
Also, it may help to know if your hidden username is an oracle internal account (MDSYS, XDB, etc) or an application schema.

It's an application schema. It's the name of a client so i had to mask it. The object type is "TYPE".

Quote:

Your solution is to 1) activate the audit on GRANT (depends on your version you didn't post) and 2) create a DDL trigger on GRANT to forbid the action:

I thinks it's an internal process, which creates a temporary TYPE and grants it to public. This sometime happens by using plsql tables in stored procedures or packages - but I do not know the circumstances.
I'm going to try your solution out, that looks like a workable solution. Since we will be switching to an ADB in the coming weeks, there could be problems there. However, we could already successfully implement a logon trigger in the ADB.

Report message to a moderator

Previous Topic:	Oracle generate from-to DATE ranges and group by
Next Topic:	PL/SQL escaping variable with a single quote

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Thu Mar 23 06:06:25 CDT 2023