check_sys_grants - missing role_sys_privs #1050

Closed
pajusin opened this issue Mar 5, 2020 · 2 comments · Fixed by #1056

pajusin commented Mar 5, 2020

Script check_sys_grants checks only user_sys_privs. The problem is that on some Oracle configurations sys privs can also be configured via roles (view ROLE_SYS_PRIVS).

Original code for getting sys privileges (from user_sys_privs):
minus (select privilege from user_sys_privs union all select replace(privilege,' ANY') privilege from user_sys_privs)

My proposal is to union also view ROLE_SYS_PRIVS, because on my configuration there are some privileges which are provided via role.

minus (select privilege from user_sys_privs union all select replace(privilege,' ANY') privilege from user_sys_privs union all select privilege from role_sys_privs)

Source views for SYS privileges:

  • user level
    select PRIVILEGE from user_sys_privs
  • role level
    select PRIVILEGE from role_sys_privs

l_version=12.2.0.1.0
l_compatibility=12.2.0


pajusin commented Mar 9, 2020

Update patch proposal including ANY privilege removal:

 source/check_sys_grants.sql | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/source/check_sys_grants.sql b/source/check_sys_grants.sql
index 7b164495..4e3da8ca 100644
--- a/source/check_sys_grants.sql
+++ b/source/check_sys_grants.sql
@@ -22,7 +22,14 @@ begin
     from user_sys_privs
     union all
     select replace(privilege,' ANY') privilege
-    from user_sys_privs)
+    from user_sys_privs
+    union all
+    select privilege
+    from role_sys_privs
+    union all
+    select replace(privilege,' ANY') privilege
+    from role_sys_privs
+    )
   );
   if l_missing_grants is not null then
     raise_application_error(
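
Review bot: The two added `role_sys_privs` branches take every row the view returns, with no condition on whether the role is enabled in the installing session, so a privilege that is reachable only through a role that is not active would still be subtracted from `l_missing_grants` and the check would pass. Consider restricting both branches to roles present in `session_roles` (join on the role name). As a style point, the closing `)` now sits on its own line with a trailing space; keeping it on the last `from role_sys_privs` line would match the line it replaces.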


jgebal commented Mar 10, 2020

Thank you for reporting this @pajusin

It's actually a great improvement and I've learned something new about the data dictionary.

The query that we will be using will also be checking if the role is active in the session.

The view role_sys_privs shows roles that are inactive and can be inaccurate in that way.
We will join with session_roles to look at only the active roles before performing the install.

jgebal self-assigned this Mar 12, 2020
jgebal added the bug label Mar 12, 2020
jgebal added this to the 3.1.11 milestone Mar 12, 2020
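
The check discussed in this thread, written out as an added example (not part of the original thread and not the project's own query): for each required privilege it reports whether the current user holds it directly, through a role enabled in the session, or only through a role that is not enabled. The three entries in `required_privs` are constructed placeholders, not the project's actual list.

```sql
-- Added example: run as the installing user on Oracle 11.2 or later.
with required_privs (privilege) as (
  -- Constructed placeholder list of privileges the install needs.
  select 'CREATE TYPE'      from dual union all
  select 'CREATE VIEW'      from dual union all
  select 'CREATE PROCEDURE' from dual
),
granted as (
  -- Privileges granted directly to the user are always in effect.
  select privilege, 'DIRECT' as via, 'Y' as active
    from user_sys_privs
  union all
  -- role_sys_privs lists privileges of every role the user can access;
  -- session_roles lists only the roles enabled right now.
  select rsp.privilege,
         rsp.role as via,
         case when sr.role is not null then 'Y' else 'N' end as active
    from role_sys_privs rsp
    left join session_roles sr
      on sr.role = rsp.role
)
select r.privilege,
       case max(g.active)            -- 'Y' sorts above 'N'
         when 'Y' then 'OK'
         when 'N' then 'ROLE NOT ENABLED'
         else 'MISSING'
       end as status,
       listagg(nvl2(g.via, g.via || '(' || g.active || ')', null), ', ')
         within group (order by g.via) as granted_via
  from required_privs r
  left join granted g
    -- An "ANY" variant (e.g. CREATE ANY VIEW) also satisfies the plain one.
    on r.privilege in (g.privilege, replace(g.privilege, ' ANY'))
 group by r.privilege
 order by r.privilege;
```

A row with status `ROLE NOT ENABLED` is the case the plain `role_sys_privs` union would report as satisfied.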