Grant create any trigger vs grant create trigger


Problem description

In Oracle you can grant system privileges like

GRANT CREATE TRIGGER TO MY_USER;

But you can as well grant privileges this way

GRANT CREATE ANY TRIGGER TO MY_USER;

As system privileges are system-wide, where is the difference between the 2 statements above? Does the additional ANY keyword grant anything more than system? If I add a Grant ... ON SCHEMA ... it's no system privilege anymore, is it?

The assumption is that there are multiple schemas/objects in the database from different users that one cannot access without these privileges.

Edit:

SELECT *
FROM DBA_SYS_PRIVS
WHERE grantee = 'MY_USER';

returns

GRANTEE      PRIVILEGE
------------ ------------------
MY_USER      CREATE ANY TRIGGER
MY_USER      CREATE TRIGGER

(I omitted the ADMIN_OPTION and COMMON columns)

And the result is the same when querying this as MY_USER, MY_USER2 or any other user. I see no connection to a schema here. And it is also possible to only have the CREATE ANY TRIGGER privilege.

Accepted answer

In most cases, the trigger owner is also the owner of the table (or view) on which the trigger is based. In those cases, the table owner, with CREATE TRIGGER, can create triggers on their own table.

CREATE ANY TRIGGER allows the user to create a trigger owned by any user on any table. It is a big security hole because they can create a trigger owned by a privileged user on a table that they own or can insert into. Because they can insert into that table, they can force the trigger to execute, and the trigger executes with the privileges of the trigger owner. The effect is that a user with the CREATE ANY TRIGGER privilege can create and execute code as a privileged user (similar to having CREATE ANY PROCEDURE plus EXECUTE ANY PROCEDURE).

Limit it to as few people as possible and audit appropriately.
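The "limit and audit" advice in the answer translates into a few DBA queries. The following is an added example, not part of the original question or answer: it finds who holds CREATE ANY TRIGGER (directly or via a role), lists triggers whose owner differs from the owner of the base table (the cross-schema pattern the answer warns about), switches on auditing for the privilege, and revokes it. It uses the standard DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_TRIGGERS views; the policy name any_trigger_pol and the grantee my_user are placeholders, and the list of Oracle-maintained schemas excluded in step 3 is an assumption to adjust per installation.

```sql
-- 1. Direct grants of the privilege (mirrors the DBA_SYS_PRIVS query in the question,
--    but filtered by privilege rather than by grantee).
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE ANY TRIGGER';

-- 2. Grants inherited through a role (one level of role nesting shown).
SELECT rp.grantee, rp.granted_role, sp.privilege
FROM   dba_role_privs rp
JOIN   dba_sys_privs  sp ON sp.grantee = rp.granted_role
WHERE  sp.privilege = 'CREATE ANY TRIGGER';

-- 3. Triggers that run as one schema but fire on another schema's table or view.
--    A trigger owned by a privileged schema on a table writable by a less privileged
--    user is exactly the situation the answer describes; each row deserves review.
SELECT owner AS trigger_owner, trigger_name, table_owner, table_name, status
FROM   dba_triggers
WHERE  base_object_type IN ('TABLE', 'VIEW')
AND    owner <> table_owner
AND    owner NOT IN ('SYS', 'SYSTEM', 'MDSYS', 'XDB')   -- assumed list, adjust to the install
ORDER  BY trigger_owner, table_owner, table_name;

-- 4a. Audit every use of the privilege (traditional auditing) ...
AUDIT CREATE ANY TRIGGER;

-- 4b. ... or, with unified auditing (12c and later), as a named policy.
CREATE AUDIT POLICY any_trigger_pol PRIVILEGES CREATE ANY TRIGGER;
AUDIT POLICY any_trigger_pol;

-- 5. Revoke the ANY form where it is not needed; a schema owner keeps plain
--    CREATE TRIGGER and can still create triggers on its own tables.
REVOKE CREATE ANY TRIGGER FROM my_user;
```

Run steps 1 to 3 as a DBA before changing anything; step 3 in particular separates legitimate cross-schema triggers (an application schema auditing its own companion schema, for instance) from ones nobody can explain.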
