oracle 授予创建任何触发器与授予创建触发器
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/49256959/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Grant create any trigger vs grant create trigger
提问by Chr?z says reinstate Monica
In Oracle you can grant system privileges like
在 Oracle 中,您可以授予系统权限,例如
GRANT CREATE TRIGGER TO MY_USER;
But you can as well grant privileges this way
但是您也可以通过这种方式授予权限
GRANT CREATE ANY TRIGGER TO MY_USER;
As system privileges are system-wide, where is the difference between the 2 statements above. Does the additional ANY-keyword grant anything else more than system? If I add a Grant ... ON SCHEMA ...it's no system privilege anymore, is it?
由于系统权限是系统范围的,因此上面 2 个语句之间的区别在哪里。除了ANYsystem之外,附加的-keyword是否授予其他任何东西?如果我添加Grant ... ON SCHEMA ...它就不再是系统权限了,是吗?
Assumption is that there are multiple schemas/objects in the database from different users one cannot access without these privileges.
假设数据库中有来自不同用户的多个模式/对象,没有这些权限就无法访问。
EDIT:
编辑:
SELECT *
FROM DBA_SYS_PRIVS
WHERE grantee = 'MY_USER';
returns
回报
GRANTEE PRIVILEGE
------------ -------------
MY_USER CREATE ANY TRIGGER
MY_USER CREATE TRIGGER
(I omitted the columns ADMIN_OPTIONand COMMON)
(我省略了列ADMIN_OPTION和COMMON)
And the result is the same when querying this with MY_USER, MY_USER2 or any other user. I see no connection to a schema here. And it is also possible to only have the CREATE ANY TRIGGER-privilege.
当使用 MY_USER、MY_USER2 或任何其他用户查询时,结果是相同的。我在这里看不到与模式的联系。并且也可以只拥有CREATE ANY TRIGGER-privilege。
回答by Gary Myers
In most cases, the trigger owner is also the owner of the table (or view) on which the trigger is based. In those cases, the table owner, with CREATE TRIGGER can create create triggers on their own table.
在大多数情况下,触发器所有者也是触发器所基于的表(或视图)的所有者。在这些情况下,表所有者可以使用 CREATE TRIGGER 在他们自己的表上创建创建触发器。
CREATE ANY TRIGGER allows the user to create a trigger owned by any user on any table. It is a big security hole because they can create a trigger owned by a privileged user on a table that they own or can insert into. Because they can insert into that table, they can force the trigger to execute and the trigger executes with the privileges of the trigger owner. The effect is that a user with CREATE ANY TRIGGER privilege can create and execute code as a privileged user (similar to having CREATE ANY PROCEDURE plus EXECUTE ANY PROCEDURE).
CREATE ANY TRIGGER 允许用户在任何表上创建由任何用户拥有的触发器。这是一个很大的安全漏洞,因为他们可以在他们拥有或可以插入的表上创建由特权用户拥有的触发器。因为他们可以插入到该表中,所以他们可以强制执行触发器,并且触发器以触发器所有者的权限执行。结果是具有 CREATE ANY TRIGGER 特权的用户可以作为特权用户创建和执行代码(类似于具有 CREATE ANY PROCEDURE 加 EXECUTE ANY PROCEDURE)。
Limit to as few as people as possible and audit appropriately.
将人数限制在尽可能少的范围内,并进行适当的审核。
回答by Ivo Breeden
The first statements grants the right to create triggers in the schema of MY_USER. The owner will always by MY_USER.
第一条语句授予在 MY_USER 模式中创建触发器的权限。所有者将始终由 MY_USER 提供。
The second statements grants the right to create triggers in ANY schema. The owner of the trigger can then be any user.
第二个语句授予在 ANY 模式中创建触发器的权限。触发器的所有者可以是任何用户。
The last option is usually not wanted because it gives user MY_USERS the possibility to corrupt the data model.
通常不需要最后一个选项,因为它使用户 MY_USERS 有可能破坏数据模型。
