Bypass table privilege and WITH GRANT OPTION by creating views

In Oracle, a user only needs privileges on a view to SELECT from it, or more precisely from the table seen through the view. No privileges on the table itself are needed.

Consider this scenario:

Table T belongs to A
A GRANT SELECT ON T to B (without GRANT OPTION)
B CREATE VIEW V AS SELECT * FROM A.T
B GRANT SELECT ON V TO C
C performing SELECT * FROM B.V

By the rule above, C can select from V, which is effectively the same as selecting from T. Is this cheating? B effectively lets C see A.T even though C has no rights on T and B has no GRANT OPTION. Is there a security hole somewhere?

What you describe does not hold. As user A:

create table t (id number);

Table T created.

grant select on t to b;

Grant succeeded.

As user B:

create view v as select * from a.t;

View V created.

grant select on v to c;

SQL Error: ORA-01720: grant option does not exist for 'A.T'
01720. 00000 -  "grant option does not exist for '%s.%s'"
*Cause:    A grant was being performed on a view or a view was being replaced
           and the grant option was not present for an underlying object.
*Action:   Obtain the grant option on all underlying objects of the view or
           revoke existing grants on the view.

This is mentioned in the documentation:

Note:
To grant SELECT on a view to another user, either you must own all of the objects underlying the view or you must have been granted the SELECT object privilege WITH GRANT OPTION on all of those underlying objects. This is true even if the grantee already has SELECT privileges on those underlying objects.

Even the GRANT ANY OBJECT PRIVILEGE privilege does not bypass this; although there must be some (powerful) privilege that does, since a full DBA can grant select on b.v to c.
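As an added example (not part of the question or the answer above), the same three-user scenario run end to end in Oracle SQL, first with a plain grant, which fails at the re-grant with ORA-01720, and then with WITH GRANT OPTION, which is the only change needed for B's grant on the view to succeed. It also shows the check a practitioner would run as B: the GRANTABLE column of USER_TAB_PRIVS_RECD tells you up front whether a received privilege can be passed on. It assumes users A, B and C already exist, that B has CREATE VIEW, and that each block is executed while connected as the user named in its comment.

```sql
-- Added example; not code from the original post.
-- Assumes users A, B and C exist, B has CREATE VIEW, C has CREATE SESSION,
-- and each section is run while connected as the user named in its comment.

-- As A: create the table and grant SELECT to B without GRANT OPTION.
CREATE TABLE t (id NUMBER);
INSERT INTO t (id) VALUES (1);
COMMIT;
GRANT SELECT ON t TO b;

-- As B: check what was received. GRANTABLE is 'NO', so B cannot pass it on.
SELECT owner, table_name, privilege, grantable
  FROM user_tab_privs_recd
 WHERE owner = 'A' AND table_name = 'T';

-- As B: creating the view is allowed (B holds SELECT on A.T) ...
CREATE VIEW v AS SELECT * FROM a.t;
-- ... but granting the view to C fails:
-- ORA-01720: grant option does not exist for 'A.T'
GRANT SELECT ON v TO c;

-- As A: re-issue the grant WITH GRANT OPTION so B may delegate it.
GRANT SELECT ON t TO b WITH GRANT OPTION;

-- As B: GRANTABLE is now 'YES' ...
SELECT owner, table_name, privilege, grantable
  FROM user_tab_privs_recd
 WHERE owner = 'A' AND table_name = 'T';
-- ... and the grant on the view succeeds.
GRANT SELECT ON v TO c;

-- As C: reads A.T through B's view, with no direct privilege on A.T.
SELECT * FROM b.v;
```

The point of the GRANTABLE check is that the restriction is enforced at grant time on the view owner, not at query time on the view's users: once A has said WITH GRANT OPTION, B is the one deciding who else sees A.T, so that option should be handed out as deliberately as a direct grant to C would be.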