{"id":3616,"date":"2014-11-26T18:18:29","date_gmt":"2014-11-26T17:18:29","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/"},"modified":"2014-11-26T18:18:29","modified_gmt":"2014-11-26T17:18:29","slug":"12c-privilege-analysis-rocks","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/","title":{"rendered":"Oracle 12c privilege analysis rocks"},"content":{"rendered":"

By Franck Pachot<\/h2>\n

.
\n12c came with a very nice feature: privilege analysis. You don’t know which privileges are required? then just grant DBA, run your application, and check which minimal privileges are needed. And today, I’ve discovered how it is very powerful: you can even see privileges used internally, even when not done by SQL, and even not documented.<\/p>\n

It starts like that, with a question from Vladimir Sitnikov (who publishes very interesting stuff from his twitter account) in the tone of a challenge:<\/p>\n

@FranckPachot<\/a> Ok, ace. Do you think dbms_utility.get_parameter_value requires special grants (e.g. in current 11gR2)?<\/p>\n

\u2014 Vladimir Sitnikov (@VladimirSitnikv) November 26, 2014<\/a><\/p><\/blockquote>\n

So I got to the doc<\/a>\u00a0which has a special security model for some functions but nothing about get_parameter_value.<\/p>\n

Then I created a simple user with only CREATE SESSION privilege and got:<\/p>\n

SQL> drop user TEST;\nUser dropped.\nSQL> grant create session to TEST identified by TEST;\nGrant succeeded.\nSQL> connect TEST\/TEST\nConnected.\nSQL> variable i number\nSQL> variable s varchar2(1000)\nSQL> variable t number\nSQL> exec :t:=DBMS_UTILITY.GET_PARAMETER_VALUE('NLS_LENGTH_SEMANTICS',:i,:s);\nBEGIN :t:=DBMS_UTILITY.GET_PARAMETER_VALUE('NLS_LENGTH_SEMANTICS',:i,:s); END;\n*\nERROR at line 1:\nORA-01031: insufficient privileges\nORA-06512: at \"SYS.DBMS_UTILITY\", line 140\nORA-06512: at line 1\n\n<\/pre>\n
So, which privileges do you need? Let’s try the 12c privilege analysis:<\/p>\n
SQL> grant dba to TEST;\nGrant succeeded.\n\nSQL> connect \/ as sysdba\nConnected.\n\nSQL> exec dbms_privilege_capture.create_capture (name=>'demo',type =>dbms_privilege_capture.g_role,roles=>role_name_list('DBA'));\nPL\/SQL procedure successfully completed.\n\nSQL> exec dbms_privilege_capture.enable_capture (name=>'demo');\nPL\/SQL procedure successfully completed.\n\nSQL> connect TEST\/TEST\nConnected.\n\nSQL> exec :t:=dbms_utility.get_parameter_value('NLS_LENGTH_SEMANTICS',:i,:s);\nPL\/SQL procedure successfully completed.\n\nSQL> print s\n\nS\n--------------------------------------------------------------\nBYTE\n\nSQL> connect \/ as sysdba\nConnected.\n\nSQL> exec dbms_privilege_capture.disable_capture(name=>'demo');\nPL\/SQL procedure successfully completed.\n\nSQL> exec dbms_privilege_capture.generate_result(name=>'demo');\nPL\/SQL procedure successfully completed.\n\nSQL> select object_owner,object_name,obj_priv from dba_used_objprivs ;\n\nOBJECT_OWN OBJECT_NAME     OBJ_PRIV\n---------- --------------- ----------\nSYS        V_$PARAMETER    SELECT\n\nSQL> select path from dba_used_objprivs_path ;\n\nPATH\n--------------------------------------------------------------\nGRANT_PATH('TEST', 'DBA', 'EXP_FULL_DATABASE', 'SELECT_CATALOG_ROLE')\nGRANT_PATH('TEST', 'DBA', 'EM_EXPRESS_ALL', 'EM_EXPRESS_BASIC', 'SELECT_CATALOG_ROLE')\nGRANT_PATH('TEST', 'DBA', 'DATAPUMP_IMP_FULL_DATABASE', 'EXP_FULL_DATABASE', 'SELECT_CATALOG_ROLE')\nGRANT_PATH('TEST', 'DBA', 'DATAPUMP_EXP_FULL_DATABASE', 'EXP_FULL_DATABASE', 'SELECT_CATALOG_ROLE')\nGRANT_PATH('TEST', 'DBA', 'IMP_FULL_DATABASE', 'SELECT_CATALOG_ROLE')\nGRANT_PATH('TEST', 'DBA', 'DATAPUMP_IMP_FULL_DATABASE', 'IMP_FULL_DATABASE', 'SELECT_CATALOG_ROLE')\nGRANT_PATH('TEST', 'DBA', 'SELECT_CATALOG_ROLE')\n\nSQL> exec dbms_privilege_capture.drop_capture (name=>'demo');\nPL\/SQL procedure successfully completed.\n\n<\/pre>\n
I’ve granted the DBA privilege and have run the privilege analysis capture on that role while calling the function. And bingo: you need to be granted SELECT on V_$PARAMETER (which come into DBA role through the SELECT_CATALOG_ROLE) … which sounds legitimate as the goal is to get a parameter value.<\/p>\n
But do you know what? DBMS_UTILITY.GET_PARAMETER_VALUE do not execute any select statement. That behavior is documented in that package for other function, but not for the GET_PARAMETER_VALUE one:<\/p>\n
Rem The dbms_utility package is run-as-caller (psdicd.c) only for\nRem its name_resolve, compile_schema, analyze_schema, wait_on_pending_dml,\nRem and expand_sql_text procedures. This package is not run-as-caller\nRem w.r.t. SQL (psdpgi.c) so that the SQL works correctly (runs as\nRem SYS). The privileges are checked via dbms_ddl.<\/pre>\n
 <\/p>\n
That function calls a C function (KSPGPNICD) so we don’t know what happens behind. If you sql_trace it, you don’t see anything about V_$PARAMETER.<\/p>\n
But privilege analysis show the required privileges anyway, and that rocks.<\/p>\n","protected":false},"excerpt":{"rendered":"
By Franck Pachot . 12c came with a very nice feature: privilege analysis. You don’t know which privileges are required? then just grant DBA, run your application, and check which minimal privileges are needed. And today, I’ve discovered how it is very powerful: you can even see privileges used internally, even when not done by […]<\/p>\n","protected":false},"author":27,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[198,59],"tags":[96,209],"type_dbi":[],"class_list":["post-3616","post","type-post","status-publish","format-standard","hentry","category-database-management","category-oracle","tag-oracle","tag-oracle-12c"],"acf":[],"yoast_head":"\nOracle 12c privilege analysis rocks - dbi Blog<\/title>\n<meta name=\"description\" content=\"Using privilege analysis to know the security model of dbms_utility\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Oracle 12c privilege analysis rocks\" \/>\n<meta property=\"og:description\" content=\"Using privilege analysis to know the security model of dbms_utility\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2014-11-26T17:18:29+00:00\" \/>\n<meta name=\"author\" content=\"Oracle Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Oracle Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/12c-privilege-analysis-rocks\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/12c-privilege-analysis-rocks\\\/\"},\"author\":{\"name\":\"Oracle Team\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#\\\/schema\\\/person\\\/66ab87129f2d357f09971bc7936a77ee\"},\"headline\":\"Oracle 12c privilege analysis rocks\",\"datePublished\":\"2014-11-26T17:18:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/12c-privilege-analysis-rocks\\\/\"},\"wordCount\":288,\"commentCount\":1,\"keywords\":[\"Oracle\",\"Oracle 12c\"],\"articleSection\":[\"Database management\",\"Oracle\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/12c-privilege-analysis-rocks\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/12c-privilege-analysis-rocks\\\/\",\"url\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/12c-privilege-analysis-rocks\\\/\",\"name\":\"Oracle 12c privilege analysis rocks - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#website\"},\"datePublished\":\"2014-11-26T17:18:29+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#\\\/schema\\\/person\\\/66ab87129f2d357f09971bc7936a77ee\"},\"description\":\"Using privilege analysis to know the security model of dbms_utility\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/12c-privilege-analysis-rocks\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/12c-privilege-analysis-rocks\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/12c-privilege-analysis-rocks\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Oracle 12c privilege analysis rocks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/#\\\/schema\\\/person\\\/66ab87129f2d357f09971bc7936a77ee\",\"name\":\"Oracle Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"caption\":\"Oracle Team\"},\"url\":\"https:\\\/\\\/www.dbi-services.com\\\/blog\\\/author\\\/oracle-team\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Oracle 12c privilege analysis rocks - dbi Blog","description":"Using privilege analysis to know the security model of dbms_utility","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/","og_locale":"en_US","og_type":"article","og_title":"Oracle 12c privilege analysis rocks","og_description":"Using privilege analysis to know the security model of dbms_utility","og_url":"https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/","og_site_name":"dbi Blog","article_published_time":"2014-11-26T17:18:29+00:00","author":"Oracle Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Oracle Team","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/"},"author":{"name":"Oracle Team","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"headline":"Oracle 12c privilege analysis rocks","datePublished":"2014-11-26T17:18:29+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/"},"wordCount":288,"commentCount":1,"keywords":["Oracle","Oracle 12c"],"articleSection":["Database management","Oracle"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/","url":"https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/","name":"Oracle 12c privilege analysis rocks - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2014-11-26T17:18:29+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"description":"Using privilege analysis to know the security model of dbms_utility","breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/12c-privilege-analysis-rocks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Oracle 12c privilege analysis rocks"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee","name":"Oracle Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","caption":"Oracle Team"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/oracle-team\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/3616","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=3616"}],"version-history":[{"count":0,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/3616\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=3616"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=3616"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=3616"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=3616"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}