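In an Oracle database, suppose we create an ordinary user and grant it only the basic privileges to connect and create tables. Beyond those, what else can this ordinary user do?
Environment setup
create user t21 identified by oracle;
grant connect,resource to t21;
--Check T21's current privileges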
SQL> select granted_role,ADMIN_OPTION from dba_role_privs where grantee='T21';
GRANTED_ROLE                   ADM
------------------------------ ---
CONNECT                        NO
SQL> select PRIVILEGE,ADMIN_OPTION from DBA_SYS_PRIVS where grantee='RESOURCE';
PRIVILEGE                                ADM
---------------------------------------- ---
CREATE TRIGGER                           NO
CREATE SEQUENCE                          NO
CREATE TYPE                              NO
CREATE PROCEDURE                         NO
CREATE CLUSTER                           NO
CREATE OPERATOR                          NO
CREATE INDEXTYPE                         NO
CREATE TABLE                             NO
8 rows selected.
SQL>
SQL> select PRIVILEGE,ADMIN_OPTION from DBA_SYS_PRIVS where grantee='CONNECT';
PRIVILEGE                                ADM
---------------------------------------- ---
CREATE SESSION                           NO
SQL>
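As shown above, these are the privileges we can enumerate for the T21 user: it can connect to the database and create some basic objects. On closer inspection, T21 can also query all of the ALL_ views, and some of them reveal a great deal. Among these privileges there is one called public.
--DBA user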
SQL> show user
USER is "MYTEST"
SQL> select count(*) from all_users;
COUNT(*)
----------
47
SQL> select count(*) from all_tables;
COUNT(*)
----------
3114
SQL> select count(*) from all_objects;
COUNT(*)
----------
90719
SQL>
--T21, ordinary user
SQL> show user
USER is "T21"
SQL> select count(*) from all_users;
COUNT(*)
----------
47
SQL> select count(*) from all_tables;
COUNT(*)
----------
103
SQL> select count(*) from all_objects;
COUNT(*)
----------
73191
SQL>
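From the above we can see that T21 can see relatively few tables, but it can see a great deal through the objects view. Oracle has something called public here: it is neither a user nor any kind of object, but is more like a collection of all database users. Once a role or an object is granted to public, every user can access it, for example when creating a dblink. So how many privileges does public have?
--Total privileges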
SQL> select count(*) from dba_tab_privs where GRANTEE='PUBLIC' ;
COUNT(*)
----------
37028
SQL>
--Breakdown
SQL> select owner,PRIVILEGE,count(*) from dba_tab_privs where GRANTEE='PUBLIC' group by owner,privilege order by 1,2;
OWNER                          PRIVILEGE                                  COUNT(*)
------------------------------ ---------------------------------------- ----------
APEX_030200                    DELETE                                            3
APEX_030200                    EXECUTE                                          66
APEX_030200                    INSERT                                            1
APEX_030200                    SELECT                                          116
APEX_030200                    UPDATE                                            1
CTXSYS                         DELETE                                            8
CTXSYS                         EXECUTE                                          32
CTXSYS                         INSERT                                           11
CTXSYS                         SELECT                                           66
CTXSYS                         UPDATE                                            5
DBSNMP                         EXECUTE                                           1
EXFSYS                         EXECUTE                                          42
EXFSYS                         SELECT                                           41
MDSYS                          ALTER                                             1
MDSYS                          DELETE                                           39
MDSYS                          EXECUTE                                         963
MDSYS                          INSERT                                           42
MDSYS                          SELECT                                          142
MDSYS                          UPDATE                                           33
OLAPSYS                        DELETE                                            2
OLAPSYS                        EXECUTE                                           3
OLAPSYS                        INSERT                                            2
OLAPSYS                        SELECT                                          172
ORDDATA                        DELETE                                            1
ORDDATA                        SELECT                                            5
ORDPLUGINS                     EXECUTE                                           5
ORDSYS                         EXECUTE                                        2453
ORDSYS                         SELECT                                            5
SYS                            DELETE                                           14
SYS                            DEQUEUE                                           3
SYS                            EXECUTE                                       30998
SYS                            FLASHBACK                                         2
SYS                            INSERT                                           17
SYS                            SELECT                                         1408
SYS                            UPDATE                                            9
SYS                            USE                                               1
SYSTEM                         DELETE                                            6
SYSTEM                         INSERT                                            6
SYSTEM                         SELECT                                            8
SYSTEM                         UPDATE                                            6
WMSYS                          EXECUTE                                          27
WMSYS                          SELECT                                           88
XDB                            DELETE                                            6
XDB                            EXECUTE                                         134
XDB                            INSERT                                            6
XDB                            SELECT                                           23
XDB                            UPDATE                                            5
47 rows selected.
SQL>
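From the above we can see that most of public's privileges are SELECT and EXECUTE, so even a completely ordinary user can see a great deal in the database. When working on database security, it is best to manage user passwords and privileges at a fine-grained level.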
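The counts above show how much is granted to public but not which grants deserve attention. The queries below are an added example, not part of the original post, that break the same DBA_TAB_PRIVS data down for review; the package list in query 2 is an assumption chosen for illustration and should be replaced with your own hardening baseline.

```sql
-- Added example, not from the original post. Run as a user that can
-- read DBA_TAB_PRIVS, DBA_OBJECTS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS.

-- 1. Object names behind the PUBLIC write grants counted above.
--    Vendor schemas dominate the post's output; any row from an
--    application schema here deserves a closer look.
SELECT p.owner, p.table_name, o.object_type, p.privilege, p.grantable
FROM   dba_tab_privs p
JOIN   dba_objects   o
       ON  o.owner       = p.owner
       AND o.object_name = p.table_name
WHERE  p.grantee   = 'PUBLIC'
AND    p.privilege IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER')
AND    o.object_type IN ('TABLE', 'VIEW')
ORDER  BY p.owner, p.table_name, p.privilege;

-- 2. EXECUTE granted to PUBLIC on packages that reach the file system
--    or the network. The package list is a sample chosen for this
--    example (assumption); extend it to match your own baseline.
SELECT owner, table_name AS package_name, grantor
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    privilege  = 'EXECUTE'
AND    owner      = 'SYS'
AND    table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_SMTP',
                      'UTL_HTTP', 'UTL_INADDR')
ORDER  BY table_name;

-- 3. System privileges and roles granted to PUBLIC. Every row is
--    inherited by T21 and by every other account in the database.
SELECT 'SYSTEM PRIVILEGE' AS kind, privilege AS name, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC'
UNION ALL
SELECT 'ROLE', granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'PUBLIC'
ORDER  BY 1, 2;
```

Revoking a default grant from public can invalidate dependent objects, so test each revoke on a non-production copy before applying it.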