8.3. General Privileges

I've seen a number of servers that have granted PUBLIC the execute permission on DBMS_RLS, and several tutorials on virtual private databases that do the same. This is not a good idea. There are also other packages that should not have the execute permission granted to PUBLIC, such as SYS.LTADM, which has a procedure called CREATERLSPOLICY that directly calls the DBMS_RLS.ADD_POLICY procedure. DBMS_FGA is clearly another. WK_ADM, owned by WKSYS, is executable by PUBLIC and allows limited modification of policies.

Lastly, if someone can grant themselves the EXEMPT ACCESS POLICY system privilege — for example, via a SQL injection flaw — then policies will not apply to them.
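An audit for the conditions described in this section, added here as an example and not taken from the book: it reports which of the named packages PUBLIC can execute and who holds EXEMPT ACCESS POLICY, directly or through a chain of roles. It assumes an account that can read the DBA_TAB_PRIVS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS dictionary views, and that DBMS_RLS and DBMS_FGA are owned by SYS.

```sql
-- 1. Policy-administration packages named in this section that PUBLIC can execute.
--    Any row returned is a finding.
SELECT owner, table_name AS package_name, grantor, grantable
FROM   dba_tab_privs
WHERE  grantee   = 'PUBLIC'
AND    privilege = 'EXECUTE'
AND    (owner, table_name) IN (('SYS',   'DBMS_RLS'),
                               ('SYS',   'DBMS_FGA'),
                               ('SYS',   'LTADM'),
                               ('WKSYS', 'WK_ADM'))
ORDER  BY owner, table_name;

-- 2. Users and roles granted EXEMPT ACCESS POLICY directly.
--    ADMIN_OPTION = 'YES' means the grantee can pass the privilege on.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'EXEMPT ACCESS POLICY'
ORDER  BY grantee;

-- 3. Users and roles that inherit the privilege through role membership.
--    Starts at every role holding the privilege and walks down to its
--    grantees, including roles granted to other roles.
SELECT DISTINCT grantee, CONNECT_BY_ROOT granted_role AS exempt_role
FROM   dba_role_privs
START  WITH granted_role IN (SELECT grantee
                             FROM   dba_sys_privs
                             WHERE  privilege = 'EXEMPT ACCESS POLICY')
CONNECT BY PRIOR grantee = granted_role
ORDER  BY exempt_role, grantee;

-- Remediation for a finding from query 1 (check DBA_DEPENDENCIES and test
-- dependent applications before running against production):
-- REVOKE EXECUTE ON sys.dbms_rls FROM PUBLIC;
```

Compare the output of queries 2 and 3 against the accounts that are meant to bypass row-level policies; any grantee outside that list should have the privilege or role revoked.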
