Why Oracle Query Fails with Invoker Rights

oracle

I connect to oracle as sysdba and run this

but why is it failing when called with invoker rights? That is the p_user call.

Here is the code:

alter session set current_schema=x;
CREATE or replace package p_definer as
    procedure d(name_ varchar2);
end;
/
CREATE or replace package p_user authid current_user as
    procedure d(name_ varchar2);
end;
/
CREATE or replace package body p_definer as
    procedure d(name_ varchar2) as
    begin
        execute immediate 'drop procedure '||name_;
    end;
end;
/
CREATE or replace package body p_user as
    procedure d(name_ varchar2) as
    begin
        execute immediate 'drop procedure '||name_;
    end;
end;
/
create or replace procedure f_foo as
BEGIN
    dbms_output.put_line('hello world');
END;
/

And here are the calls

SQL> call p_user.d('f_foo');
call p_user.d('f_foo')
     *
ERROR at line 1:
ORA-06598: insufficient INHERIT PRIVILEGES privilege
ORA-06512: at "G_GS.P_USER", line 2

Why doesn't that work?

SQL>
SQL> call p_definer.d('f_foo');

Call completed.

Best Answer

Because this is a new 12c security feature.

User x creates a harmless package and everyone starts using it, even users with higher privileges, like SYS.

Now user x knows that SYS uses this package regularly, so user x could replace the contents of this package with some malicious code any time and do anything in the database, knowing the code will be ran by SYS sooner or later.

12c prevents this with this new feature:

INHERIT PRIVILEGES and INHERIT ANY PRIVILEGES Privileges

But if SYS trusts x, the following can be done:

grant inherit privileges on user sys to x;

This will allow x to inherit the privileges of SYS when running code like the above.

Related Solutions

Database – Definer and Invoker Rights in Oracle and MySQL

Let's take a simple example:

You have this procedure using "definer rights" - which is the default in Oracle.

CREATE PROCEDURE DEL_EMP AS
BEGIN
   DELETE FROM EMP;
END;

Another user who calls this procedure only needs EXECUTE privilege for this procedure, it is not required that such user has DELETE privilege on table EMP.

Procedure runs under permission of the procedure owner (or user who defined it, thus it is called "definer" rights).

"Inovker Rights" is the opposite. A user who likes to runs this procedure successfully must have EXECUTE privilege for this procedure and DELETE privilege for table EMP.

There are some more points regarding definer and invoker rights but for a general understanding this should be enough.

Convert string to number from xml at server side

cast relies on your session's NLS settings to convert between datatypes.

You should use to_number with an explicit number format model, something like:

SELECT to_number(nvl(trim(replace(xmltype(t.sce_msg).extract('//RoofInsulationCSV/Total/text()', 'xmlns="http://INT010.GPA.Schemas.External.GPA_AllFile').getstringval(),'.',',')),0), '999999999,99')
FROM        ta_main.serv_cons_event t
INNER JOIN  ta_main.event e
      ON    t.sce_evt_id_s = e.evt_id_s
WHERE       e.evt_typ_id_c IN ('INV', 'ACC');

You'll have to play around with the format model to fit your expected data.

Best Answer

Related Solutions

Database – Definer and Invoker Rights in Oracle and MySQL

Convert string to number from xml at server side

Related Question