为账号赋IMP_FULL_DATABASE安全么
--检查版本
SQL> SELECT * FROM V$VERSION;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
PL/SQL Release 11.1.0.7.0 - Production
CORE 11.1.0.7.0 Production
TNS for Linux: Version 11.1.0.7.0 - Production
NLSRTL Version 11.1.0.7.0 - Production
--当前用户及权限
SQL> select * from user_users;
USERNAME USER_ID ACCOUNT_STATUS LOCK_DATE EXPIRY_DATE DEFAULT_TABLESPACE TEMPORARY_TABLESPACE CREATED INITIAL_RSRC_CONSUMER_GROUP EXTERNAL_NAME
------------------------------ ---------- -------------------------------- ----------- ----------- ------------------------------ ------------------------------ ----------- ------------------------------ --------------------------------------------------------------------------------
DB_MONITOR 38 OPEN TBS_SUPPORT TBS_SUPPORT_TEMP 2013/09/09 DEFAULT_CONSUMER_GROUP
SQL> SELECT * FROM USER_ROLE_PRIVS;
USERNAME GRANTED_ROLE ADMIN_OPTION DEFAULT_ROLE OS_GRANTED
------------------------------ ------------------------------ ------------ ------------ ----------
SQL> select * from user_sys_privs;
USERNAME PRIVILEGE ADMIN_OPTION
------------------------------ ---------------------------------------- ------------
DB_MONITOR ADMINISTER DATABASE TRIGGER NO
DB_MONITOR SELECT ANY DICTIONARY NO
DB_MONITOR CREATE TABLE NO
DB_MONITOR CREATE JOB NO
DB_MONITOR CREATE PROCEDURE NO
DB_MONITOR SELECT ANY TABLE NO
DB_MONITOR MANAGE SCHEDULER NO
DB_MONITOR UNLIMITED TABLESPACE NO
DB_MONITOR CREATE SESSION NO
DB_MONITOR CREATE TRIGGER NO
10 rows selected
--用另一用户登录,并建立两张测试表
SQL> select * from user_users;
USERNAME USER_ID ACCOUNT_STATUS LOCK_DATE EXPIRY_DATE DEFAULT_TABLESPACE TEMPORARY_TABLESPACE CREATED INITIAL_RSRC_CONSUMER_GROUP EXTERNAL_NAME
------------------------------ ---------- -------------------------------- ----------- ----------- ------------------------------ ------------------------------ ----------- ------------------------------ --------------------------------------------------------------------------------
MREAD 31 OPEN TBS_MREAD_DAT
SQL> create table test123 ( num number);
Table created
--用db_monitor用户测试是否能够修改表
SQL> insert into mread.test123 values (1);
insert into mread.test123 values (1)
ORA-01031: 权限不足
SQL> drop table mread.test123;
drop table mread.test123
ORA-01031: 权限不足
--用sys用户为db_monitor用户赋权
SQL> grant IMP_FULL_DATABASE to db_monitor;
Grant succeeded.
--再使用db_monitor用户测试
SQL> insert into mread.test123 values (1);
1 row inserted
SQL> commit;
Commit complete
SQL> select * from mread.test123;
NUM
----------
1
SQL> delete mread.test123;
1 row deleted
SQL> drop table mread.test123;
Table droped.
--回收IMP权限,赋EXP权限
SQL> revoke IMP_FULL_DATABASE from db_monitor;
Revoke succeeded.
SQL>
SQL> grant EXP_FULL_DATABASE to db_monitor;
Grant succeeded.
SQL> insert into mread.test123 values (1);
insert into mread.test123 values (1)
ORA-01031: 权限不足
SQL> drop table mread.test123;
drop table mread.test123
ORA-01031: 权限不足
结论:IMP_FULL_DATABASE包含了数据库所有对象的读写权限,在多用户环境下需要谨慎授权
--检查版本
SQL> SELECT * FROM V$VERSION;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
PL/SQL Release 11.1.0.7.0 - Production
CORE 11.1.0.7.0 Production
TNS for Linux: Version 11.1.0.7.0 - Production
NLSRTL Version 11.1.0.7.0 - Production
--当前用户及权限
SQL> select * from user_users;
USERNAME USER_ID ACCOUNT_STATUS LOCK_DATE EXPIRY_DATE DEFAULT_TABLESPACE TEMPORARY_TABLESPACE CREATED INITIAL_RSRC_CONSUMER_GROUP EXTERNAL_NAME
------------------------------ ---------- -------------------------------- ----------- ----------- ------------------------------ ------------------------------ ----------- ------------------------------ --------------------------------------------------------------------------------
DB_MONITOR 38 OPEN TBS_SUPPORT TBS_SUPPORT_TEMP 2013/09/09 DEFAULT_CONSUMER_GROUP
SQL> SELECT * FROM USER_ROLE_PRIVS;
USERNAME GRANTED_ROLE ADMIN_OPTION DEFAULT_ROLE OS_GRANTED
------------------------------ ------------------------------ ------------ ------------ ----------
SQL> select * from user_sys_privs;
USERNAME PRIVILEGE ADMIN_OPTION
------------------------------ ---------------------------------------- ------------
DB_MONITOR ADMINISTER DATABASE TRIGGER NO
DB_MONITOR SELECT ANY DICTIONARY NO
DB_MONITOR CREATE TABLE NO
DB_MONITOR CREATE JOB NO
DB_MONITOR CREATE PROCEDURE NO
DB_MONITOR SELECT ANY TABLE NO
DB_MONITOR MANAGE SCHEDULER NO
DB_MONITOR UNLIMITED TABLESPACE NO
DB_MONITOR CREATE SESSION NO
DB_MONITOR CREATE TRIGGER NO
10 rows selected
--用另一用户登录,并建立两张测试表
SQL> select * from user_users;
USERNAME USER_ID ACCOUNT_STATUS LOCK_DATE EXPIRY_DATE DEFAULT_TABLESPACE TEMPORARY_TABLESPACE CREATED INITIAL_RSRC_CONSUMER_GROUP EXTERNAL_NAME
------------------------------ ---------- -------------------------------- ----------- ----------- ------------------------------ ------------------------------ ----------- ------------------------------ --------------------------------------------------------------------------------
MREAD 31 OPEN TBS_MREAD_DAT
SQL> create table test123 ( num number);
Table created
--用db_monitor用户测试是否能够修改表
SQL> insert into mread.test123 values (1);
insert into mread.test123 values (1)
ORA-01031: 权限不足
SQL> drop table mread.test123;
drop table mread.test123
ORA-01031: 权限不足
--用sys用户为db_monitor用户赋权
SQL> grant IMP_FULL_DATABASE to db_monitor;
Grant succeeded.
--再使用db_monitor用户测试
SQL> insert into mread.test123 values (1);
1 row inserted
SQL> commit;
Commit complete
SQL> select * from mread.test123;
NUM
----------
1
SQL> delete mread.test123;
1 row deleted
SQL> drop table mread.test123;
Table droped.
--回收IMP权限,赋EXP权限
SQL> revoke IMP_FULL_DATABASE from db_monitor;
Revoke succeeded.
SQL>
SQL> grant EXP_FULL_DATABASE to db_monitor;
Grant succeeded.
SQL> insert into mread.test123 values (1);
insert into mread.test123 values (1)
ORA-01031: 权限不足
SQL> drop table mread.test123;
drop table mread.test123
ORA-01031: 权限不足
结论:IMP_FULL_DATABASE包含了数据库所有对象的读写权限,在多用户环境下需要谨慎授权
来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/692830/viewspace-1218290/,如需转载,请注明出处,否则将追究法律责任。
转载于:http://blog.itpub.net/692830/viewspace-1218290/