A procedure is created in the SYS schema to allow users to change the password as follows:
CREATE OR REPLACE
PROCEDURE change_password(p_username VARCHAR2 DEFAULT NULL,
p_new_password VARCHAR2 DEFAULT NULL)
IS
v_sql_stmt VARCHAR2(500);
BEGIN
v_sql_stmt := ‘ALTER USER ‘||p_username ||’ IDENTIFIED BY ‘
|| p_new_password;
EXECUTE IMMEDIATE v_sql_stmt;
END change_password;
The SYS user has granted EXECUTE privilege on the procedure to the OE user. But OE is able
to change the password for SYS by using this procedure. How would you protect this?
A.
by using the procedure as part of a PL/SQL package
B.
by using a bind argument with dynamic SQL in the procedure
C.
by using AUTHID DEFINER in the procedure to implement the definer’s right
D.
by using AUTHID CURRENT_USER in the procedure to implement the invoker’s right
Is D really correct ?
By description – Administrator created procedure to let ‘users to change the password’. There isn’t any information ‘their password’ but password in general.
So defining procedure as ‘AUTHID CURRENT_USER’ denies ex. user to change password for SCOTT, and because of that it changes how function works!
Furthermore if this procedure IS designed for user change only it’s own password and ‘
AUTHID CURRENT_USER’ is correct answer, then why user parameter ‘p_username’ and not use ‘USER’ function ex.
‘ALTER USER ‘|| USER ||’ IDENTIFIED BY ‘ || p_new_password
This would be the best solution.
D