How would you protect this?

A procedure is created in the SYS schema to allow users to change the password as follows:
CREATE OR REPLACE
PROCEDURE change_password(p_username VARCHAR2 DEFAULT NULL,
p_new_password VARCHAR2 DEFAULT NULL)
IS
v_sql_stmt VARCHAR2(500);
BEGIN
v_sql_stmt := 'ALTER USER '||p_username ||' IDENTIFIED BY '
|| p_new_password;
EXECUTE IMMEDIATE v_sql_stmt;
END change_password;
The SYS user has granted EXECUTE privilege on the procedure to the OE user. But OE is able
to change the password for SYS by using this procedure. How would you protect this?

A.
by using the procedure as part of a PL/SQL package

B.
by using a bind argument with dynamic SQL in the procedure

C.
by using AUTHID DEFINER in the procedure to implement the definer’s right

D.
by using AUTHID CURRENT_USER in the procedure to implement the invoker’s right


