6 Replies. Latest reply: May 9, 2014 9:32 AM by Paul M.

    Able to create objects to another schema without necessary privileges

    user12025210

      Hi,

       

      I have installed Oracle Database Express Edition 11.2.0.2.
      I have created a custom user/schema for some testing called CAR. It has the connect and dba roles.
      Connected as CAR, I tried to create a function (through Toad). The schema was not explicitly specified in the create function statement, and strangely the function got created in the SYS schema!

       

      Then I tried a new test case:
      I created a new user TEST with roles connect and resource.
      With this user the symptom was the same. When the create function statement did not explicitly specify a schema, the function was created in the SYS schema.
      Moreover, still connected as TEST, I tried to explicitly specify schema CAR in the create function statement, and the function got created in schema CAR.
      This happened although, with only the resource role, the TEST user did not have sufficient privileges to create objects in other schemas.
      No errors.

       

      Usually I use "real" databases, not Express Edition, so I am not sure whether this is normal behaviour because of some Express Edition limitations and restrictions, or whether it is a very nasty security bug?

       

      Thanks,

      krt
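
The second test case from the post, written out as a SQL*Plus script with checks on which account and privileges the session really has before the function is created. This is an added example, not the poster's code: the password, the function name F_OWNER_CHECK and the use of SQL*Plus instead of Toad are assumptions.

```sql
-- Added example. Run the first part as a DBA account on a test instance.
-- The password and the function name are placeholders chosen for illustration.
CREATE USER test IDENTIFIED BY "Placeholder_Pw_1";
GRANT connect, resource TO test;

-- What the data dictionary says TEST has been granted.
SELECT granted_role FROM dba_role_privs WHERE grantee = 'TEST';
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'TEST';

-- Reconnect as TEST (SQL*Plus prompts for the password).
CONNECT test

-- Identity check: the account the session authenticated as, the schema
-- that unqualified object names resolve to, and the client program.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema,
       SYS_CONTEXT('USERENV', 'MODULE')         AS client_module
FROM   dual;

-- Roles and cross-schema privileges active in this session.
SELECT role FROM session_roles;
SELECT privilege
FROM   session_privs
WHERE  privilege LIKE 'CREATE ANY%'
   OR  privilege IN ('SYSDBA', 'SYSOPER');

-- The statement from the post: no schema prefix on the function name.
CREATE OR REPLACE FUNCTION f_owner_check RETURN NUMBER IS
BEGIN
  RETURN 1;
END;
/

-- Where did it land? OWNER is the schema that now holds the function.
SELECT owner, object_name, object_type, created
FROM   all_objects
WHERE  object_name = 'F_OWNER_CHECK';

-- Cleanup (as a DBA account): DROP USER test CASCADE;
```

Comparing SESSION_USER and CURRENT_SCHEMA with the OWNER column shows whether the object followed the session's real identity or ended up somewhere the session's privileges do not explain.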