Re: ansi outer join syntax in Oracle allows access to any data

From: Greg Williamson (gregat_private)
Date: Tue Apr 16 2002 - 23:15:10 PDT


    Tested as a user with some privs (but not DBA or SELECT ANY TABLE) as below
    
    SQL> select username, user_id, password from sys.dba_users;
    select username, user_id, password from sys.dba_users
                                                *
    ERROR at line 1:
    ORA-00942: table or view does not exist
    
    
    SQL> select * from v$version
      2  ;
    
    BANNER
    ----------------------------------------------------------------
    Oracle8i Enterprise Edition Release 8.1.6.3.0 - Production
    PL/SQL Release 8.1.6.3.0 - Production
    CORE    8.1.6.0.0       Production
    TNS for Solaris: Version 8.1.6.3.0 - Production
    NLSRTL Version 3.4.0.0.0 - Production
    
    SQL> 
     
    
    Not sure if ANSI syntax is required (not testable in 8.1.6) and I don't have
    a 9i DB to test it on.
    
    Greg.
    > ------------- Begin Forwarded Message -------------
    
    > The point is that I can see the dba_users view owned by SYS as a user
    > with only CREATE SESSION privilege. This is only possible because of the
    > bug in the ANSI outer join syntax. This bug allows access to any table
    > without any granted privileges to any user!
    > 
    > The example you show below doesn't show which user you are logged in as
    > or what privileges that user has. I assume it's a user that is either a
    > DBA or has select privileges on the catalog or SELECT ANY TABLE or
    > select explicitly on that view.
    > 
    > Try the exact SQL I showed and check for yourself that it doesn't work
    > in 8.1.6 but will work in 9.0.1
    > 
    > cheers
    > 
    > Pete
    > 
    
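Pete's point is that a test of this bug is only meaningful if the account's starting privileges are known. The following SQL*Plus script is an added example, not part of either message in the thread: it records the session user, the effective system privileges, the granted roles and any direct grant on DBA_USERS, then runs the plain (non-ANSI) control query that must fail with ORA-00942 on a low-privilege account before any comparison with the 9.0.1 behaviour is drawn. It uses only standard Oracle data-dictionary views (SESSION_PRIVS, USER_ROLE_PRIVS, USER_TAB_PRIVS) that every account can read about itself.

```sql
-- Added baseline check (not from the original thread): capture what the test
-- account actually holds so that a later read of a SYS-owned view can be
-- attributed to a bug rather than to an existing grant.

-- 1. Which user is this session running as?
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user
  FROM dual;

-- 2. System privileges in effect for this session (direct and via roles).
--    A minimal test account should show little beyond CREATE SESSION;
--    SELECT ANY TABLE here would invalidate the test.
SELECT privilege
  FROM session_privs
 ORDER BY privilege;

-- 3. Roles granted to the user. DBA or SELECT_CATALOG_ROLE would explain
--    catalog access on their own.
SELECT granted_role, default_role
  FROM user_role_privs
 ORDER BY granted_role;

-- 4. Direct object grants, in case SELECT on DBA_USERS was granted explicitly.
SELECT owner, table_name, privilege
  FROM user_tab_privs
 WHERE table_name = 'DBA_USERS';

-- 5. Control query in classic syntax. With the privileges expected of a
--    low-privilege account this must fail with ORA-00942, exactly as in the
--    8.1.6 output earlier in the thread; if it succeeds, the account is not a
--    valid baseline for the comparison.
SELECT username, user_id
  FROM sys.dba_users;
```

Run the five statements as the test account and keep the spooled output alongside any reproduction attempt; a reviewer can then see at a glance whether the account was genuinely limited to CREATE SESSION, which is the condition Pete's report depends on.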



    This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 11:16:43 PDT