| Document Type | Technical Information |
|---|---|
| Field | Security |
| Applicable Product Versions | Tibero6, Tibero7 |
| Document Number | TSETI020 |
Overview
| Category | Check Item | Importance | Code |
|---|---|---|---|
| Option Management | Adjust so that the Role of application or DBA accounts is not set to Public | High | D-08 |
| Option Management | Set OS ROLES, REMOTE_OS_AUTHENTICATION, REMOTE_OS_ROLES to FALSE | High | D-09 |
| Option Management | Password verification function configured and applied | Medium | D-19 |
| Option Management | Restriction on unauthorized Object Owner | Low | D-20 |
| Option Management | Restriction on Unauthorized Use of GRANT OPTION | Medium | D-21 |
| Option Management | Set database resource limitation feature to TRUE | Low | D-22 |
This document describes the security vulnerability mitigation measures for the "Option Management - Restriction on Unauthorized Use of GRANT OPTION (D-21)" item.
Check Contents and Purpose
- Check whether the Grant Option is granted to general users by Role.
- If the Grant Option is not granted by Role to general users, revoke the privilege.
Check Judgment Criteria
| Criteria | Content |
|---|---|
| Good | WITH_GRANT_OPTION is set by ROLE |
| Vulnerable | WITH_GRANT_OPTION is not set by ROLE |
Precautions Before Action
Check Basic Account List
The basic accounts created during Tibero installation are as follows. Additional or removed accounts may exist depending on the DB version.
| Account Name | Password | Remarks |
|---|---|---|
| SYS | tibero | Account cannot be deleted; DBA privileges required |
| SYSCAT | syscat | Account cannot be deleted |
| SYSGIS | sysgis | Account cannot be deleted |
| OUTLN | outln | Account cannot be deleted |
| TIBERO | tmax | Account can be deleted |
| TIBERO1 | tmax | Account can be deleted; does not exist from T7 version onwards |
| SYSBACKUP | tibero | Account cannot be deleted; exists in some T6FS07 versions (patch 301647 available) and from T7 version onwards |
| LBACSYS | lbacsys | Account cannot be deleted; exists from T7 version onwards |
Check Connected Systems
It is necessary to verify the DB accounts used in connected systems beforehand.
Method
Configuration
- Check whether WITH_GRANT_OPTION is granted before work
```sql
select grantee || ':' || owner || '.' || table_name
from dba_tab_privs
where grantable='YES'
and owner not in ('SYS', 'MDSYS', 'ORDPLUGINS', 'ORDSYS', 'SYSTEM', 'WMSYS', 'SDB',
'LBACSYS', 'ANONYMOUS', 'APEX_050100', 'APEX_PUBLIC_USER', 'APPQOSSYS',
'AUDSYS', 'CTXSYS', 'DBSFWUSER', 'DBSNMP', 'DIP', 'DVSYS', 'DVF',
'FLOWS_FILES', 'GGSYS', 'GSMADMIN_INTERNAL', 'GSMCATUSER', 'GSMUSER',
'MDDATA', 'OUTLN', 'ORACLE_OCM', 'REMOTE_SCHEDULER_AGENT', 'SYSBACKUP',
'SYSKM', 'SYSDG', 'SYSRAC', 'SYS$UMF', 'XDB', 'XS$NULL')
and grantee not in (select grantee from dba_role_privs where granted_role='DBA')
order by grantee;
```

```
grantee || ':' || owner || '.' || table_name
----------------------------------------
TEST_GRANTEE:TEST_OWNER.SAMPLE_TABLE

1 row selected.
```

Reference
If the result "LBACSYS:SYSCAT.DBA_ROLE_PRIVS" appears during the query, patch 285784 needs to be applied.
Please apply the patch through technical support provided by Tmax Tibero.
- Temporary workaround
```sql
-- 1. Revoke the privilege that was granted WITH GRANT OPTION
revoke select on dba_role_privs from lbacsys;
-- 2. Re-grant the SELECT privilege only
grant select on dba_role_privs to lbacsys;
```
- Revoke Privileges
```sql
-- 1. Fully revoke granted privileges (including propagation privileges)
REVOKE [PRIVILEGE] ON [OWNER].[TABLE_NAME] FROM [USERNAME];
-- ex) REVOKE SELECT ON TEST_OWNER.SAMPLE_TABLE FROM TEST_GRANTEE;
-- 2. If necessary, grant general privileges again (excluding WITH GRANT OPTION)
GRANT [PRIVILEGE] ON [OWNER].[TABLE_NAME] TO [USERNAME];
-- ex) GRANT SELECT ON TEST_OWNER.SAMPLE_TABLE TO TEST_GRANTEE;
```
- Check whether WITH_GRANT_OPTION is granted after work
```sql
set pages 999
set lines 400
col grantee for a20
col owner for a20
col table_name for a30
col grantor for a20
col privilege for a20
col grantable for a30
select * from dba_tab_privs where GRANTEE not in ('PUBLIC','SYS','SYSCAT','SYSGIS','OUTLN','SYSBACKUP','LBACSYS','HS_ADMIN_ROLE','SELECT_CATALOG_ROLE');
```

```
0 row selected.
```
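As an added example (not part of the Tibero document), the two queries below generate the full remediation script for every grantable object privilege held by a non-DBA grantee, and first list the grants such a grantee has itself passed on, since those depend on the GRANT OPTION being removed. It assumes only the DBA_TAB_PRIVS and DBA_ROLE_PRIVS columns already used on this page; the owner exclusion list is the page's list of basic accounts and should be extended to match the site's schema list.

```sql
-- Added example, not from the original document.
-- Step 1: privileges that affected grantees have passed on to others.
-- In DBA_TAB_PRIVS, GRANTOR = the account that issued the GRANT, so any row
-- whose grantor currently holds a grantable privilege must be reviewed before
-- that grantor's WITH GRANT OPTION is revoked.
select p.grantor, p.grantee, p.owner, p.table_name, p.privilege, p.grantable
  from dba_tab_privs p
 where p.grantor in (select grantee
                       from dba_tab_privs
                      where grantable = 'YES')
   and p.grantor not in (select grantee
                           from dba_role_privs
                          where granted_role = 'DBA')
 order by p.grantor, p.grantee, p.owner, p.table_name;

-- Step 2: remediation script. For each grantable privilege emit a full REVOKE
-- (seq 1) followed by a plain re-GRANT without GRANT OPTION (seq 2). Drop the
-- GRANT line for any row where the privilege itself is no longer required.
select seq, stmt
  from (
        select 1 as seq, grantee, owner, table_name, privilege,
               'REVOKE ' || privilege || ' ON ' || owner || '.' || table_name
               || ' FROM ' || grantee || ';' as stmt
          from dba_tab_privs
         where grantable = 'YES'
           and owner not in ('SYS', 'SYSCAT', 'SYSGIS', 'OUTLN',
                             'SYSBACKUP', 'LBACSYS')
           and grantee not in (select grantee
                                 from dba_role_privs
                                where granted_role = 'DBA')
        union all
        select 2 as seq, grantee, owner, table_name, privilege,
               'GRANT ' || privilege || ' ON ' || owner || '.' || table_name
               || ' TO ' || grantee || ';' as stmt
          from dba_tab_privs
         where grantable = 'YES'
           and owner not in ('SYS', 'SYSCAT', 'SYSGIS', 'OUTLN',
                             'SYSBACKUP', 'LBACSYS')
           and grantee not in (select grantee
                                 from dba_role_privs
                                where granted_role = 'DBA')
       )
 order by grantee, owner, table_name, privilege, seq;
```

For the row shown earlier on this page the script output is the REVOKE and GRANT pair for TEST_GRANTEE on TEST_OWNER.SAMPLE_TABLE; re-running the page's "after work" query confirms no GRANTABLE = 'YES' rows remain.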
Restore
- Grant WITH_GRANT_OPTION privilege
```sql
GRANT [PRIVILEGE] ON [OWNER].[TABLE_NAME] TO [USERNAME] WITH GRANT OPTION;
-- ex) GRANT SELECT ON TEST_OWNER.SAMPLE_TABLE TO TEST_GRANTEE WITH GRANT OPTION;
```