No question at this time
DBA Top 10
1 M. Cadot 11600
2 B. Vroman 6400
3 A. Kavsek 6000
4 P. Wisse 3400
5 J. Schnackenberg 3200
6 J. Péran 1800
7 T. Boles 600
8 Z. Hudec 400
8 G. Lambregts 400
8 N. Havard 400
8 F. Pachot 400
8 D. Dave 400
About
DBA-Village
The DBA-Village forum
Forum as RSS
as RSS feed
Site Statistics
Ever registered users48560
Total active users1401
Act. users last 24h3
Act. users last hour0
Registered user hits last week152
Registered user hits last month875
Go up

Migration 11.2.0.3 to 11.2.0.4 -> privilege lost?
Next thread: Rman full DB recovery without recovery catalog
Prev thread: Oracle Database Cross Platform Migration from 9i to 11g

Message Score Author Date
Hello, I realize that I can't select from SYS.HIS...... Bruno Vroman May 13, 2014, 11:12
Just to be sure, no ORA-00600 in alert.log? If ...... Michel Cadot May 13, 2014, 12:01
Hi Bruno, I can confirm this "change" on freshl...... Score: 300 PtsScore: 300 PtsScore: 300 PtsScore: 300 PtsScore: 300 Pts Ales Kavsek May 13, 2014, 12:12
Thank you Michel. No, no message in alert log. ...... Bruno Vroman May 13, 2014, 12:12

Follow up by mail Click here


Subject: Migration 11.2.0.3 to 11.2.0.4 -> privilege lost?
Author: Bruno Vroman, Belgium
Date: May 13, 2014, 11:12, 2391 days ago
Os info: Sun Sparv 5.10
Oracle info: 11.2.0.4
Error info: ORA-01031 Insufficient privileges
Message: Hello,
I realize that I can't select from SYS.HIST_HEAD$ anymore in the databases that have been upgraded from 11.2.0.3 to 11.2.0.4, and things are OK in 11.2.0.3 databases so I guess that this is linked.
I can't find the origin of the issue.

In both databases I use the same account SYSTEM and I see the same privileges:

SELECT * FROM dba_tab_privs WHERE table_name = 'HIST_HEAD$';
no rows selected.

SELECT privilege FROM session_privs WHERE privilege LIKE 'SELECT ANY%';
PRIVILEGE
----------------------------------------
SELECT ANY TABLE
SELECT ANY SEQUENCE
SELECT ANY DICTIONARY
SELECT ANY TRANSACTION
SELECT ANY MINING MODEL
SELECT ANY CUBE DIMENSION
SELECT ANY CUBE

SELECT * FROM sys.hist_head$ WHERE 1 = 2;
 in 11.2.0.4
  ORA-01031: insufficient privileges
  (if I "grant select on sys.hist_head$ to system" things are OK but this is not what I want)
 in 11.2.0.3
  no rows selected (=expected result: I can "see" the table)

Maybe one of you can help me to find the root cause?

Thanks and best regards,

Bruno Vroman.
Goto: Reply - Top of page 
If you think this item violates copyrights, please click here

Subject: Re: Migration 11.2.0.3 to 11.2.0.4 -> privilege lost?
Author: Michel Cadot, France
Date: May 13, 2014, 12:01, 2391 days ago
Message:
Just to be sure, no ORA-00600 in alert.log?
If you grant SELECT_CATALOG_ROLE does it work? (I have no 11.2.0.4 to verify.)

Regards
Michel
Your rating?: This reply is Good Excellent
Goto: Reply - Top of page 
If you think this item violates copyrights, please click here

Subject: Re: Migration 11.2.0.3 to 11.2.0.4 -> privilege lost?
Author: Ales Kavsek, Slovenia
Date: May 13, 2014, 12:12, 2391 days ago
Score:   Score: 300 PtsScore: 300 PtsScore: 300 PtsScore: 300 PtsScore: 300 Pts
Message: Hi Bruno,

I can confirm this "change" on freshly patched 11.2.0.4 (from 11.2.0.3) system. As far as I can tell the only "workaround" is to give a direct grant to a user -- I know this is something you don't like, but that's the way it works apparently...

Regards,
Ales
Your rating?: This reply is Good Excellent
Goto: Reply - Top of page 
If you think this item violates copyrights, please click here

Subject: Re: Migration 11.2.0.3 to 11.2.0.4 -> privilege lost?
Author: Bruno Vroman, Belgium
Date: May 13, 2014, 12:12, 2391 days ago
Message: Thank you Michel.

No, no message in alert log.

I forgot some details: on top of 11.2.0.4 we have applied the latest PSU (April 2014) (patch 18031668).
Our current idea is that this one fixes a security bug (that can be exploited by users having "SELECT ANY DICTIONARY"); maybe the "fix" is a bit brutal... I think that I'll open a SR (if I do it, I'll update this post with the outcome)

Granting SELECT_CATALOG_ROLE doesn't help (and BTW, SELECT FROM user_role_privs shows that DBA role is active in my session)

Thanks and best regards,

Bruno.
Your rating?: This reply is Good Excellent
Goto: Reply - Top of page 
If you think this item violates copyrights, please click here