0

If you have three servers [[1],[2],[3]] that are linked in sequence via database links ([1] -> [2], [2] -> [3]), is it possible to "daisy chain" queries so that a user logged into [1] could read (or worse delete from) tables in [3]? Something like...

SELECT * FROM DBA_TABLES@2@3;

?

I am a user on database where the dba has set up public links between these databases and I am trying to figure out exactly the extent of how bad this. I already know that I have elevated privileges on 2, but I am concerns that the links on [2] to [3] could be exploited further.

Thanks for the input.

Fjallraven
  • 13
  • 4
  • 1
    You can't do something like `@2@3`. You could create synonyms/ views/ etc. on 2 that reference objects on 3 and then manipulate those over the database link to 2. Doing DDL over the database link is a bit of a pain but possible (assuming that the user on 2 has appropriate privileges). – Justin Cave Jun 30 '16 at 17:26
  • 1
    Yes, you could do synonyms. See http://stackoverflow.com/questions/2989926/can-i-chain-database-links-in-oracle – topshot Jun 30 '16 at 17:28

1 Answers1

0

From db[1] you could invoke the DBMS_SQL package on db[2] that could run a dynamic SQL statement that references db[3].

declare
 v_cursor  NUMBER;
 v_ind      number;
begin
 v_cursor := dbms_sql.open_cursor@db2;
 dbms_sql.parse@db2(v_cursor, 'delete from tbl@db3', dbms_sql.native);
 v_ind := dbms_sql.execute@db2( v_cursor );
end;
/

Otherwise you'd need objects in db2 that mask the link to db3.

Gary Myers
  • 34,963
  • 3
  • 49
  • 74