Security Issues with Invoking O/S Commands from PL/SQL via External
On metalink there is an example of a C program which can be compiled as a
shared object to allow the invoking of any OS command from PL/SQL. The use
of this capability puts one in a bittersweet situation. Sweet because
invoking such commands allows one to do things heretofore impossible; bitter
because someone could issue "cd / rm -rf *" - a command which might make
you and Bill Law the best of friends.
Nevertheless, a generic "shell.so" file, I believe, can be used safely under the following conditions: the external procedure listener is not run under oracle, but under a non-privileged account such as nobody; no one is granted execute permissions on the library associated with the shared object; no one is given create library privileges; the procedures which actually communicate with the shared object are placed in a package to which no one is granted privileges; a package containing procedures, one for each allowable OS command, is created with the commands specified with their complete paths. It is to this last package execute permissions are given.
Anyone see any holes? The idea is to allow users to invoke only those OS commands specified in the last package mentioned above.
Ian MacGregor
Stanford Linear Accelerator Center
ian_at_slac.stanford.edu
Received on Thu Jun 22 2000 - 14:07:20 CDT
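
The layering described in the post above, sketched in PL/SQL as an added example (not code from the post or from the Metalink note). The object names, file paths, the role, and the C symbol `sh` with its integer return are all assumptions, and `REGEXP_LIKE` needs a release newer than the one current when the post was written.

```sql
-- Added example, not from the original post. Object names, paths and the C
-- symbol "sh" are assumptions. Run as the one schema that owns the library.
CREATE OR REPLACE LIBRARY shell_lib AS '/opt/extproc/lib/shell.so';
/
-- Private package: the only PL/SQL that reaches the shared object.
-- No EXECUTE grant is ever issued on it or on shell_lib.
CREATE OR REPLACE PACKAGE shell_priv AS
  FUNCTION run(cmd IN VARCHAR2) RETURN BINARY_INTEGER;
END shell_priv;
/
CREATE OR REPLACE PACKAGE BODY shell_priv AS
  FUNCTION run(cmd IN VARCHAR2) RETURN BINARY_INTEGER
    AS LANGUAGE C LIBRARY shell_lib NAME "sh"
    PARAMETERS (cmd STRING, RETURN INT);
END shell_priv;
/
-- Public package: one subprogram per permitted command, full paths only.
-- Default definer's rights let callers reach shell_priv through it.
CREATE OR REPLACE PACKAGE os_cmds AS
  FUNCTION disk_free RETURN BINARY_INTEGER;
  FUNCTION compress_export(file_name IN VARCHAR2) RETURN BINARY_INTEGER;
END os_cmds;
/
CREATE OR REPLACE PACKAGE BODY os_cmds AS
  FUNCTION disk_free RETURN BINARY_INTEGER IS
  BEGIN
    RETURN shell_priv.run('/usr/bin/df -k');  -- fixed string, no caller input
  END disk_free;

  FUNCTION compress_export(file_name IN VARCHAR2) RETURN BINARY_INTEGER IS
  BEGIN
    -- Caller input ends up on a command line, so accept only a bare file
    -- name: letters, digits, underscore, then ".dmp". A NULL makes
    -- REGEXP_LIKE return NULL, hence the explicit IS NULL test.
    IF file_name IS NULL
       OR LENGTH(file_name) > 64
       OR NOT REGEXP_LIKE(file_name, '^[A-Za-z0-9_]+\.dmp$') THEN
      RAISE_APPLICATION_ERROR(-20001, 'file name rejected');
    END IF;
    RETURN shell_priv.run('/usr/bin/gzip /u01/exports/' || file_name);
  END compress_export;
END os_cmds;
/
-- The only grant in the design; app_ops is a hypothetical role.
GRANT EXECUTE ON os_cmds TO app_ops;
```

Running the external procedure listener under a non-privileged account is configured outside the database and is not shown here.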