Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US

dbms_java and file permissions

From: Brian Wisniewski <brian_wisniewski_at_yahoo.com>
Date: Tue, 05 Jun 2001 06:59:32 -0700
Message-ID: <F001.0031BF0B.20010605064110@fatcity.com>

8.1.7.1 on Solaris 7. I created a small java procedure to be able to call O/S commands from within the database (using Ask Tom's example). Works a little too well because I can't seem to restrict access to the oracle directories, which is obviously a major concern. Here is the list of privileges I granted/restricted to the owner of the java procedure.

KIND     GRANTE TYPE_ TYPE_NAME                   NAME                                 ACTION
-------- ------ ----- --------------------------- ------------------------------------ -------------------------
GRANT    TISSD  SYS   java.io.FilePermission      /export/home/oracle/bsw/scripts/java read
RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle                      read,write,execute,delete
RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/                     read,write,execute,delete
RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/*                    read,write,execute,delete
RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/-                    read,write,execute,delete
RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/test*                read,write,execute,delete
RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/testjunk.file        read,write,execute,delete
GRANT    TISSD  SYS   java.io.FilePermission      /usr/bin/*                           execute
GRANT    TISSD  SYS   java.lang.RuntimePermission *                                    writeFileDescriptor

9 rows selected.

As you can see I tried numerous ways to restrict access to /u20/app/oracle files and had very limited luck. Each time I added a new restriction I logged out of the tissd account and back in. On the flip side I had to grant access to /export/home/oracle/bsw/scripts/java to allow files to be read there. I don't understand why unlimited access is being allowed to the files which should be the most restricted. The tissd user was NOT granted DBA privs nor the JAVASYSPRIV or JAVAUSERPRIV roles. I've read the 8.1.7 Java Developers Guide Chapter 5 on security and haven't found the answer there either.

This worked, which I didn't think it should.

SQL> exec rc('/usr/bin/ls /u20/app/oracle');
admin
jre
oraInventory
oradata
oui
product
testfile.junk
Return code is 0

And this failed.

SQL> exec rc('/usr/bin/ls /u20/app/oracle/*');
Return code is 2

Doing an ls on the file failed.

SQL> exec rc('/usr/bin/ls /u20/app/oracle/testjunk.file');
Return code is 2

But moving it worked fine. AAUUUGGGHHH!!!

SQL> exec rc('/usr/bin/mv /u20/app/oracle/testjunk.file /u20/app/oracle/testfile.junk');
Return code is 0
 

Just your regular ol' IDIOT asking for HELP. 
 

Thanks - Brian
Received on Tue Jun 05 2001 - 08:59:32 CDT
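How the FilePermission targets in the table above are actually matched, as an added example that is not part of the original post or of Oracle's code: a small stand-alone Java program that asks each target shape from the post (a bare directory, dir/*, dir/- and a literal name containing an asterisk) whether it implies a concrete path, using the same java.io.FilePermission class that the dbms_java policy rows name. The nested file admin/init.ora and the action strings are constructed for illustration. The last check shows the only file permission Runtime.exec consults: execute on the command path itself. The spawned /usr/bin/ls or /usr/bin/mv then runs as the O/S user owning the database process, outside the JVM's permission model, so a FilePermission restriction on /u20/app/oracle is never consulted for files that the child process touches; the control point for such a procedure is what may be executed, not what Java may read.

```java
import java.io.FilePermission;

/*
 * Added example, not code from the original post. Demonstrates how
 * java.io.FilePermission targets are matched. Paths under /u20/app/oracle
 * are taken from the post; "admin/init.ora" is an assumed nested file.
 */
public class FilePermissionTargets {

    /* Does a permission on 'target' with 'actions' cover 'path' for 'action'? */
    static boolean covers(String target, String actions, String path, String action) {
        FilePermission granted = new FilePermission(target, actions);
        FilePermission requested = new FilePermission(path, action);
        return granted.implies(requested);
    }

    static void show(String label, boolean result) {
        System.out.printf("%-55s %s%n", label, result);
    }

    public static void main(String[] args) {
        String all = "read,write,execute,delete";          // action set used in the post
        String dir = "/u20/app/oracle";
        String child = "/u20/app/oracle/testjunk.file";      // direct child (from the post)
        String deep = "/u20/app/oracle/admin/init.ora";      // assumed nested file

        // A bare directory target names only that directory entry, nothing inside it.
        show("'/u20/app/oracle' covers the directory itself", covers(dir, all, dir, "read"));
        show("'/u20/app/oracle' covers a file inside it", covers(dir, all, child, "read"));

        // "dir/*" covers the directory's direct children only, not nested files.
        show("'/u20/app/oracle/*' covers direct child", covers(dir + "/*", all, child, "read"));
        show("'/u20/app/oracle/*' covers nested file", covers(dir + "/*", all, deep, "read"));

        // "dir/-" covers everything beneath the directory, recursively.
        show("'/u20/app/oracle/-' covers direct child", covers(dir + "/-", all, child, "read"));
        show("'/u20/app/oracle/-' covers nested file", covers(dir + "/-", all, deep, "read"));

        // '*' is only a wildcard when it is the whole last path element ("dir/*").
        // "/u20/app/oracle/test*" is a literal file name, so testjunk.file is not matched.
        show("'/u20/app/oracle/test*' covers testjunk.file", covers(dir + "/test*", all, child, "read"));

        // Runtime.exec checks exactly one file permission: execute on the command path.
        // Nothing the child process does afterwards is subject to these rules.
        show("'/usr/bin/*' execute covers /usr/bin/ls", covers("/usr/bin/*", "execute", "/usr/bin/ls", "execute"));
    }
}
```

Compile and run it with javac FilePermissionTargets.java followed by java FilePermissionTargets on any JDK; no database is needed, since the matching logic lives entirely in the FilePermission class.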
