Home -> Community -> Mailing Lists -> Oracle-L -> Re: dbms_java and file permissions

Re: dbms_java and file permissions

From: Jared Still <jkstill_at_cybcon.com>
Date: Tue, 05 Jun 2001 18:12:36 -0700
Message-ID: <F001.0031D374.20010605180522@fatcity.com>

Brian,

I've still got a lot to learn about Java, but I'll take a stab at this.

First off, what query did you use to produce the output below?

Do external processes run via Java run as Oracle? I'm guessing that they do, but I could be wrong, and don't have time to test this right now.

If so, this will likely put a limit on your abilities to restrict access to directories owned by Oracle.

Hope some of this helps.

Jared

On Tuesday 05 June 2001 07:41, Brian Wisniewski wrote:
> 8.1.7.1 on Solaris 7
>
> I created a small java procedure to be able to call O/S commands from
> within the database (using Ask Tom's example). Works a little too well
> because I can't seem to restrict access to the oracle directories which is
> obviously a major concern.
>
> Here are the list of privileges I granted/restricted to the owner of the
> java procedure.
>
> KIND     GRANTEE TYPE_SCHEMA TYPE_NAME                   NAME                                 ACTION
> -------- ------- ----------- --------------------------- ------------------------------------ -------------------------
> GRANT    TISSD   SYS         java.io.FilePermission      /export/home/oracle/bsw/scripts/java read
> RESTRICT TISSD   SYS         java.io.FilePermission      /u20/app/oracle                      read,write,execute,delete
> RESTRICT TISSD   SYS         java.io.FilePermission      /u20/app/oracle/                     read,write,execute,delete
> RESTRICT TISSD   SYS         java.io.FilePermission      /u20/app/oracle/*                    read,write,execute,delete
> RESTRICT TISSD   SYS         java.io.FilePermission      /u20/app/oracle/-                    read,write,execute,delete
> RESTRICT TISSD   SYS         java.io.FilePermission      /u20/app/oracle/test*                read,write,execute,delete
> RESTRICT TISSD   SYS         java.io.FilePermission      /u20/app/oracle/testjunk.file        read,write,execute,delete
> GRANT    TISSD   SYS         java.io.FilePermission      /usr/bin/*                           execute
> GRANT    TISSD   SYS         java.lang.RuntimePermission *                                    writeFileDescriptor
>
> 9 rows selected.
>
> As you can see I tried numerous ways to restrict access to /u20/app/oracle
> files and had very limited luck. Each time I added a new restriction I
> logged out of the tissd account and back in. On the flip side I had to
> grant access to /export/home/oracle/bsw/scripts/java to allow files to be
> read there. I don't understand why unlimited access is being allowed to
> the files which should be the most restricted. The tissd user was NOT
> granted DBA privs nor the JAVASYSPRIV or JAVAUSERPRIV roles. I've read the
> 8.1.7 Java Developers Guide Chapter 5 on security and haven't found the
> answer there either.
>
> This worked, which I didn't think it should.
>
> SQL> exec rc('/usr/bin/ls /u20/app/oracle');
> admin
> jre
> oraInventory
> oradata
> oui
> product
> testfile.junk
> Return code is 0
>
> And this failed.
>
> SQL> exec rc('/usr/bin/ls /u20/app/oracle/*');
> Return code is 2
>
> Doing an ls on the file failed
>
> SQL> exec rc('/usr/bin/ls /u20/app/oracle/testjunk.file');
> Return code is 2
>
> But moving it worked fine. AAUUUGGGHHH!!!
>
> SQL> exec rc('/usr/bin/mv /u20/app/oracle/testjunk.file /u20/app/oracle/testfile.junk');
> Return code is 0
>
> Just your regular ol' IDIOT asking for HELP.
>
> Thanks - Brian
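Worked example, added here and not code from the thread, from Ask Tom or from Oracle: a stand-alone Java program that installs a SecurityManager enforcing java.io.FilePermission rows shaped like the RESTRICT entries above, then compares a java.io directory listing (refused by the JVM) with the same listing through a spawned /usr/bin/ls, which is only checked for "execute" on the program path before the child runs as the JVM's OS user, the way a command spawned from a Java stored procedure runs as the oracle OS account. The temporary directory, file name and class names are constructed for the demo; the in-database JVM's policy is managed with DBMS_JAVA rather than System.setSecurityManager, but the permission class it checks is the same java.io.FilePermission shown in the TYPE_NAME column.

```java
import java.io.*;
import java.nio.file.Files;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

/* Stand-alone probe of the JVM mechanism behind the thread's RESTRICT rows.
 * FilePermission is checked on java.io calls, and on exec only for "execute"
 * on the program path; the child then runs as the JVM's OS user, unchecked.
 * JDK 17 or older; JDK 18-23 need -Djava.security.manager=allow; gone in 24. */
public class ExecSandboxProbe {
    /* Refuse any FilePermission that a restriction row implies; allow all else. */
    static final class RestrictingManager extends SecurityManager {
        private final PermissionCollection restricted = new Permissions();
        RestrictingManager(FilePermission... rows) {
            for (FilePermission r : rows) restricted.add(r);
        }
        @Override public void checkPermission(Permission p) {
            if (p instanceof FilePermission && restricted.implies(p))
                throw new SecurityException("restricted: " + p);
        }
        @Override public void checkPermission(Permission p, Object ctx) { checkPermission(p); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for /u20/app/oracle, holding one file.
        File dir = Files.createTempDirectory("oracle-home").toFile();
        new File(dir, "testjunk.file").createNewFile();
        String tree = dir.getPath();
        // Rows shaped like the thread's RESTRICT entries for the tree and its contents.
        System.setSecurityManager(new RestrictingManager(
            new FilePermission(tree, "read,write,execute,delete"),
            new FilePermission(tree + "/-", "read,write,execute,delete")));

        // 1. A java.io listing goes through checkRead and is refused.
        try {
            new File(tree).list();
            System.out.println("java.io listing allowed (unexpected)");
        } catch (SecurityException e) {
            System.out.println("java.io listing refused: " + e.getMessage());
        }
        // 2. Only execute on /usr/bin/ls is checked before the spawn; ls then runs as the OS user.
        Process p = new ProcessBuilder("/usr/bin/ls", tree).start();
        BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
        for (String line; (line = r.readLine()) != null; )
            System.out.println("ls via exec: " + line);
        System.out.println("Return code is " + p.waitFor());
    }
}
```

The practical consequence for the policy above is that no FilePermission row on /u20/app/oracle can constrain what a spawned process does there; only the execute grant on /usr/bin/* decides whether the spawn happens at all.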


Received on Tue Jun 05 2001 - 20:12:36 CDT
