Home -> Community -> Mailing Lists -> Oracle-L -> Re: executing unix commands from PL/SQL

Re: executing unix commands from PL/SQL

From: Brian Wisniewski <brian_wisniewski_at_yahoo.com>
Date: Mon, 12 Nov 2001 10:42:00 -0800
Message-ID: <F001.003C2A6A.20011112103135@fatcity.com>

Larry's link to asktom is where I got started; however, I made the mistake of telling the developers about this before I realized the implications and the major security hole.

This grants tissd privs to execute ksh scripts from within /gw/prodn/tissd/code/ksh/:

begin
        -- let TISSD run the ksh binary itself
        dbms_java.grant_permission ('TISSD',
                                    'java.io.FilePermission',
                                    '/usr/bin/ksh',
                                    'execute');
        -- ... and any file under the script directory (trailing "/-" = recursive)
        dbms_java.grant_permission ('TISSD',
                                    'java.io.FilePermission',
                                    '/gw/prodn/tissd/code/ksh/-',
                                    'execute');
        -- needed so the Java proc can write to the child process's descriptors
        dbms_java.grant_permission ('TISSD',
                                    'java.lang.RuntimePermission',
                                    '-',
                                    'writeFileDescriptor');
end;
/

Now your favorite developer is pissed about you not giving him dba
privs within the database so he's gonna mess with you by creating the
following shell script within the dir mentioned above.

#!/usr/bin/ksh

rm -rf /u01/app/oracle/*

Now, if he tried to execute this from the OS, it wouldn't allow him to
remove anything from /u01/, since he's not oracle or part of the dba
group.

However, he creates a simple java stored proc (see asktom) to call out
to the OS to execute this script.  When you call out to the OS from
within java guess who it is executing as ???  That's right - ORACLE! 
Hasta la vista database files.  I yelled at Oracle about this and they
were going to write up an informational note!  This is such a security
hazard, at least within 8.1.7 (I doubt it is changed in 9i), that it
isn't even funny what someone could do.

Be careful what you grant to whom! 

I think execute on /usr/bin/ls is ok but other than that... 

- Brian

--- John Dunn <john.dunn_at_sefas.co.uk> wrote:
> Is there any way to do this other than external procedures or
> DBMS_PIPE?
> 
> Like using java?
> 
> Anyone got a very simple java example? (For someone unfamiliar with
> java in stored procedures.)
> 
> John
> -- 
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> -- 
> Author: John Dunn
>   INET: john.dunn_at_sefas.co.uk
> 
> Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
> San Diego, California        -- Public Internet access / Mailing
> Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from).  You may
> also send the HELP command for other information (like subscribing).



-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Brian Wisniewski
  INET: brian_wisniewski_at_yahoo.com
Received on Mon Nov 12 2001 - 12:42:00 CST
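An added example, not part of Brian's message and not the asktom code he refers to: the defensive side of what he describes. The first statement lists every Java policy grant that lets a schema execute OS files or reach a child process's file descriptors (the two permission types in his block), flagging wildcard targets such as the trailing "/-" form. The second block takes the directory-wide grant away and adds a RESTRICT entry so that a later broad grant still cannot cover the ksh binary. It assumes the standard DBA_JAVA_POLICY view and the DBMS_JAVA package as shipped with 8.1.7 and later, that REVOKE_PERMISSION is called with the same four arguments as the original grant, and that it is run from a DBA account; the schema name TISSD and the path are the ones from the post.

```sql
-- Added example (not from the post or from Oracle): audit, then revoke,
-- Java policy grants that let a schema run OS commands as the oracle user.
-- Assumes the standard DBA_JAVA_POLICY view and DBMS_JAVA package.

-- 1. Who can execute files or touch file descriptors from Java?
--    The grant in the post stores 'writeFileDescriptor' as the action, the
--    Oracle docs' form stores it as the name, so both columns are checked.
SELECT grantee,
       type_name,
       name,
       action,
       enabled,
       seq,
       CASE
         WHEN name IN ('*', '-', '<<ALL FILES>>')
           OR name LIKE '%/-'
           OR name LIKE '%/*' THEN 'WILDCARD'
         ELSE 'single target'
       END AS scope
  FROM dba_java_policy
 WHERE kind = 'GRANT'
   AND (   (type_name = 'java.io.FilePermission'
            AND action LIKE '%execute%')
        OR (type_name = 'java.lang.RuntimePermission'
            AND (name LIKE '%FileDescriptor'
                 OR action LIKE '%FileDescriptor')))
 ORDER BY grantee, type_name, name;

-- 2. Remove the recursive directory grant and the descriptor grant from the
--    post (arguments must match the original grant), then restrict TISSD so
--    that even a future '<<ALL FILES>>' execute grant does not reach ksh.
--    RESTRICT entries in the policy table override matching GRANT entries.
BEGIN
  dbms_java.revoke_permission('TISSD', 'java.io.FilePermission',
                              '/gw/prodn/tissd/code/ksh/-', 'execute');
  dbms_java.revoke_permission('TISSD', 'java.lang.RuntimePermission',
                              '-', 'writeFileDescriptor');
  dbms_java.restrict_permission('TISSD', 'java.io.FilePermission',
                                '/usr/bin/ksh', 'execute');
END;
/
```

Re-run the first query after the block to confirm the TISSD rows are gone or show as DISABLED; anything left with scope = 'WILDCARD' is a grant that lets that schema run arbitrary files as the database's OS owner, which is exactly the hole the post describes.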