RE: executing unix commands from PL/SQL

Brian,

And this really a problem that people run into with many of the methods for accessing the OS from within PL/SQL. Great care needs to be taken to ensure damage can't be done. Just like with UTL_FILE and someone simply setting the utl_file_dir parameter to * -- a developer could overwrite and damage *many* things.

I hope you are able to keep things under control and apologize if this has lead to problems.

Regards,

Larry G. Elkins
elkinsl_at_flash.net
214.954.1781

> -----Original Message-----
> From: root_at_fatcity.com [mailto:root_at_fatcity.com]On Behalf Of Brian
> Wisniewski
> Sent: Monday, November 12, 2001 12:32 PM
> To: Multiple recipients of list ORACLE-L
> Subject: Re: executing unix commands from PL/SQL
>
>
> Larry's link to asktom is where I got started however I made the
> mistake of telling the developers about this before I realized the
> implications and major security hole.
>
> This grants tissd privs to execute ksh scripts from within
> /gw/prodn/tissd/code/ksh/
>
> begin
> dbms_java.grant_permission
> ('TISSD',
> 'java.io.FilePermission',
> '/usr/bin/ksh',
> 'execute');
> --
> dbms_java.grant_permission
> ('TISSD',
> 'java.io.FilePermission',
> '/gw/prodn/tissd/code/ksh/-',
> 'execute');
> --
> dbms_java.grant_permission
> ('TISSD',
> 'java.lang.RuntimePermission',
> '-',
> 'writeFileDescriptor');
> --
> end;
> /
>
> Now your favorite developer is pissed about you not giving him dba
> privs within the database so he's gonna mess with you by creating the
> following shell script within the dir mentioned above.
>
> #!/usr/bin/ksh
>
> rm -rf /u01/app/oracle/*
>
> Now if he tried to execute this from the OS it wouldn't allow him to
> remove anything from /u01/ since he's not oracle or part of the dba
> group.
>
> However, he creates a simple java stored proc (see asktom) to call out
> to the OS to execute this script. When you call out to the OS from
> within java guess who it is executing as ??? That's right - ORACLE!
> Hasta la vista database files. I yelled at Oracle about this and they
> were going to write up an informational note! This is such a security
> hazard, at least within 8.1.7 (I doubt it is changed in 9i), that it
> isn't even funny what someone could do.
>
> Be careful what you grant to whom!
>
> I think execute on /usr/bin/ls is ok but other than that...
>
> - Brian

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Larry Elkins
  INET: elkinsl_at_flash.net

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).