Oracle FAQ Your Portal to the Oracle Knowledge Grid

JSP Runtime.getRuntime().exec and no secondary groups on Unix

From: Jesse, Rich <Rich.Jesse_at_qtiworld.com>
Date: Thu, 23 Jan 2003 14:29:17 -0800
Message-ID: <F001.00539193.20030123142917@fatcity.com>


Hey all,

Trying to get into this JSP thingy on 8.1.7.4 and HP/UX 11.0 and I've run into a stumbling block. I want to copy a trace file from UDUMP to the user's directory via JSP. Here's the security specifics on the HP/UX side:

Oracle username:		oracle
Oracle primary group:	dba
Oracle secondary group:	erp		(from /etc/group)
User username:		myuser
User primary group:		erp
User secondary group:	<none>

"myuser"'s home directory is "/home/myuser", owned by "myuser:erp" with a protection of 775 (ERP system design demands it's that low!) and no ACLs. When logged into the oracle account, I can:

        cp /yadda/yadda/udump/ora_9999_mydb.trc /home/myuser

...without a problem since oracle has a secondary group of "erp". When I try the exact same command via the JSP (cloned from Metalink article 109095.1) I get "permission denied" ONLY IF the file doesn't already exist. Here's a snippet:

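	TKPCommand = "/usr/bin/cp " + TraceName + " " + UserName;
	Process p = Runtime.getRuntime().exec(TKPCommand);
	System.out.println("CP command: " + TKPCommand);
	// Wait for cp to finish; exitValue() throws IllegalThreadStateException if it is still running
	p.waitFor();
	System.out.println("Return code from CP: " + p.exitValue());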

And the output:

        CP command: /usr/bin/cp /yadda/yadda/udump/ora_9999/mydb.trc /home/myuser
        Return code from CP: 1

By converting the "cp" command to a shell script and adding debugging, we were able to see the "permission denied" and to verify that the executing user is "oracle". However, if the destination file exists (e.g. from the interactive copy above), it works fine. Delete the file from /home/myuser and run the JSP and it fails because the oracle account's primary group doesn't have access to write to the /home/myuser directory. But it works interactively because of the secondary group membership.

This (and tons of other similar boring tests) leads me to believe that the secondary groups are not active in the call from the JSP. Without the pain of using Unix's "newgrp" in my exec command, does anyone have a way around this mess? Is there something I'm missing?

Help!
TIA,
Rich

Rich Jesse                           System/Database Administrator
Rich.Jesse_at_qtiworld.com              Quad/Tech International, Sussex, WI USA
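
Added example, not part of the original post: a POSIX sh debugging helper in the spirit of the wrapper script the post mentions, modelling which single permission class (owner, group or other) applies to the caller when ACLs are absent and the caller is not root. The function names and the existing file's mode are assumptions; the user, group and directory values are constructed from the post.

```sh
#!/bin/sh
# Added example, not from the original post. Models the classic Unix check
# (no ACLs, non-root caller): exactly ONE permission class applies to a process.

# perm_class USER "ACTIVE GROUPS" OWNER GROUP -> prints owner|group|other
perm_class() {
    if [ "$1" = "$3" ]; then echo owner; return; fi
    for g in $2; do
        if [ "$g" = "$4" ]; then echo group; return; fi
    done
    echo other
}

# class_bits USER "ACTIVE GROUPS" OWNER GROUP LS_MODE -> prints e.g. "r-x"
# LS_MODE is the first column of `ls -ld`, e.g. drwxrwxr-x
class_bits() {
    case $(perm_class "$1" "$2" "$3" "$4") in
        owner) printf '%s\n' "$5" | cut -c2-4 ;;
        group) printf '%s\n' "$5" | cut -c5-7 ;;
        *)     printf '%s\n' "$5" | cut -c8-10 ;;
    esac
}

# Creating a new entry in a directory needs write AND search (x, or s/t = x plus a special bit).
can_create_in() {
    case $(class_bits "$@") in ?w[xst]) return 0 ;; *) return 1 ;; esac
}

# Overwriting an existing file needs only write permission on the file itself.
can_overwrite() {
    case $(class_bits "$@") in ?w?) return 0 ;; *) return 1 ;; esac
}

# check_dir DIR: run the same test against the calling process's own identity,
# e.g. from a wrapper script started by Runtime.exec().
check_dir() {
    set -- "$1" $(ls -ld "$1")          # $2=mode $4=owner $5=group
    echo "user=$(id -un) active_groups=$(id -Gn) dir=$1 mode=$2 owner=$4 group=$5"
    can_create_in "$(id -un)" "$(id -Gn)" "$4" "$5" "$2"
}

# Constructed values taken from the post: /home/myuser is myuser:erp, mode 775.
for active in "dba" "dba erp"; do
    if can_create_in oracle "$active" myuser erp drwxrwxr-x
    then echo "groups [$active]: create allowed"
    else echo "groups [$active]: create denied (class=$(perm_class oracle "$active" myuser erp))"
    fi
done
```

Calling check_dir /home/myuser from the script that the JSP executes prints the group set that process actually holds, which can be compared with the output of the same call from an interactive oracle login.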

Received on Thu Jan 23 2003 - 16:29:17 CST