
RE: JSP Runtime.getRuntime().exec and no secondary groups on Unix

From: Jesse, Rich <Rich.Jesse_at_qtiworld.com>
Date: Fri, 24 Jan 2003 08:19:25 -0800
Message-ID: <F001.00539C31.20030124081925@fatcity.com>


OK, some clarification here: I use "JSP" for "Java Stored Procedure" and NOT "Java Server Pages". Also, a co-worker suggested running the "groups" command to verify what groups are available to the process. That confirmed that the secondary group is indeed NOT active in the Java Stored Procedure call.

Rich

Rich Jesse                           System/Database Administrator
Rich.Jesse_at_qtiworld.com              Quad/Tech International, Sussex, WI USA


> -----Original Message-----
> From: Jesse, Rich
> Sent: Thursday, January 23, 2003 4:29 PM
> To: Multiple recipients of list ORACLE-L
> Subject: JSP Runtime.getRuntime().exec and no secondary groups on Unix
>
>
> Hey all,
>
> Trying to get into this JSP thingy on 8.1.7.4 and HP/UX 11.0 and I've run
> into a stumbling block. I want to copy a trace file from UDUMP to the
> user's directory via JSP. Here's the security specifics on the HP/UX side:
>
> Oracle username: oracle
> Oracle primary group: dba
> Oracle secondary group: erp (from /etc/group)
> User username: myuser
> User primary group: erp
> User secondary group: <none>
>
> "myuser"'s home directory is "/home/myuser", owned by "myuser:erp" with a
> protection of 775 (ERP system design demands it's that low!) and no ACLs.
> When logged into the oracle account, I can:
>
> cp /yadda/yadda/udump/ora_9999_mydb.trc /home/myuser
>
> ...without a problem since oracle has a secondary group of "erp". When I
> try the exact same command via the JSP (cloned from Metalink article
> 109095.1) I get "permission denied" ONLY IF the file doesn't already exist.
> Here's a snippet:
>
> TKPCommand = "/usr/bin/cp " + TraceName + " " + UserName;
> Process p = Runtime.getRuntime().exec(TKPCommand);
> System.out.println("CP command: " + TKPCommand);
> p.waitFor(); // exitValue() throws IllegalThreadStateException if cp is still running
> System.out.println("Return code from CP: " + p.exitValue());
>
> And the output:
>
> CP command: /usr/bin/cp /yadda/yadda/udump/ora_9999/mydb.trc /home/myuser
> Return code from CP: 1
>
> By converting the "cp" command to a shell script and adding debugging, we
> were able to see the "permission denied" and to verify that the executing
> user is "oracle". However, if the destination file exists (e.g. from the
> interactive copy above), it works fine. Delete the file from /home/myuser
> and run the JSP and it fails because the oracle account's primary group
> doesn't have access to write to the /home/myuser directory. But it works
> interactively because of the secondary group membership.
>
> This (and tons of other similar boring tests) leads me to believe that the
> secondary groups are not active in the call from the JSP. Without the pain
> of using Unix's "newgrp" in my exec command, does anyone have a way around
> this mess? Is there something I'm missing?
>
> Help!
> TIA,
> Rich

Received on Fri Jan 24 2003 - 10:19:25 CST
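
One way to check the diagnosis in this thread from inside the exec'd process, as an added example that is not part of the original messages: a shell script that compares the groups actually active in the process with the secondary groups the group file assigns to the account. The function names, the `--report` flag, the `GROUP_FILE` variable and the sample group file are constructed for illustration; a POSIX `id` and `awk` are assumed.

```shell
#!/bin/sh
# Added example: compare the groups active in this process with the
# secondary groups /etc/group assigns to the account.

# Constructed sample in /etc/group format (name:passwd:gid:members).
sample_group_file() {
    cat <<'EOF'
dba::101:
erp::200:root,oracle
users::20:myuser,oracle2
oinstall::102:oracle
EOF
}

# configured_groups USER FILE: groups whose member list (field 4) names USER.
# FILE may be "-" to read standard input.
configured_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++)
            if (m[i] == u) { out = out (out == "" ? "" : " ") $1; break }
    } END { print out }' "$2"
}

# missing_groups "ACTIVE" "CONFIGURED": configured groups absent from ACTIVE.
missing_groups() {
    out=""
    for g in $2; do
        case " $1 " in
            *" $g "*) ;;                      # whole-word match: group is active
            *) out="${out:+$out }$g" ;;
        esac
    done
    printf '%s\n' "$out"
}

# report [DIR]: print the identity the process really runs with.
report() {
    user=$(id -un); active=$(id -Gn)
    wanted=$(configured_groups "$user" "${GROUP_FILE:-/etc/group}")
    echo "user=$user active=$active configured=$wanted"
    echo "missing=$(missing_groups "$active" "$wanted")"
    if [ -n "${1:-}" ] && [ ! -w "$1" ]; then echo "cannot create files in $1"; fi
}

# Hypothetical flag: run the report only when asked, e.g. --report /home/myuser
if [ "${1:-}" = "--report" ]; then report "${2:-}"; fi
```

Launched through the same `Runtime.getRuntime().exec` call as the `cp`, a non-empty `missing=` line means the spawned process did not receive a configured secondary group, which matches the create-fails, overwrite-works behaviour described above.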
