RE: JSP Runtime.getRuntime().exec and no secondary groups on Unix

As no one seems to care, I guess I'll have to answer my own question.

Methinks the problem was that the svrmgrl process I used to bounce the instance after the change to /etc/group was holding on to the old group memberships. So, by simply exiting svrmgrl between the shutdown and startup of the instance, the new instance grabbed the new group memberships and all is well with the Java Stored Procedures.

Thanks Rich for your reply! The next beer's on me!

(It's bad when you start referring to yourself in the 3rd person. George is gettin' upset!)

:)

Rich

Rich Jesse                           System/Database Administrator
Rich.Jesse_at_qtiworld.com              Quad/Tech International, Sussex, WI USA

> -----Original Message-----
> From: Jesse, Rich
> Sent: Friday, January 24, 2003 10:19 AM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: JSP Runtime.getRuntime().exec and no secondary groups on
> Unix
>
>
> OK, some clarification here: I use "JSP" for "Java Stored
> Procedure" and
> NOT "Java Server Pages". Also, a co-worker suggested running
> the "groups"
> command to verify what groups are available to the process.
> That confirmed
> that the secondary group is indeed NOT active in the Java
> Stored Procedure
> call.
>
> Rich
>
>
> Rich Jesse System/Database Administrator
> Rich.Jesse_at_qtiworld.com Quad/Tech International,
> Sussex, WI USA
>
>
> > -----Original Message-----
> > From: Jesse, Rich
> > Sent: Thursday, January 23, 2003 4:29 PM
> > To: Multiple recipients of list ORACLE-L
> > Subject: JSP Runtime.getRuntime().exec and no secondary
> groups on Unix
> >
> >
> > Hey all,
> >
> > Trying to get into this JSP thingy on 8.1.7.4 and HP/UX 11.0
> > and I've run
> > into a stumbling block. I want to copy a trace file from
> UDUMP to the
> > user's directory via JSP. Here's the security specifics on
> > the HP/UX side:
> >
> > Oracle username: oracle
> > Oracle primary group: dba
> > Oracle secondary group: erp (from /etc/group)
> > User username: myuser
> > User primary group: erp
> > User secondary group: <none>
> >
> > "myuser"'s home directory is "/home/myuser", owned by
> > "myuser:erp" with a
> > protection of 775 (ERP system design demands it's that low!)
> > and no ACLs.
> > When logged into the oracle account, I can:
> >
> > cp /yadda/yadda/udump/ora_9999_mydb.trc /home/myuser
> >
> > ...without a problem since oracle has a secondary group of
> > "erp". When I
> > try to the exact same command via the JSP (cloned from
> > Metalink article
> > 109095.1) I get "permission denied" ONLY IF the file doesn't
> > already exist.
> > Here's a snippet:
> >
> > TKPCommand = "/usr/bin/cp " + TraceName + " " + UserName;
> > Process p = Runtime.getRuntime().exec(TKPCommand);
> > System.out.println("CP command: " + TKPCommand);
> > System.out.println("Return code from CP: " + p.exitValue());
> >
> > And the output:
> >
> > CP command: /usr/bin/cp /yadda/yadda/udump/ora_9999/mydb.trc
> > /home/myuser
> > Return code from CP: 1
> >
> > By converting the "cp" command to a shell script and adding
> > debugging, we
> > were able to see the "permission denied" and to verify that
> > the executing
> > user is "oracle". However, if the destination file exists
> > (e.g. from the
> > interactive copy above), it works fine. Delete the file from
> > /home/myuser
> > and run the JSP and it fails because the oracle account's
> > primary group
> > doesn't have access to write to the /home/myuser directory.
> > But it works
> > interactively because of the secondary group membership.
> >
> > This (and tons of other similar boring tests) leads me to
> > believe that the
> > secondary groups are not active in the call from the JSP.
> > Without the pain
> > of using Unix's "newgrp" in my exec command, does anyone have
> > a way around
> > this mess? Is there something I'm missing?
> >
> > Help!
> > TIA,
> > Rich

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jesse, Rich
  INET: Rich.Jesse_at_qtiworld.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).