
RE: tracing oracle filesystem access

From: Thomas Jeff <jeff.thomas_at_thomson.net>
Date: 2006-01-11 20:22:55
Message-id: 08AD20EDD5C44148842571F730597F8409EE9E@INDYSMAILMB03.am.thmulti.com


Oh boy. I blanched and cringed when I read: '*' and JAVASYSPRIV.  

From an O/S level, I don't know how you can do this.

In the database, perhaps you can check dependencies:

select owner, name, type from dba_dependencies where referenced_name = 'UTL_FILE';

And find out how extensively UTL_FILE is used -- perhaps simple code inspection will suffice
provided the # of packages referencing UTL_FILE is low.

As for JAVASYSPRIV, you might have a bigger issue: what about other permissions that may
be needed, such as lang.RuntimePermission or net.SocketPermission, and so forth?

Jeff T.

-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Pakhutkin, Maxim
(Max)
Sent: Wednesday, January 11, 2006 1:28 PM
To: oracle-l_at_freelists.org
Subject: RE: tracing oracle filesystem access

Sorry, didn't explain myself properly.

The utl_file_dir is currently set to be '*'. Some users have JAVASYSPRIV. I would like to restrict that as much as possible. To do this I would like to identify any and all directories and files the database processes access over a period of time. That way I will have a certain degree of confidence that my restriction will not break existing functionality.

I hope this is a better explanation.

Max.

-----Original Message-----
From: Thomas Jeff [mailto:jeff.thomas_at_thomson.net]
Sent: Wednesday, January 11, 2006 1:22 PM
To: Pakhutkin, Maxim (Max); oracle-l_at_freelists.org
Subject: RE: tracing oracle filesystem access

Unless I'm missing something, can't you just do a show parameter utl_file_dir in the respective databases to list all directories accessible?  

As for java, something like this:  

SELECT kind, grantee, type_schema, type_name, name, action, enabled FROM dba_java_policy

Look for a TYPE_NAME = java.io.FilePermission


From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Pakhutkin, Maxim
(Max)
Sent: Wednesday, January 11, 2006 1:08 PM
To: oracle-l_at_freelists.org
Subject: tracing oracle filesystem access

Does anyone know of a way to trace/audit which files and directories Oracle accesses either via PL/SQL (utl_file_dir) or java? I'm trying to restrict java access and pl/sql access to the filesystem, but would like to be able to monitor existing access patterns to make sure I will not break any functionality when I apply the restriction.

The only way I can think of is by monitoring server processes with truss, but that would be pretty cumbersome. The other way is to somehow put a wrapper around sys.utl_file (but what about java?).  

Thanks in advance.  

Max Pakhutkin  

--
http://www.freelists.org/webpage/oracle-l

Received on Wed Jan 11 2006 - 20:22:55 CST
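
An added example, not part of the original thread: one way to make the truss approach mentioned in the first message less cumbersome is to reduce the captured output to a per-directory summary before replacing utl_file_dir = '*' with an explicit list. The sample trace lines, PIDs, paths, the `summarize` helper and the `ignore_prefixes` default are all constructed assumptions; the input is assumed to follow the usual `pid: call(args) = result` layout of truss output.

```python
import re
from collections import defaultdict
from posixpath import dirname, normpath

# Constructed sample in truss "pid: call(args) = result" layout; PIDs and paths are made up.
SAMPLE_TRUSS = (
    '4021:\topen64("/u01/app/oracle/admin/PROD/udump/prod_ora_4021.trc", O_WRONLY|O_CREAT|O_APPEND, 0640) = 9\n'
    '4021:\topen("/data/feeds/in/orders_20060111.csv", O_RDONLY) = 11\n'
    '4021:\topen64("/data/feeds/out/../out/ack_20060111.txt", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 12\n'
    '4077:\topen("/etc/passwd", O_RDONLY) = 7\n'
    '4077:\topen("/data/feeds/in/missing.csv", O_RDONLY) Err#2 ENOENT\n'
    '4077:\tstat64("/data/feeds/in", 0xFFBFE8A0) = 0\n'
)

# Matches open/creat calls only; other syscalls (stat64 above) are skipped.
CALL = re.compile(
    r'^(?:(?P<pid>\d+):\s+)?(?P<call>open64|open|creat64|creat)\("(?P<path>[^"]+)"'
    r'(?:,\s*(?P<flags>[A-Z_|]+))?.*?\)\s+(?P<result>=\s*\d+|Err#\d+\s+\w+)')


def summarize(trace_text, ignore_prefixes=("/u01/app/oracle/",)):
    """Return {directory: {"read": n, "write": n, "failed": n}} for file opens.

    ignore_prefixes (assumed Oracle base path) drops the server's own trace and
    datafile I/O, which a syscall trace cannot tell apart from UTL_FILE or Java access.
    """
    dirs = defaultdict(lambda: {"read": 0, "write": 0, "failed": 0})
    for line in trace_text.splitlines():
        m = CALL.match(line)
        if not m:
            continue
        path = normpath(m["path"])  # collapse "../" so each directory is counted once
        if not path.startswith("/") or path.startswith(tuple(ignore_prefixes)):
            continue
        entry = dirs[dirname(path)]
        flags = m["flags"] or ""
        if m["result"].startswith("Err"):
            entry["failed"] += 1   # failed opens still show what the code tries to reach
        elif m["call"].startswith("creat") or "O_WRONLY" in flags or "O_RDWR" in flags:
            entry["write"] += 1
        else:
            entry["read"] += 1
    return {d: dict(c) for d, c in sorted(dirs.items())}


if __name__ == "__main__":
    for directory, counts in summarize(SAMPLE_TRUSS).items():
        print(f"{directory:<20} {counts}")
```

Directories that appear in the summary but were never meant to be reachable from the database (such as /etc in the constructed sample) are the ones to investigate before writing the restricted utl_file_dir list.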
