| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> RE: tracing oracle filesystem access
Max, playing catch-up on my email so this is a little late. About 3 years
ago I started dabbling with java in the database and writing/executing
from the filesystem. I soon discovered how dangerous this can be and it
really doesn't matter what directories you grant access to if you allow
write/execute to any single filesystem on your server. JAVASYSPRIV is
obviously opening this up to who knows what.
I can appreciate your attempt to restrict access to specific directories but unless you do that AND remove execute privileges I personally believe it's futile. I'd love to be proved wrong on this but I felt this was a HUGE security issue and refused to give this access to anyone but the DBA's.
I'm in a windows shop now :-( so this is running a .bat file. I'm no java guy but I think this shows the dangers from even a hack like myself.
create or replace java source named "JavaBadDemo" as
import java.io.*;
import java.sql.*;
public class JavaBadDemo
{
public static void run() throws Exception
{
int rc = -1;
// open a file and write os commands comprimising security
PrintWriter pw = null;
pw = new PrintWriter(new BufferedWriter(new
FileWriter("c:\\junk\\junk.bat")));
pw.println("dir > c:\\garbage\\ohmy.txt");
pw.close();
// execute the file just written to filesystem
Runtime rt = Runtime.getRuntime();
Process p = rt.exec("c:\\junk\\junk.bat");
try {
rc = p.waitFor();
/* Handle exceptions for waitFor() */
} catch (InterruptedException intexc) {
System.out.println("Interrupted Exception on waitFor: " +
intexc.getMessage());
}
alter java source "JavaBadDemo" compile; show errors java source "JavaBadDemo"
create or replace procedure JavaBad
as language java
name 'JavaBadDemo.run()';
/
exec javabad;
Brian S. Wisniewski
Sr. Oracle Database Administrator
Cell: 614.975.2905
Central Technology Infrastructure & Operations
brian.x.wisniewski_at_jpmchase.com
"Pakhutkin, Maxim (Max)"
Sent by: oracle-l-bounce_at_freelists.org
01/11/2006 01:28 PM
Please respond to maxim.pakhutkin
To:
cc:
Subject: RE: tracing oracle filesystem access
Sorry, didn't explain myself properly.
The utl_file_dir is currently set to be '*'. Some users have JAVASYSPRIV. I would like to restrict that as much as possible. To do this I would like to identify any and all directories and files the database processes access over a period of time. That way I will have a certain degree of confidence that my restriction will not break existing functionality.
I hope this is a better explanation.
Max.
-----Original Message-----
From: Thomas Jeff [mailto:jeff.thomas_at_thomson.net]
Sent: Wednesday, January 11, 2006 1:22 PM
To: Pakhutkin, Maxim (Max); oracle-l_at_freelists.org
Subject: RE: tracing oracle filesystem access
Unless I'm missing something, can't you just do a show parameter
utl_file_dir
in the respective databases to list all directories accessible?
As for java, something like this:
SELECT kind, grantee, type_schema, type_name, name, action, enabled FROM dba_java_policy
Look for a TYPE_NAME = java.io.Filepermission
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Pakhutkin, Maxim
(Max)
Sent: Wednesday, January 11, 2006 1:08 PM
To: oracle-l_at_freelists.org
Subject: tracing oracle filesystem access
Does anyone know of a way to trace/audit which files and directories oracle accesses either via PL/SQL (utl_file_dir) and java? I'm trying to restrict java access and pl/sql access to the filesystem, but would like to be able to monitor existing access patterns to make sure I will not break any functionality when I apply the restriction.
The only way I can think of is by monitoring server processes with truss, but that would be pretty cumbersome. The other way is to somehow put a wrapper around sys.utl_file (but what about java?).
Thanks in advance.
Max Pakhutkin
-- http://www.freelists.org/webpage/oracle-lReceived on Thu Jan 12 2006 - 20:18:48 CST
 |
 |