RE: tracing oracle filesystem access

From: <>
Date: 2006-01-12 20:18:48

Max, playing catch-up on my email so this is a little late. About 3 years ago I started dabbling with Java in the database and writing/executing from the filesystem. I soon discovered how dangerous this can be and it really doesn't matter what directories you grant access to if you allow write/execute to any single filesystem on your server. JAVASYSPRIV is obviously opening this up to who knows what.

I can appreciate your attempt to restrict access to specific directories but unless you do that AND remove execute privileges I personally believe it's futile. I'd love to be proved wrong on this but I felt this was a HUGE security issue and refused to give this access to anyone but the DBAs.

I'm in a Windows shop now :-( so this is running a .bat file. I'm no Java guy but I think this shows the dangers from even a hack like myself.

create or replace java source named "JavaBadDemo" as
import java.io.*;
import java.sql.*;

public class JavaBadDemo {
  public static void run() throws Exception {

        int rc = -1;

        // open a file and write os commands compromising security
        // (the FileWriter argument is cut off in the archived message;
        //  the path used is the one passed to exec() below)

        PrintWriter pw = null;
        pw = new PrintWriter(new BufferedWriter(new FileWriter("c:\\junk\\junk.bat")));
        pw.println("dir > c:\\garbage\\ohmy.txt");
        pw.close();   // flush the batch file to disk before it is run

        // execute the file just written to filesystem

        Runtime rt = Runtime.getRuntime();
        Process p = rt.exec("c:\\junk\\junk.bat");

        try {
                rc = p.waitFor();
        /* Handle exceptions for waitFor() */
        } catch (InterruptedException intexc) {
                System.out.println("Interrupted Exception on waitFor: " + intexc.getMessage());
        }
  }
}
/

alter java source "JavaBadDemo" compile;
show errors java source "JavaBadDemo"

create or replace procedure JavaBad
as language java
name 'JavaBadDemo.run()';
/

exec javabad;

Brian S. Wisniewski

Sr. Oracle Database Administrator
Cell: 614.975.2905
Central Technology Infrastructure & Operations

"Pakhutkin, Maxim (Max)"
Sent by:
01/11/2006 01:28 PM
Please respond to maxim.pakhutkin  

        Subject:        RE: tracing oracle filesystem access

Sorry, didn't explain myself properly.

The utl_file_dir is currently set to be '*'. Some users have JAVASYSPRIV. I would like to restrict that as much as possible. To do this I would like to identify any and all directories and files the database processes access over a period of time. That way I will have a certain degree of confidence that my restriction will not break existing functionality.

I hope this is a better explanation.


-----Original Message-----
From: Thomas Jeff
Sent: Wednesday, January 11, 2006 1:22 PM
To: Pakhutkin, Maxim (Max)
Subject: RE: tracing oracle filesystem access

Unless I'm missing something, can't you just do a show parameter utl_file_dir
in the respective databases to list all directories accessible?  

As for java, something like this:  

SELECT kind, grantee, type_schema, type_name, name, action, enabled FROM dba_java_policy

Look for a TYPE_NAME =

On Behalf Of Pakhutkin, Maxim (Max)
Sent: Wednesday, January 11, 2006 1:08 PM
Subject: tracing oracle filesystem access

Does anyone know of a way to trace/audit which files and directories Oracle accesses either via PL/SQL (utl_file_dir) or Java? I'm trying to restrict Java access and PL/SQL access to the filesystem, but would like to be able to monitor existing access patterns to make sure I will not break any functionality when I apply the restriction.

The only way I can think of is by monitoring server processes with truss, but that would be pretty cumbersome. The other way is to somehow put a wrapper around sys.utl_file (but what about Java?).

Thanks in advance.  

Max Pakhutkin  

Received on Thu Jan 12 2006 - 20:18:48 CST
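
An audit sketch for the settings discussed in this thread, added here as an example and not part of any poster's message: it checks utl_file_dir, finds the users who reach JAVASYSPRIV, and lists Java file permissions that allow write or execute. It assumes a DBA session in SQL*Plus with access to v$parameter, dba_role_privs, dba_users and dba_java_policy; the java.io.FilePermission filter and the 'GRANT' / 'ENABLED' values are assumptions about how the policy rows are stored.

```sql
-- Added audit example (not from the thread). Run as a DBA.

-- 1. Current PL/SQL file access setting; '*' means every directory
--    the oracle OS account can reach.
SELECT name, value
FROM   v$parameter
WHERE  name = 'utl_file_dir';

-- 2. Database users that hold JAVASYSPRIV directly or through nested roles.
--    Each row of dba_role_privs is a root; the walk follows role-to-role grants.
SELECT DISTINCT t.holder AS username
FROM  (SELECT CONNECT_BY_ROOT grantee AS holder, granted_role
       FROM   dba_role_privs
       CONNECT BY PRIOR granted_role = grantee) t
JOIN   dba_users u ON u.username = t.holder
WHERE  t.granted_role = 'JAVASYSPRIV'
ORDER  BY username;

-- 3. Enabled Java file permissions that allow write or execute.
--    Rows flagged WRITE+EXECUTE match the case in the message above:
--    the grantee can drop a file and then run it.
--    (type_name and the kind/enabled literals are assumptions; adjust
--     if your dictionary shows different values.)
SELECT grantee,
       name   AS path,
       action,
       CASE
         WHEN LOWER(action) LIKE '%write%'
          AND LOWER(action) LIKE '%execute%' THEN 'WRITE+EXECUTE'
         WHEN LOWER(action) LIKE '%execute%' THEN 'EXECUTE'
         ELSE 'WRITE'
       END    AS risk
FROM   dba_java_policy
WHERE  UPPER(kind)    = 'GRANT'
AND    UPPER(enabled) = 'ENABLED'
AND    type_name      = 'java.io.FilePermission'
AND   (LOWER(action) LIKE '%write%' OR LOWER(action) LIKE '%execute%')
ORDER  BY risk DESC, grantee, path;
```

Grantees in query 3 can be roles as well as users, so compare them against the role walk in query 2 before deciding which grants are safe to remove.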