Re: Security issue with DBFS

From: Kamus <kamusis_at_gmail.com>
Date: Thu, 11 Aug 2011 23:42:14 +0800
Message-ID: <0C933BBC2FE24B96B617D9B3A7524D65_at_gmail.com>



I found that if I mount this DBFS area into a filesystem and use the cp command instead of dbfs_client, the permission is OK.

$ id
uid=1101(oracle) gid=1000(oinstall) groups=1000(oinstall),1200(dba),1300(asmdba)

$ ls -l /mnt/dbfs/dbfs_area/
total 0
drwxr-xr-x 2 oracle oinstall 0 Aug 11 23:38 dir1
drwxr-xr-x 2 grid oinstall 0 Aug 11 22:41 dir2

$ cp test.txt /mnt/dbfs/dbfs_area/dir2/test1.txt
cp: cannot create regular file `/mnt/dbfs/dbfs_area/dir2/test1.txt': Permission denied

-- 
Zhang Leyi (Kamus) <kamusis_at_gmail.com>

Visit my blog for more: http://www.dbform.com
Join ACOUG: http://www.acoug.org
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)


On Thursday, August 11, 2011 at 11:19 PM, Kamus wrote:


> Hi gurus
>
> Does anyone have experience with DBFS? I'm trying to use this 11gR2 new feature for one of my product systems, which will finally hold over 400T picture BLOBs.
>
> I'm doing some tests of DBFS security and found a problem (bug?)
>
> I use the oracle user to create a directory.
> $ dbfs_client dbfs@localhost:1521/orcl --command mkdir dbfs:/dbfs_area/dir1
>
> Then I use the grid user to create another directory.
> $ dbfs_client dbfs@localhost:1521/orcl --command mkdir dbfs:/dbfs_area/dir2
>
> After that I list the dirs and all looks good. Both dirs' privilege is 755, which should mean only the user has WRITE permission.
> $ dbfs_client dbfs@localhost:1521/orcl --command ls -l dbfs:/dbfs_area
> Password:
> drwxr-xr-x grid oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir2
> drwxr-xr-x oracle oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir1
>
> But when I try to use the oracle user to copy a file into the 2 directories, both succeed. Huh? Did I miss something?
> [oracle@dbserver-oel ~]$ dbfs_client dbfs@localhost:1521/orcl --command cp test.txt dbfs:/dbfs_area/dir1/
> Password:
> test.txt -> dbfs:/dbfs_area/dir1/test.txt
> [oracle@dbserver-oel ~]$ dbfs_client dbfs@localhost:1521/orcl --command cp test.txt dbfs:/dbfs_area/dir2/
> Password:
> test.txt -> dbfs:/dbfs_area/dir2/test.txt
> $ dbfs_client dbfs@localhost:1521/orcl --command ls -l -R dbfs:/dbfs_area
> Password:
> drwxr-xr-x grid oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir2
> -rw-r--r-- oracle oinstall 27 Aug 11 22:41 dbfs:/dbfs_area/dir2/test.txt
> drwxr-xr-x oracle oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir1
> -rw-r--r-- oracle oinstall 27 Aug 11 22:41 dbfs:/dbfs_area/dir1/test.txt
>
> Any feedback will be appreciated.
>
> --
> Zhang Leyi (Kamus) <kamusis_at_gmail.com>
>
> Visit my blog for more: http://www.dbform.com
> Join ACOUG: http://www.acoug.org
> Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
-- http://www.freelists.org/webpage/oracle-l
Received on Thu Aug 11 2011 - 10:42:14 CDT
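
Added example (not part of the original message or of Oracle's tooling): a check of what the POSIX mode bits in the quoted dbfs_client listing predict for directory writes, compared with the copies reported as successful. The function names are hypothetical; it assumes a non-root user and no ACLs, and takes the user and groups from the `id` output above.

```python
import re

# Listing copied from the quoted message. dbfs_client `ls -l` format:
# mode, owner, group, size, month, day, time, path (no link-count column).
LISTING = """\
drwxr-xr-x grid oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir2
drwxr-xr-x oracle oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir1
"""

LINE = re.compile(
    r"^([d-][rwxsStT-]{9})\s+(\S+)\s+(\S+)\s+\d+\s+\w{3}\s+\d+\s+\S+\s+(.+)$")

def parse_listing(text):
    """Return {path: (mode, owner, group)} for each parsable listing line."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            mode, owner, group, path = m.groups()
            entries[path] = (mode, owner, group)
    return entries

def can_create_in(mode, owner, group, user, user_groups):
    """POSIX rule: creating a file needs write and search (w and x) on the
    directory, taken from exactly one class: owner, else group, else other.
    Assumes a non-root user and no ACLs."""
    if not mode.startswith("d"):
        return False
    if user == owner:
        bits = mode[1:4]
    elif group in user_groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    # Lowercase s/t in the execute slot still means the x bit is set.
    return bits[1] == "w" and bits[2] in "xst"

def unexpected_writes(listing, user, user_groups, observed_ok):
    """Paths where a write succeeded although the mode bits predict denial."""
    entries = parse_listing(listing)
    return sorted(p for p in observed_ok
                  if p in entries
                  and not can_create_in(*entries[p], user, user_groups))

if __name__ == "__main__":
    groups = {"oinstall", "dba", "asmdba"}          # from the `id` output
    copied = ["dbfs:/dbfs_area/dir1", "dbfs:/dbfs_area/dir2"]  # dbfs_client cp results
    print(unexpected_writes(LISTING, "oracle", groups, copied))
```

For the oracle user this flags only dbfs:/dbfs_area/dir2, the same directory where cp through the mounted filesystem was refused.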
