Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Re: UTL_FILE package (c.d.o.server)
I rang ORACLE about this 'feature' when we discovered it, and according to
them it was meant to run this way as otherwise there was a security issue,
in that unix 'gurus' could use it to circumvent ORACLE security - what?!
Anyway, the workaround we use where I work is to add
> filename
for any files to be written by utl_file to the calling unix script. This
creates the file with the owner and group of the user executing the unix
script. The utl_file package then happily writes to the file (overriding
anything like unix file permissions!), without changing the owner and
group.
As for writing to database files etc., to give ORACLE their due, they do
recommend that the utl_file_dir=* option is not used. We use it for the
development databases, so users can write to their own directories but in
the live environment there are very few directories that are specified in
the init.ora parameters.
One solution is to use utl_file_dir=*, but then write a front end to the
utility which determines the accessible directories. Users are granted
access to the front end utility but not to utl_file directly. The other
big benefits here are that you can provide more meaningful error messages,
and also could implement a 'directory and any of its sub-directories'
rule.
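To make the two workarounds above concrete, here is an added example, not code from either poster: a bash fragment that (a) enforces an allowed-directory list with a 'directory and any of its sub-directories' rule, in the spirit of the front-end utility, and (b) pre-creates the output file with the `> filename` trick so a later UTL_FILE write inherits the script user's owner and group instead of oracle:dba. The directory list in ALLOWED_DIRS and the optional `utl` group are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread). Pre-create the UTL_FILE output
# file from the calling Unix script so it is owned by the script's user/group,
# after checking it lies under an allowed directory or one of its
# sub-directories. ALLOWED_DIRS and the optional group name are assumptions.
set -u

# Directories the script may hand to UTL_FILE, one per line (assumed values).
ALLOWED_DIRS="/tmp/utl_out
/var/tmp/reports"

# is_allowed_path FILE: succeed if FILE is an absolute path under an allowed
# directory or any of its sub-directories. The check is purely textual (no
# symlink resolution), so do not accept paths through symlinks you do not own.
is_allowed_path() {
  local file="$1" dir
  case "$file" in
    /*) ;;                          # must be absolute
    *)  return 1 ;;
  esac
  case "$file" in
    */../*|*/..) return 1 ;;        # reject parent-directory components
  esac
  while IFS= read -r dir; do
    [ -n "$dir" ] || continue
    # allowed directory followed by a separator: /tmp/utl_out/x, /tmp/utl_out/a/b
    case "$file" in
      "$dir"/*) return 0 ;;
    esac
  done <<< "$ALLOWED_DIRS"
  return 1
}

# precreate_output FILE [GROUP]: the thread's "> filename" workaround. Creates
# or truncates FILE as the invoking user so a subsequent UTL_FILE write keeps
# this owner/group rather than oracle:dba. With GROUP set (e.g. an assumed
# 'utl' group) the file is put in that group with mode 660; otherwise 644.
precreate_output() {
  local file="$1" group="${2:-}"
  is_allowed_path "$file" || {
    echo "refused: $file is not under an allowed directory" >&2
    return 1
  }
  mkdir -p "$(dirname "$file")" || return 1
  : > "$file" || return 1           # same effect as "> filename" in the script
  if [ -n "$group" ]; then
    chgrp "$group" "$file" || return 1
    chmod 660 "$file" || return 1
  else
    chmod 644 "$file" || return 1
  fi
}

# verify_ownership FILE: true if FILE exists, is owned by the current user and
# is writable, i.e. the pre-create did what the workaround relies on.
verify_ownership() {
  local file="$1"
  [ -f "$file" ] && [ -O "$file" ] && [ -w "$file" ]
}

# Typical use from the calling script, before invoking sqlplus:
#   precreate_output /tmp/utl_out/report.txt utl && sqlplus ... @write_report.sql
```

Note that this only fixes who ends up owning the output and who may read it; as the poster observes, the server process still writes as the oracle user to whatever file the PL/SQL names, so the real control remains the directory list (here ALLOWED_DIRS, in production the init.ora UTL_FILE_DIR entries). The here-string and `[ -O ]` test need bash rather than the Solaris 2.5 /bin/sh.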
I was testing the UTL_FILE package, which can read and write files, in
Oracle 7.3 on Sun Solaris 2.5.
The directory you intend writing to has to be in your INIT.ORA file
(UTL_FILE_DIR=*), thus any directory you have access to.
The interesting thing happened when I wrote the file: the permissions on the
file were (you guessed it) oracle (owner) dba (group) mode 644!!!!
Well, I quickly changed that to "utl_file=/tmp".
A side issue for anyone who wants to read the tkprof files: you have to set
"_trace_files_public=true", as these files are created as oracle dba
but mode 640.
Anyway, three questions:
Any way to change the owner (even nobody)? Like web server would be OK, as the unix user may not exist.
Any way to change the mode (660) of the file so I could set up a separate group like (utl) etc.?
Anyone want to think of any user being able to write to $ORACLE_HOME/dbs/init$ORACLE_SID.ini, or
better yet, one of the oracle data files :-(
Well, if anyone has any comments on the subject; I have not called support on
the issue, but the answer should be interesting.
kwhitake_at_moon.jic.com
Received on Sat Mar 15 1997 - 00:00:00 CST