Oracle9i File Protection Issues on Windows 2000

From: Brett Hunsaker <brett-hunsaker_at_automation-software.com>
Date: 19 Aug 2002 12:42:16 -0700
Message-ID: <436f92d1.0208191142.224ee33c@posting.google.com>

There is something weird happening in regards to the security settings associated with the Oracle9i Release 2 files.

The initial indications of a problem occurred when I tried to use the Microsoft OLE DB Provider for Oracle in a VBScript under the Windows 2000 task scheduler. The script runs fine from my interactive session, but failed under the scheduler with the 80004005 error:

---

Microsoft OLE DB Provider for Oracle: Oracle client and networking components were not found. These components are supplied by Oracle Corporation and are part of the Oracle Version 7.3.3 or later client software installation.

Provider is unable to function until these components are installed.
---

Microsoft has a knowledgebase article describing a similar problem with IIS (Q255084), and none of the troubleshooting suggestions fixed my problem.

The error basically means "I can't find the Oracle client files which should be in the oracle \bin directory and which should be listed in the PATH environment variable."

Hmm...

Using the RUNAS command, I created a Command Prompt window running under the same account as my scheduled task. Guess what? The binary directory is listed in the PATH list, but directory contains no files!

Since the files do exist on the system in D:\Oracle\ora90\bin, this must be some sort of security violation. Sure enough, when I issue the command 'DIR D:\Oracle\ora90', I get a failure audit (event 560) in the event viewer stating:

---

Object Open:

        Object Server:          Security
        Object Type:            File
        Object Name:            D:\oracle\ora90
        New Handle ID:          -
        Operation ID:           {0,202541}
        Process ID:             1816
        Primary User Name:      TestUser
        Primary Domain:         OURDOMAIN
        Primary Logon ID:       (0x0,0x1BD4F)
        Client User Name:       -
        Client Domain:          -
        Client Logon ID:        -
        Accesses                SYNCHRONIZE
                                ReadData (or ListDirectory)

        Privileges              -

---

Looking at the protection of the directory with CACLS gives the following:

---

C:\>cacls d:\oracle\ora90
d:\oracle\ora90 NT AUTHORITY\Authenticated Users:(OI)(CI)(special access:)

                                                         READ_CONTROL
                                                        
FILE_READ_DATA
                                                         FILE_READ_EA
                                                         FILE_EXECUTE
                                                        

FILE_READ_ATTRIBUTES

                BUILTIN\Administrators:(OI)(CI)F
                NT AUTHORITY\SYSTEM:(OI)(CI)F

---

Hmm, looks like I should get in as an authenticated user.

Using the SECTOK utility from
http://home.earthlink.net/~joewarenet/win32/index.html, I can confirm that the Command Prompt window I started via RUNS does indeed have the appropriate token:

---

C:\>sectok

SecTok V01.00.00cpp Joe Richards (joe_at_joeware.net) November 2001

User: S-1-5-21-700192930-1906580503-837300906-1330 - OURDOMAIN\TestUser

Group: S-1-1-0 - Everyone
Group: S-1-5-11 - NT AUTHORITY\Authenticated Users
Group: S-1-5-21-700192930-1906580503-837300906-1126 - OURDOMAIN\Tech

Group
Group: S-1-5-21-700192930-1906580503-837300906-513 - OURDOMAIN\Domain Users
Group: S-1-5-32-545 - BUILTIN\Users
Group: S-1-5-4 - NT AUTHORITY\INTERACTIVE
---

So why can't I see the contents of the Oracle\ora90 directory?

Thanks for any suggestions

• Brett Hunsaker

Received on Mon Aug 19 2002 - 14:42:16 CDT