Re: Oracle9i File Protection Issues on Windows 2000

From: Vladimir M. Zakharychev <bob_at_dpsp-yes.com>
Date: Tue, 20 Aug 2002 16:47:51 +0400
Message-ID: <ajtdpv$8qk$1@babylon.agtel.net>

Seems that your ACL for Authenticated Users does not include SYNCHRONIZE, thus special access instead of (OI)(CI)R and you don't see anything in the dir. You probably need to reset ACL for the dir and its siblings to be either (OI)(CI)R or special access with SYNCHRONIZE in list. Actually, I was unable to create an ACL without it using built-in GUI tools (Properties tab). Just ensure the group is granted List Folder Contents and Read & Execute - this should be enough the reset ACLs to proper values. Why and how SYNCHRONIZE was revoked is beyond me. :)

Corrections and additions welcome.

--
Vladimir Zakharychev (bob@dpsp-yes.com)                http://www.dpsp-yes.com
Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
All opinions are mine and do not necessarily go in line with those of my employer.


"Brett Hunsaker" <brett-hunsaker_at_automation-software.com> wrote in message
news:436f92d1.0208191142.224ee33c_at_posting.google.com...


> There is something weird happening in regards to the security settings

> associated with the Oracle9i Release 2 files.

>

> The initial indications of a problem occurred when I tried to use the

> Microsoft OLE DB Provider for Oracle in a VBScript  under the Windows

> 2000 task scheduler.  The script runs fine from my interactive

> session, but failed under the scheduler with the 80004005 error:

>

> ---

> Microsoft OLE DB Provider for Oracle: Oracle client and networking

> components were not found. These components are supplied by Oracle

> Corporation and are part of the Oracle Version 7.3.3 or later client

> software installation.

>

> Provider is unable to function until these components are installed.

> ---

>

> Microsoft has a knowledgebase article describing a similar problem

> with IIS (Q255084), and none of the troubleshooting suggestions fixed

> my problem.

>

> The error basically means "I can't find the Oracle client files which

> should be in the oracle \bin directory and which should be listed in

> the PATH environment variable."

>

> Hmm...

>

> Using the RUNAS command, I created a Command Prompt window running

> under the same account as my scheduled task.  Guess what?  The binary

> directory is listed in the PATH list, but directory contains no files!

>

> Since the files do exist on the system in D:\Oracle\ora90\bin, this

> must be some sort of security violation.  Sure enough, when I issue

> the command 'DIR D:\Oracle\ora90', I get a failure audit (event 560)

> in the event viewer stating:

>

> ---

> Object Open:

>         Object Server:          Security

>         Object Type:            File

>         Object Name:            D:\oracle\ora90

>         New Handle ID:          -

>         Operation ID:           {0,202541}

>         Process ID:             1816

>         Primary User Name:      TestUser

>         Primary Domain:         OURDOMAIN

>         Primary Logon ID:       (0x0,0x1BD4F)

>         Client User Name:       -

>         Client Domain:          -

>         Client Logon ID:        -

>         Accesses                SYNCHRONIZE

>                                 ReadData (or ListDirectory)

>

>         Privileges              -

> ---

>

> Looking at the protection of the directory with CACLS gives the

> following:

>

> ---

> C:\>cacls d:\oracle\ora90

> d:\oracle\ora90 NT AUTHORITY\Authenticated Users:(OI)(CI)(special

> access:)

>                                                          READ_CONTROL

>

> FILE_READ_DATA

>                                                          FILE_READ_EA

>                                                          FILE_EXECUTE

>

> FILE_READ_ATTRIBUTES

>

>                 BUILTIN\Administrators:(OI)(CI)F

>                 NT AUTHORITY\SYSTEM:(OI)(CI)F

> ---

>

> Hmm, looks like I should get in as an authenticated user.

>

> Using the SECTOK utility from

> http://home.earthlink.net/~joewarenet/win32/index.html, I can confirm

> that the Command Prompt window I started via RUNS does indeed have the

> appropriate token:

>

> ---

> C:\>sectok

>

> SecTok V01.00.00cpp Joe Richards (joe_at_joeware.net) November 2001

>

> User: S-1-5-21-700192930-1906580503-837300906-1330 -

> OURDOMAIN\TestUser

>

> Group: S-1-1-0 - Everyone

> Group: S-1-5-11 - NT AUTHORITY\Authenticated Users

> Group: S-1-5-21-700192930-1906580503-837300906-1126 - OURDOMAIN\Tech

> Group

> Group: S-1-5-21-700192930-1906580503-837300906-513 - OURDOMAIN\Domain

> Users

> Group: S-1-5-32-545 - BUILTIN\Users

> Group: S-1-5-4 - NT AUTHORITY\INTERACTIVE

> ---

>

> So why can't I see the contents of the Oracle\ora90 directory?

>

> Thanks for any suggestions

>

> -- Brett Hunsaker

Received on Tue Aug 20 2002 - 07:47:51 CDT