
Re: Oracle stored procedures vs Running from a flat .sql file

From: Alex Filonov <afilonov_at_yahoo.com>
Date: 7 Jan 2003 12:36:01 -0800
Message-ID: <336da121.0301071236.a84f185@posting.google.com>


DA Morgan <damorgan_at_exesolutions.com> wrote in message news:<3E1A26B4.80CCB29B_at_exesolutions.com>...
> Alex Filonov wrote:
>
> > Tim X <timx_at_spamto.devnul.com> wrote in message news:<87bs2vhyc3.fsf_at_tiger.rapttech.com.au>...
> > > "Computer Person" <xx_at_xx.com> writes:
> > >
> > > > I am finding that the UTL_FILE security is flawed in major ways which is
> > > > contributing to the problems.
> > >
> > > We have a number of apps which make use of utl_file - I would really
> > > like to know what the security flaws are with it - my experience has
> > > been that utl_file can be a pain, but this is primarily because of its
> > > security restrictions. It would be most useful to know about the
> > > security flaws so that I can determine if our system has security
> > > holes I'm not aware of.
> > >
> >
> > UTL_FILE writes all files as Oracle Database owner. If you want to load
> > files using UTL_FILE, you need to create them first as some other user.
> > That user has to have write access to this directory. Now, a simple
> > trick. Make that user create a soft link to some important file
> > owned by the Oracle owner, some executable for example. And make a simple
> > PL/SQL program which will remove this file using UTL_FILE. Sounds
> > impressive enough? This is the very first thing coming to mind, but
> > I'm sure an inventive person can produce lots of problems. Not to mention
> > not very smart persons, who can do much more damage...
> >
> > > Tim
>
> Provided the inventive person works on a server managed by a SA who is clueless about security.
>
> But then on that subject I can point you to government databases in the US where the passwords
> for SYS and SYSTEM are unchanged from the default.
>
> Daniel Morgan

This is the main problem with security. Every system provides you with some tools to achieve it. At the same time every system has security vulnerabilities and problems. Some of them are fixable, some, like UTL_FILE, are just inherent. And every security feature is designed against inventive people. Otherwise it would be enough to have some simple documentation saying "Don't do..."

Received on Tue Jan 07 2003 - 14:36:01 CST
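An administrator's check for the soft-link problem raised in this thread, as an added example that is not part of the original posts: it audits a directory that UTL_FILE is allowed to use and reports symbolic links, especially ones that resolve outside the directory, plus a world-writable directory mode. The function names and the sample directory layout are assumptions constructed for the illustration.

```python
import os
import stat
import tempfile


def audit_utl_file_dir(directory):
    """Return (path, finding) pairs for entries that could redirect file I/O
    performed by the database owner in this directory."""
    findings = []
    root = os.path.realpath(directory)
    mode = os.stat(root).st_mode
    # Anyone can plant entries in a world-writable directory.
    if mode & stat.S_IWOTH:
        findings.append((root, "directory is world-writable"))
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        st = os.lstat(path)  # lstat: inspect the link itself, not its target
        if not stat.S_ISLNK(st.st_mode):
            continue
        target = os.path.realpath(path)
        if os.path.commonpath([root, target]) == root:
            findings.append((path, "symlink inside directory"))
        else:
            findings.append((path, "symlink escapes directory -> " + target))
    return findings


def demo():
    """Build a constructed sample layout and audit it."""
    with tempfile.TemporaryDirectory() as base:
        load_dir = os.path.join(base, "load")  # hypothetical UTL_FILE directory
        os.mkdir(load_dir)
        os.chmod(load_dir, 0o750)
        outside = os.path.join(base, "important_file")  # stands in for an Oracle-owned file
        open(outside, "w").close()
        open(os.path.join(load_dir, "data.csv"), "w").close()  # ordinary load file
        os.symlink(outside, os.path.join(load_dir, "report.txt"))
        return [(os.path.basename(p), f.split(" ->")[0])
                for p, f in audit_utl_file_dir(load_dir)]


if __name__ == "__main__":
    for name, finding in demo():
        print(name, "-", finding)
```

Run it as the directory's owner or root on a schedule; a finding means the link should be removed before any PL/SQL job touches that file name.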
