| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Usenet -> c.d.o.server -> Re: Java permissions
Hi Jeremy,
You have a number of possibilities. You could grant the role JAVASYSPRIV which has the rights to read,write,execute or delete any file to the user. Or you could grant the user JAVA_ADMIN role which will allow him to grant his own file permissions via the DBMS_JAVA package as this role has the rights to grant this privilege. Both of these methods are not secure though. The first as suggested will allow your users to access any file which is not ideal. The second will allow the user to grant any java privilege (actually not all as there are a few extras that SYS has) but essentially anything.
The Java security is separate from normal database privileges and roles. The privileges are stored in the Java policy table and to be able to grant a Java privilege you need to have privilege to alter the policy table. This is granted through the dbms_java package with the grant_policy_permission procedure. If we recreate your error and then fix it by allowing SCOTT in my case the privilege to grant java.io.FilePermission to any other user including himself.
Connected to:
Personal Oracle9i Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
SQL>
SQL> connect scott/tiger
Connected.
SQL> begin
2 dbms_java.grant_permission('SCOTT','java.io.FilePermission','C:\TE
MP','read,write,execute,dele
te');
3 end;
4 /
begin
*
ERROR at line 1:
ORA-29532: Java call terminated by uncaught Java exception:
java.lang.SecurityException: policy table update
SYS:java.io.FilePermission,
C:\TEMP
ORA-06512: at "SYS.DBMS_JAVA", line 0
ORA-06512: at line 2
SQL> connect sys/change_on_install_at_sans as sysdba Connected.
SQL> call dbms_java.grant_policy_permission('SCOTT','SYS','java.io.FileP ermission','*');
Call completed.
SQL> connect scott/tiger
Connected.
SQL> begin
2 dbms_java.grant_permission('SCOTT','java.io.FilePermission','C:\TE
MP','read,write,execute,dele
te');
3 end;
4 /
PL/SQL procedure successfully completed.
SQL> You will note that in the call to grant_policy_permission we have to specify the SYS schema in the permission schema parameter. This is important as the privilege can only get grant on from a schema that loads the privilege.
Again this solution is not secure as you can probably guess, the user
SCOTT can now grant any file permission to himself or any other user.
Java permissions are not like Oracle. You cannot grant access to
/etc/passwd to SCOTT with admin rights so he can grant it to another
user. You need to grant the right to modify the policy table for a
specific Java privilege, in this case java.io.FilePermision. You can
restrict this by specifying read only for instance instead of "*".
Finally you could simply grant the user rights to the directory tree instead of all the files in a particular directory. By modifying your example you would do:
begin
dbms_java.grant_permission
('WD',
'java.io.FilePermission',
'/usr/documents/newdocdir/-',
'read,write,execute,delete');
end;
note the use of "-" instead of "*" which will give access to all files recursively through all sub-directories. Maybe you could simply grant access to the base directory at the start??
hope this helps
Kind regards
Pete
-- Pete Finnigan email:pete_at_petefinnigan.com Web site: http://www.petefinnigan.com - Oracle security audit specialists Book:Oracle security step-by-step Guide - see http://store.sans.org for details.Received on Mon Jun 14 2004 - 03:10:57 CDT
 |
 |