Re: Using File I/O within SPL

From: John Dorlon <john_at_ezsql.net>
Date: 19 Jun 2001 11:00:59 -0700
Message-ID: <a8097a33.0106191000.64a822ad_at_posting.google.com>


> Within a stored procedure I gather you can use file_utl (I might have
> that backwards or sideways) or essentially Unix file i/o statements.
> These statements are, at times, run by a shadow process which writes the
> output file with Oracle User and Group ids and permission.

Yes, that's true. On HP it is not always the oracle user, though. If you connect from the server using a BEQ process (i.e., not using the @ sign when you connect), then the security is based on the Unix user ID that you have logged in as.

> I can see instances where this has occurred. What is to stop a
> malicious user from writing their own SPL to overwrite one of these
> output files? Since they are written by the shadow process and not by
> the user id there is no protection for the file.
>

Nothing really. If you want you could only grant permissions on UTL_FILE to the users that really need it, I suppose.

> Evidently this is also not consistent, some of the output files I can
> see have non-oracle user ids on them.

See above. Also, maybe the UTL_FILE just appended to the files, and did not create them. In this case, the owner of the file would not change.

For a full explanation, take a look at the Oracle documentation. If you don't have it, go to http://technet.oracle.com. (Note, there is NO www!)

-John

Received on Tue Jun 19 2001 - 20:00:59 CEST
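The reply above suggests granting UTL_FILE only to the users that really need it. One way to audit and apply that, as an added example that is not part of the original post: it assumes a DBA-privileged session, and `REPORT_OWNER` is a hypothetical account name.

```sql
-- Added example, not from the original post.
-- REPORT_OWNER is a hypothetical account standing in for a schema that
-- legitimately needs file I/O from stored procedures.

-- 1. Who can execute UTL_FILE today? A PUBLIC row means every database user.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'UTL_FILE'
 ORDER BY grantee;

-- 2. Which stored code references UTL_FILE? These objects stop compiling
--    if their owner loses the privilege, so review the list before step 3.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_name = 'UTL_FILE'
   AND referenced_owner IN ('SYS', 'PUBLIC')
 ORDER BY owner, name;

-- 3. Remove the blanket grant.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;

-- 4. Grant it back only where needed. The grant is made directly to the
--    account rather than through a role, because roles are not active
--    inside definer's-rights stored procedures.
GRANT EXECUTE ON sys.utl_file TO report_owner;

-- 5. Re-run the query from step 1 to confirm only the intended grantees remain.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'UTL_FILE'
 ORDER BY grantee;
```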
