Re: Using File I/O within SPL
Date: 19 Jun 2001 11:00:59 -0700
Message-ID: <a8097a33.0106191000.64a822ad_at_posting.google.com>
> Within a stored procedure I gather you can use file_utl (I might have
> that backwards or sideways) or essentially Unix file i/o statements.
> These statements are, at times, run by a shadow process which writes the
> output file with Oracle User and Group ids and permission.
Yes, that's true. On HP it is not always the oracle user, though. If you connect from the server using a BEQ process (i.e., not using the @ sign when you connect), then the security is based on the Unix user ID that you have logged in as.
> I can see instances where this has occurred. What is to stop a
> malicious user from writing their own SPL to overwrite one of these
> output files? Since they are written by the shadow process and not by
> the user id there is no protection for the file.
>
Nothing really. If you want you could only grant permissions on UTL_FILE to the users that really need it, I suppose.
> Evidently this is also not consistent, some of the output files I can
> see have non-oracle user ids on them.
See above. Also, maybe the UTL_FILE just appended to the files, and did not create them. In this case, the owner of the file would not change.
For a full explanation, take a look at the Oracle documentation. If you don't have it, go to http://technet.oracle.com. (Note, there is NO www!)
-John
Received on Tue Jun 19 2001 - 20:00:59 CEST
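
An added example, not part of the original post or of Oracle's documentation: one way to grant UTL_FILE only where it is needed, as the reply suggests, by auditing the current grants and exposing a single fixed-file wrapper instead of the package itself. The names APP_OWNER, REPORT_USER and WRITE_REPORT_LINE, the directory and the file name are hypothetical, and the utl_file_dir check assumes a release that still has that parameter.

```sql
-- Run as a DBA. APP_OWNER, REPORT_USER, the directory and the file name
-- below are hypothetical placeholders.

-- 1. Audit: who can execute UTL_FILE now. A PUBLIC row means every account can.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'UTL_FILE'
 ORDER BY grantee;

-- 2. Audit: directories the server process may write to
--    (releases that use the utl_file_dir parameter; '*' means any directory).
SELECT value FROM v$parameter WHERE name = 'utl_file_dir';

-- 3. Restrict: remove the blanket grant, then grant directly to the one
--    schema that owns the file-writing code. The grant must be direct,
--    because role privileges are not active inside definer-rights procedures.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
GRANT EXECUTE ON sys.utl_file TO app_owner;

-- 4. Wrapper: callers choose the text only, never the directory or file name,
--    so they cannot point the shadow process at someone else's output file.
CREATE OR REPLACE PROCEDURE app_owner.write_report_line (p_text IN VARCHAR2)
AS
  l_file UTL_FILE.FILE_TYPE;
BEGIN
  l_file := UTL_FILE.FOPEN('/u01/app/reports', 'daily_report.txt', 'a');
  UTL_FILE.PUT_LINE(l_file, p_text);
  UTL_FILE.FCLOSE(l_file);
EXCEPTION
  WHEN OTHERS THEN
    -- Do not leave the handle open if the write fails.
    IF UTL_FILE.IS_OPEN(l_file) THEN
      UTL_FILE.FCLOSE(l_file);
    END IF;
    RAISE;
END;
/

-- 5. Users get the wrapper, not UTL_FILE.
GRANT EXECUTE ON app_owner.write_report_line TO report_user;
```

Revoking the PUBLIC grant invalidates any stored code that relied on it, so review the output of step 1 and recompile dependent objects afterwards.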