Re: Using File I/O within SPL

Thanks (both of you), I did check TFM which is where I figured this all out from. Figured I had to have misinterpreted it. Guess not. Didn't realize that UTL_FILE had it's own permissions to be granted or revoked - have to play with that.

cheers
j.

John Dorlon wrote:
>
> > Within a stored procedure I gather you can use file_utl (I might have
> > that backwards or sideways) or essentially Unix file i/o statements.
> > These statements are, at times, run by a shadow process which writes the
> > output file with Oracle User and Group ids and permission.
>
> Yes, that's true. On HP it is not always the oracle user, though. If you
> connect from teh server using a BEQ process, (ie, not using the _at_ sign
> when you connect) then it the security is based on the Unix user ID that
> you have logged in as.
>
> > I can see instances where this has occurred. What is to stop a
> > malicious user from writing their own SPL to overwrite one of these
> > output files? Since they are written by the shadow process and not by
> > the user id there is no protection for the file.
> >
>
> Nothing really. If you want you could only grant permissions on UTL_FILE
> to the users that really need it, I suppose.
>
> > Evidently this is also not consistent, some of the output files I can
> > see have non-oracle user ids on them.
>
> See above. Also, maybe the UTL_FILE just appeneded to the files, and
> not created them. In this case, the owner of the file would not change.
>
> For a full explanation, take a look at the oracle documation. If you don't
> have it, go to http://technet.oracle.com. (Note, there is NO www!)
>
> -John
 

-- 
"You got to make yourself have a good time, 
that's what it is, 
because there ain't nobody else going to do it for you." 
                   - Mail(wo)man