Using File I/O within SPL
Date: Mon, 18 Jun 2001 22:48:30 GMT
Message-ID: <3B2E8473.5F16AD63_at_verizon.net>
I just ran across this today and I can't believe it - can you guys tell me otherwise or explain the logic...
Oracle 8 (.01?) Solaris 2.6.
Within a stored procedure I gather you can use file_utl (I might have that backwards or sideways) or essentially Unix file i/o statements. These statements are, at times, run by a shadow process which writes the output file with Oracle User and Group ids and permission.
I can see instances where this has occurred. What is to stop a malicious user from writing their own SPL to overwrite one of these output files? Since they are written by the shadow process and not by the user id, there is no protection for the file.
Evidently this is also not consistent; some of the output files I can see have non-oracle user ids on them.
Is this the way things are supposed to work or have we set things up incorrectly?
If this is the way things are supposed to work - what have y'all done to cover the security aspect of this "feature"?
If this is the way things work, why?
cheers
j.
-- "You got to make yourself have a good time, that's what it is, because there ain't nobody else going to do it for you." - Mail(wo)man
Received on Tue Jun 19 2001 - 00:48:30 CEST