Oracle FAQ Your Portal to the Oracle Knowledge Grid

SOLVED: dbms_java and file permissions

From: Brian Wisniewski <brian_wisniewski_at_yahoo.com>
Date: Thu, 07 Jun 2001 09:57:30 -0700
Message-ID: <F001.00320767.20010607084705@fatcity.com>

For those of you interested in this thread.

Here is my conclusion.

Some of my initial tests were flawed, with files not existing that I thought existed and strange results from executing the procedure. While this is valid from the O/S: /usr/bin/ls /u20/app/oracle/* it doesn't work from within the procedure: exec rc('/usr/bin/ls /u20/app/oracle/*') (return code 2). So I thought access was being limited and that I had to grant permissions in one case and try to restrict them in another, when it is just a caveat that was throwing me off.

I re-read the security section from the Java Developers Guide. What I was getting hung up on was Example 5-2 Limiting Permissions on page 5-10: "For example, if you want to allow access to all files within the /tmp directory - except for your password file that exists in that directory - you would grant permission for read and write to all files within /tmp and limit read and write access to the password file."

I didn't realize this was for Java access to files; I thought this was limiting all access. When I granted execute on /usr/bin/*, the call to the O/S operates under the execute permissions for the /usr/bin pgm, and since the files are just parameters to the executables (ls, mv, etc.), file security is subverted.

I still think this is a major issue that could be better communicated (like in an Oracle Note) versus being found out by trial and error.

Given this, I would never grant execute permission on mv, cp, rm, etc. from /usr/bin to anyone other than to a DBA.


Received on Thu Jun 07 2001 - 11:57:30 CDT
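
The grant pattern discussed in the message above, as an added example that is not part of the original post: the broad execute grant on /usr/bin/* beside a single-program grant, followed by a dictionary query that lists existing execute grants for review. APP_USER is a hypothetical schema name; DBMS_JAVA.GRANT_PERMISSION, DBMS_JAVA.REVOKE_PERMISSION and the DBA_JAVA_POLICY view are the standard Oracle JVM interfaces.

```sql
-- Added example. APP_USER is a hypothetical schema name.

-- Broad grant of the kind described in the message: every program in
-- /usr/bin becomes runnable from Java stored procedures. Files passed to
-- those programs as arguments are not checked against the schema's
-- java.io.FilePermission read/write grants or restrictions.
BEGIN
  DBMS_JAVA.GRANT_PERMISSION(
    'APP_USER', 'SYS:java.io.FilePermission', '/usr/bin/*', 'execute');
END;
/

-- Corrective step: withdraw the wildcard grant ...
BEGIN
  DBMS_JAVA.REVOKE_PERMISSION(
    'APP_USER', 'SYS:java.io.FilePermission', '/usr/bin/*', 'execute');
END;
/

-- ... and, if a program really is needed, name that one program only.
-- Programs that copy, move or delete their arguments (mv, cp, rm) stay
-- limited to DBA accounts, as the message concludes.
BEGIN
  DBMS_JAVA.GRANT_PERMISSION(
    'APP_USER', 'SYS:java.io.FilePermission', '/usr/bin/ls', 'execute');
END;
/

-- Review: list every execute grant on FilePermission and mark the ones
-- that cover more than a single path ('*' = directory, '-' = recursive).
SELECT grantee,
       name,
       action,
       enabled,
       CASE
         WHEN name = '<<ALL FILES>>'
           OR name LIKE '%/*'
           OR name LIKE '%/-'
         THEN 'WILDCARD'
         ELSE 'SINGLE PATH'
       END AS grant_scope
  FROM dba_java_policy
 WHERE kind = 'GRANT'
   AND type_name = 'java.io.FilePermission'
   AND LOWER(action) LIKE '%execute%'
 ORDER BY grant_scope DESC, grantee, name;
```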
