Thanks for taking a shot Jared. I'm just starting with Java, learnin' as I go.
Sorry I didn't post the query initially. It was basically a select * from dba_java_policy where grantee = 'TISSD'.
External calls to the OS will be as the oracle user which would be hard to limit however it is happening in certain situations and I don't know this for a fact but I believe these calls shouldn't make it to the OS if there are restrictions. I may be off on that but /export/home/oracle is also owned by Oracle and I wasn't allowed to do an ls on that directory unless I had explicitely granted permission to it. Also I can't do an ls on /u20/app/oracle/testjunk.file which is explictly restricted (still owned by Oracle on OS) but I can still ls the directory (even though I tried to restrict access) or even move the file. Strange.
Here's the response I got from Metalink forums.
Hi. This issue must be handled by an analyst in the Internet Languages group. Unfortunately at this time we do not have technical forum support for Internet Languages within MetaLink. For assistance from Oracle Support on this issue, you will need to log an iTAR. iTAR functionality is accessible via the TARs option on MetaLink Home.
I'll try the TAR approach and see if I get anywhere.
Thanks again - Brian
Jared Still <[EMAIL PROTECTED]> wrote:
Brian,
I've still gotta lot to learn about Java, but I'll take
a stab at this.
First off, what query did you use to produce the output
below?
Do external processes run via Java run as Oracle? I'm
guessing that they do, but I could be wrong, and don't
have time to test this right now.
If so, this will likely put a limit on your abilities to
restrict access to directories owned by Oracle.
Hope some of this helps.
Jared
On Tuesday 05 June 2001 07:41, Brian Wisniewski wrote:
> 8.1.7.1 on Solaris 7
>
> I created a small java procedure to be able to call O/S commands from
> within the database (using Ask Tom's example). Works a little too well
> because I can't seem to restrict access to the oracle directories which is
> obviously a major concern.
>
> Here are the list of ! ! privileges I granted/restricted to the owner of the
> java procedure.
>
> KIND GRANTE TYPE_ TYPE_NAME NAME ACTION
> -------- ------ ----- ------------------------------
> ------------------------------ ------------------------- GRANT TISSD SYS
> java.io.FilePermission /export/home/oracle/bsw/scripts/java read RESTRICT
> TISSD SYS java.io.FilePermission /u20/app/oracle read,write,execute,delete
> RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/
> read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission
> /u20/app/oracle/* read,write,execute,delete RESTRICT TISSD SYS
> java.io.FilePermission /u20/app/oracle/- read,write,execute,delete RESTRICT
> TISSD SYS java.io.FilePermission /u20/app/oracle/test*
> read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission
> /u20/app/oracle/testjunk.file read,write,execute,delete GRANT TISSD SYS
> java.io.FilePermission /usr! ! /bin/* execute
> GRANT TISSD SYS java.lang.RuntimePermission * writeFileDescriptor
>
> 9 rows selected.
>
> As you can see I tried numerous ways to restrict access to /u20/app/oracle
> files and had very limited luck. Each time I added a new restriction I
> logged out of the tissd account and back in. On the flip side I had to
> grant access to /export/home/oracle/bsw/scripts/java to allow files to be
> read there. I don't understand why unlimited access is being allowed to
> the files which should be the most restricted. The tissd user was NOT
> granted DBA privs nor the JAVASYSPRIV or JAVAUSERPRIV roles. I've read the
> 8.1.7 Java Developers Guide Chapter 5 on security and haven't found the
> answer there either.
>
> This worked, which I didn't think it should.
>
> SQL> exec rc('/usr/bin/ls /u20/app/oracle');
> admin
> jre
> oraInventory
> oradata> oui
> product
> testjunk.file
> Return code is 0
>
> And this failed.
>
> SQL> exec rc('/usr/bin/ls /u20/app/oracle/*');
> Return code is 2
>
> Doing an ls on the file failed
>
> SQL> exec rc('/usr/bin/ls /u20/app/oracle/testjunk.file');
> Return code is 2
>
> But moving it worked fine. AAUUUGGGHHH!!!
>
> SQL> exec rc('/usr/bin/mv /u20/app/oracle/testjunk.file
> /u20/app/oracle/testfile.junk'); Return code is 0
>
> Just your regular ol' IDIOT asking for HELP.
>
> Thanks - Brian
>
Do You Yahoo!?
Yahoo! Mail Personal Address - Get email at your own domain with Yahoo! Mail.
