RE: java package to run OS command

2003-12-05 Thread John Dunn
Thanks for all the replies...I'm wading through them!

One more question...Do I always need to specify the full path of a Unix
command, e.g. /usr/bin/mv rather than just mv?

That is something I don't currently need to do when using an external
procedure.

John


-Original Message-
Sent: 04 December 2003 20:15
To: Multiple recipients of list ORACLE-L


No, but it disallows command chains - only single commands are permitted.
If you want to run more than one command you have to write it as a shell
script, and the full path to that shell script must be approved for the
current user in the PRODUCT_PROFILE table.  Normally, we will only allow
scripts to run from certain controlled directories.  But we need to be able
to permit commands that we didn't think about when we wrote the procedure,
and prefer to do this table driven rather than by changing programs.

-Original Message-
Sent: Thursday, December 04, 2003 1:39 PM
To: Multiple recipients of list ORACLE-L


will it catch following command apart from rm -rf ???

find /var/opt/oracle/logs -mtime +1 -type f -name *.trc|perl -nle unlink

Probably not ... and that's why it is dangerous ...  basically you should
have a set of fixed programs that can be called and accept only arguments
from calling programs. That will give at least more control.

Raj


Rajendra dot Jamadagni at nospamespn dot com
All Views expressed in this email are strictly personal.
QOTD: Any clod can have facts, having an opinion is an art !


-Original Message-
Sent: Thursday, December 04, 2003 1:29 PM
To: Multiple recipients of list ORACLE-L


Dick, harsh words, hmmm?  Powerful tools can also be powerful weapons in the
wrong hands.  But don't blame the toolmaker.

John, the reason that running an OS command is such a hassle is that it can
be horribly destructive to your server.  An OS command that runs from a Java
Stored Procedure such as the one from www.oracle-base.com that I gave you or
the one that Tom Kyte wrote and published on Ask Tom will have all the
permissions of the oracle database.  Which means that it can be abused to
absolutely destroy the database, just as in Dick's example.

Doing this with an external procedure as we do is also dangerous.  If you
use a separate Oracle Net listener for them, instead of LISTENER, and have
another user besides the database owner (usually oracle) start that
listener, and password protect the listener, you can at least have some
control over the permissions, which will be those of the user that starts
the listener.  People who run Oracle under Windows may be out of luck here -
it is harder to get this running under a less privileged account in Windows.

We do one more thing for security.  We have a special schema in the database
called COMMON that owns tables and stored procedures that are usable by all
applications.  We put the stub program for the external procedure that
executes OS commands in a package as a private procedure.  The public
procedure that calls this private procedure can examine the OS command
first.  Certain commands, like rm -fr are absolutely forbidden, and raise
an exception.  Other commands are checked against the PRODUCT_PROFILE table
which we set up much as for restrictions for what commands certain users may
run in SQL*Plus.  If the current user (or schema) does not have the explicit
privilege to run that OS command, we raise an exception.

You could easily put a similar protective shell around the Java version of
the same thing.


**
This e-mail message is confidential, intended only for the named
recipient(s) above and may contain information that is privileged, attorney
work product or exempt from disclosure under applicable law. If you have
received this message in error, or are not the named recipient(s), please
immediately notify corporate MIS at (860) 766-2000 and delete this e-mail
message from your computer, Thank you.

**4
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jamadagni, Rajendra
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

RE: java package to run OS command

2003-12-05 Thread Jamadagni, Rajendra
Our Unix guys created 'safe' versions of normal utilities and installed them in a
special folder. So, we use the full path to invoke them from *that* folder. Some
commands get logged to audit files. I'd say, yeah, specify full path, you don't lose
much (well some electrons, but who cares).

Raj

Rajendra dot Jamadagni at nospamespn dot com
All Views expressed in this email are strictly personal.
QOTD: Any clod can have facts, having an opinion is an art !


-Original Message-
Sent: Friday, December 05, 2003 6:14 AM
To: Multiple recipients of list ORACLE-L


Thanks for all the replies...I'm wading through them!

One more question...Do I always need to specify the full path of a Unix
command, e.g. /usr/bin/mv rather than just mv?

That is something I don't currently need to do when using an external
procedure.

John


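The protective shell John Flack describes (forbidden commands, no command chains, per-user approval of a full path) and the full-path advice in Raj's reply, sketched as a Java gate that sits in front of exec(). This is an added example, not code from the thread or from the linked articles; the class name CommandGate, the directory /opt/dbsafe/bin, the user names and the in-memory approval map (standing in for a PRODUCT_PROFILE lookup) are assumptions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Added example: vets an OS command line before anything is executed. */
public class CommandGate {
    // Assumption: the single controlled directory that holds the vetted utilities.
    // It must be writable only by the administrators who install them.
    private static final String SAFE_DIR = "/opt/dbsafe/bin";

    // Characters that only a shell would interpret. Their presence means a chain,
    // substitution, glob, redirection or quoting trick, so the request is refused.
    private static final String SHELL_META = "|;&$`<>(){}[]*?!~#\\\"'\n\r";

    // Stand-in for the approval table: user -> executables that user may run.
    private final Map<String, Set<String>> approved = new HashMap<>();

    public void approve(String user, String executable) {
        approved.computeIfAbsent(user, u -> new HashSet<>()).add(executable);
    }

    /** Returns the argument vector to execute, or throws SecurityException. */
    public String[] check(String user, String commandLine) {
        for (int i = 0; i < commandLine.length(); i++) {
            if (SHELL_META.indexOf(commandLine.charAt(i)) >= 0) {
                throw new SecurityException("shell metacharacter at position " + i);
            }
        }
        // Split on whitespace ourselves; no shell ever parses the string.
        String[] argv = commandLine.trim().split("\\s+");
        String exe = argv[0];
        if (!exe.startsWith("/")) {
            throw new SecurityException("full path required");
        }
        // Refuse "", "." and ".." segments so the directory test cannot be dodged.
        for (String segment : exe.substring(1).split("/", -1)) {
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                throw new SecurityException("path is not in canonical form");
            }
        }
        String dir = exe.substring(0, exe.lastIndexOf('/'));
        if (!dir.equals(SAFE_DIR)) {
            throw new SecurityException("executable is outside " + SAFE_DIR);
        }
        Set<String> allowed = approved.get(user);
        if (allowed == null || !allowed.contains(exe)) {
            throw new SecurityException("not approved for user " + user);
        }
        return argv;
    }

    /** Runs an approved command directly, with an empty environment. */
    public Process run(String user, String commandLine) throws IOException {
        ProcessBuilder pb = new ProcessBuilder(check(user, commandLine));
        pb.environment().clear();      // no inherited PATH or loader variables
        pb.redirectErrorStream(true);  // one stream for the caller to log
        return pb.start();
    }

    /** One-line verdict for a request, suitable for an audit log. */
    public String describe(String user, String commandLine) {
        try {
            check(user, commandLine);
            return "ALLOW " + user + ": " + commandLine;
        } catch (SecurityException e) {
            return "DENY  " + user + ": " + commandLine + "  (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        CommandGate gate = new CommandGate();
        // Constructed approvals; a real deployment would read them from a table.
        gate.approve("APPUSER", "/opt/dbsafe/bin/df");
        gate.approve("APPUSER", "/opt/dbsafe/bin/mv");
        String[][] samples = {   // constructed requests, some quoted from the thread
            {"APPUSER", "/opt/dbsafe/bin/df -Pk"},
            {"APPUSER", "mv a.dat b.dat"},
            {"APPUSER", "/usr/bin/mv a.dat b.dat"},
            {"APPUSER", "/opt/dbsafe/bin/../df -Pk"},
            {"APPUSER", "rm -fr $ORACLE_HOME"},
            {"APPUSER", "find /var/opt/oracle/logs -mtime +1 -type f -name *.trc|perl -nle unlink"},
            {"REPORTS", "/opt/dbsafe/bin/df -Pk"},
        };
        for (String[] s : samples) {
            System.out.println(gate.describe(s[0], s[1]));
        }
    }
}
```

Only check() runs in main, so the demo executes nothing; run() is what a stored-procedure entry point would call. Arguments are screened only for shell metacharacters, so each approved utility still has to be safe for whatever arguments it is given.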


RE: java package to run OS command

2003-12-05 Thread Bob Lofstrand
Take a look at metalink doc 222079.1


-Original Message-
From: John Dunn [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 04, 2003 7:49 AM
To: Multiple recipients of list ORACLE-L
Subject: java package to run OS command



I need a java package that will allow me to run OS commands(Unix) from a
stored procedure.


Anyone got one?





RE: java package to run OS command

2003-12-04 Thread Guerra, Abraham J
John,

Try this:

Process p = Runtime.getRuntime().exec("/usr/bin/df -Pk");

Abraham

-Original Message-
Sent: Thursday, December 04, 2003 7:49 AM
To: Multiple recipients of list ORACLE-L


I need a java package that will allow me to run OS commands(Unix) from a
stored procedure.

Anyone got one?




Re: RE: java package to run OS command

2003-12-04 Thread ryan_oracle
Expert One on One. Check asktom.oracle.com, might be on there also.
 
 From: John Dunn [EMAIL PROTECTED]
 Date: 2003/12/04 Thu AM 09:44:29 EST
 To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
 Subject: RE: java package to run OS command
 
 Which book is that?
 
 
 


RE: java package to run OS command

2003-12-04 Thread John Flack
Here's another link to a good Java Stored Procedure for this:
http://www.oracle-base.com/Articles/8i/ShellCommandsFromPLSQL.asp

But the same caveats apply.  We're using an external procedure written in C for this
instead of Java, and I use a shell that checks PRODUCT_PROFILE for authority to run
the command, before it will call the extproc.  I'm happy to share source code with
anyone interested in doing it this way, but external procedures are a bit harder to
set up than Java Stored Procedures and open you to a few security hazards.

-Original Message-
Sent: Thursday, December 04, 2003 10:09 AM
To: Multiple recipients of list ORACLE-L


John, it is available on asktom as well, but read the caution Tom explains. Restrict 
it to only executables you want. Asktom has example.

Raj

Rajendra dot Jamadagni at nospamespn dot com
All Views expressed in this email are strictly personal.
QOTD: Any clod can have facts, having an opinion is an art !




RE: java package to run OS command

2003-12-04 Thread Jamadagni, Rajendra
John, it is available on asktom as well, but read the caution Tom explains. Restrict 
it to only executables you want. Asktom has example.

Raj

Rajendra dot Jamadagni at nospamespn dot com
All Views expressed in this email are strictly personal.
QOTD: Any clod can have facts, having an opinion is an art !


-Original Message-
Sent: Thursday, December 04, 2003 9:44 AM
To: Multiple recipients of list ORACLE-L


Which book is that?





RE: java package to run OS command

2003-12-04 Thread John Dunn
Which book is that?



-Original Message-
Sent: 04 December 2003 14:35
To: Multiple recipients of list ORACLE-L


It's in Tom Kyte's first book. Might be on his webpage.
 
 From: John Dunn [EMAIL PROTECTED]
 Date: 2003/12/04 Thu AM 08:49:25 EST
 To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
 Subject: java package to run OS command
 
 I need a java package that will allow me to run OS commands(Unix) from a
 stored procedure.
 
 Anyone got one?
 
 


RE: java package to run OS command

2003-12-04 Thread Hately, Mike (LogicaCMG)
One I've used in the past was supplied by Tom Kyte:

http://asktom.oracle.com/pls/ask/f?p=4950:8:4723489521562622951::NO::F4950_P8_DISPLAYID,F4950_P8_CRITERIA:952229840241,

Cheers,
Mike Hately

-Original Message-
Sent: 04 December 2003 13:49
To: Multiple recipients of list ORACLE-L


I need a java package that will allow me to run OS commands(Unix) from a
stored procedure.

Anyone got one?




RE: java package to run OS command

2003-12-04 Thread John Dunn
Yeah, I'm trying to get away from C external procedures ...but Java is
beginning to look just as much of a hassle.

Why is running an OS command such a hassle?


-Original Message-
Sent: 04 December 2003 15:40
To: Multiple recipients of list ORACLE-L


Here's another link to a good Java Stored Procedure for this:
http://www.oracle-base.com/Articles/8i/ShellCommandsFromPLSQL.asp

But the same caveats apply.  We're using an external procedure written in C
for this instead of Java, and I use a shell that checks PRODUCT_PROFILE for
authority to run the command, before it will call the extproc.  I'm happy to
share source code with anyone interested in doing it this way, but external
procedures are a bit harder to set up than Java Stored Procedures and open
you to a few security hazards.



RE: java package to run OS command

2003-12-04 Thread Jamadagni, Rajendra
Here is an adaptation for running the ls command ... be very careful with syspriv
command, it is a very powerful privilege. One could replace ls with rm and then you are
doomed if oracle is running as root.

-- JAVASYSPRIV is the powerful privilege the note above warns about.
grant javasyspriv to system
/
-- Collection type returned to SQL; one element per file name.
create or replace type fileList as table of varchar2(255)
/

create or replace and compile java source named DirList
as
import java.io.*;
import java.sql.*;
import oracle.sql.*;
import oracle.jdbc.driver.*;

public class DirList
{
    // Returns the names found in the given directory as a FILELIST collection.
    public static ARRAY getList(String directory)
        throws SQLException
    {
        File path = new File( directory );
        // Server-side (default) connection of the calling session.
        Connection conn =
            new OracleDriver().defaultConnection();
        // The SQL type name is looked up in upper case.
        ArrayDescriptor descriptor =
            ArrayDescriptor.createDescriptor( "FILELIST", conn );
        return new ARRAY( descriptor, conn, path.list() );
    }
}
/
-- PL/SQL call specification that publishes the Java method.
create or replace function get_dir_list( p_directory in varchar2 )
  return fileList
as language java
name 'DirList.getList( java.lang.String )
  return oracle.sql.ARRAY';
/
set serveroutput on
declare
    l_files  fileList;
begin
    dbms_output.enable(100);
    l_files := get_dir_list( '/home/oraclei/code' );

    -- Print one file name per line.
    for i in 1 .. l_files.count
    loop
        dbms_output.put_line( l_files(i) );
    end loop;
end;
/

Raj

Rajendra dot Jamadagni at nospamespn dot com
All Views expressed in this email are strictly personal.
QOTD: Any clod can have facts, having an opinion is an art !


-Original Message-
Sent: Thursday, December 04, 2003 12:00 PM
To: Multiple recipients of list ORACLE-L


Yeah, I'm trying to get away from C external procedures ...but Java is
beginning to look just as much of a hassle.

Why is running an OS command such a hassle?





RE: java package to run OS command

2003-12-04 Thread Goulet, Dick
John,

I agree and am encouraging the external C procedures since they're simpler, and
can create log files as well.  BTW: Whoever authored the Java procedure on that web
page should be shot.  I can just see someone passing 'rm -fr $ORACLE_HOME' to it.

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

-Original Message-
Sent: Thursday, December 04, 2003 12:00 PM
To: Multiple recipients of list ORACLE-L


Yeah, I'm trying to get away from C external procedures ...but Java is
beginning to look just as much of a hassle.

Why is running an OS command such a hassle?


-Original Message-
Sent: 04 December 2003 15:40
To: Multiple recipients of list ORACLE-L


Here's another link to a good Java Stored Procedure for this:
http://www.oracle-base.com/Articles/8i/ShellCommandsFromPLSQL.asp

But the same caveats apply.  We're using an external procedure written in C
for this instead of Java, and I use a shell that checks PRODUCT_PROFILE for
authority to run the command, before it will call the extproc.  I'm happy to
share source code with anyone interested it doing it this way, but external
procedures are a bit harder to set up than Java Stored Procedures and open
you to a few security hazards.

-Original Message-
Sent: Thursday, December 04, 2003 10:09 AM
To: Multiple recipients of list ORACLE-L


John, it is available on asktom as well, but read the caution Tom explains.
Restrict it to only executables you want. Asktom has example.

Raj


Rajendra dot Jamadagni at nospamespn dot com
All Views expressed in this email are strictly personal.
QOTD: Any clod can have facts, having an opinion is an art !


-Original Message-
Sent: Thursday, December 04, 2003 9:44 AM
To: Multiple recipients of list ORACLE-L


Which book is that?



-Original Message-
Sent: 04 December 2003 14:35
To: Multiple recipients of list ORACLE-L


its in tom kytes first book. might be on his webpage. 
 
 From: John Dunn [EMAIL PROTECTED]
 Date: 2003/12/04 Thu AM 08:49:25 EST
 To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
 Subject: java package to run OS command
 
 I need a java package that will allow me to run OS commands(Unix) from a
 stored procedure.
 
 Anyone got one?
 
 
 -- 
 Please see the official ORACLE-L FAQ: http://www.orafaq.net
 -- 
 Author: John Dunn
   INET: [EMAIL PROTECTED]
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: John Flack
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


RE: java package to run OS command

2003-12-04 Thread Jesse, Rich
It really isn't that much of a hassle once you have Java itself set up.

I have a problem with the lack of security placed on the Java code from the
oracle-base.com article though.  What we did (are in the process of doing)
is to restrict execute access to a single directory that we create and
maintain.   This prevents someone from executing something like the
following:

#!/bin/sh
$ORATEMP=/my/oracle/bome/temp
/usr/bin/rm -rf $ORATMEP/*

We also restrict read/write to /tmp, which works for how we use OS
interaction.

My $.02,
Rich

Rich Jesse   System/Database Administrator
[EMAIL PROTECTED]  Quad/Tech Inc, Sussex, WI USA

-Original Message-
Sent: Thursday, December 04, 2003 11:00 AM
To: Multiple recipients of list ORACLE-L


yeah, I'm trying to get away from C external procedures ...but java is
beginning to look just as much a hassle.

Why is running an OS command such a hassle?



RE: java package to run OS command

2003-12-04 Thread John Flack
Dick, harsh words, hmmm?  Powerful tools can also be powerful weapons in the wrong 
hands.  But don't blame the toolmaker.

John, the reason that running an OS command is such a hassle is that it can be 
horribly destructive to your server.  An OS command that runs from a Java Stored 
Procedure such as the one from www.oracle-base.com that I gave you or the one that Tom 
Kyte wrote and published on Ask Tom will have all the permissions of the oracle 
database.  Which means that it can be abused to absolutely destroy the database, just 
as in Dick's example.

Doing this with an external procedure as we do is also dangerous.  If you use a 
separate Oracle Net listener for them, instead of LISTENER, and have another user 
besides the database owner (usually oracle) start that listener, and password protect 
the listener, you can at least have some control over the permissions, which will be 
those of the user that starts the listener.  People who run Oracle under Windows may 
be out of luck here - it is harder to get this running under a less privileged account 
in Windows.

We do one more thing for security.  We have a special schema in the database called 
COMMON that owns tables and stored procedures that are usable by all applications.  We 
put the stub program for the external procedure that executes OS commands in a package 
as a private procedure.  The public procedure that calls this private procedure can 
examine the OS command first.  Certain commands, like rm -fr are absolutely 
forbidden, and raise an exception.  Other commands are checked against the 
PRODUCT_PROFILE table which we set up much as for restrictions for what commands 
certain users may run in SQL*Plus.  If the current user (or schema) does not have the 
explicit privilege to run that OS command, we raise an exception.

You could easily put a similar protective shell around the Java version of the same 
thing.

-Original Message-
Sent: Thursday, December 04, 2003 12:29 PM
To: Multiple recipients of list ORACLE-L


John,

I agree and am encouraging the external C procedures since they're simpler, and 
can create log files as well.  BTW: Whoever authored the Java procedure on that web 
page should be shot.  I can just see someone passing 'rm -fr $ORACLE_HOME' to it.

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

-Original Message-
Sent: Thursday, December 04, 2003 12:00 PM
To: Multiple recipients of list ORACLE-L


yeah, I'm trying to get away from C external procedures ...but java is
beginning to look just as much a hassle.

Why is running an OS command such a hassle?


-Original Message-
Sent: 04 December 2003 15:40
To: Multiple recipients of list ORACLE-L


Here's another link to a good Java Stored Procedure for this:
http://www.oracle-base.com/Articles/8i/ShellCommandsFromPLSQL.asp

But the same caveats apply.  We're using an external procedure written in C
for this instead of Java, and I use a shell that checks PRODUCT_PROFILE for
authority to run the command, before it will call the extproc.  I'm happy to
share source code with anyone interested in doing it this way, but external
procedures are a bit harder to set up than Java Stored Procedures and open
you to a few security hazards.



RE: java package to run OS command

2003-12-04 Thread Jamadagni, Rajendra
will it catch following command apart from rm -rf ???

find /var/opt/oracle/logs -mtime +1 -type f -name *.trc|perl -nle unlink

Probably not ... and that's why it is dangerous ...  basically you should have a set 
of fixed programs that can be called and accept only arguments from calling programs. 
That will give at least more control.

Raj

Rajendra dot Jamadagni at nospamespn dot com
All Views expressed in this email are strictly personal.
QOTD: Any clod can have facts, having an opinion is an art !


-Original Message-
Sent: Thursday, December 04, 2003 1:29 PM
To: Multiple recipients of list ORACLE-L


Dick, harsh words, hmmm?  Powerful tools can also be powerful weapons in the wrong 
hands.  But don't blame the toolmaker.

John, the reason that running an OS command is such a hassle is that it can be 
horribly destructive to your server.  An OS command that runs from a Java Stored 
Procedure such as the one from www.oracle-base.com that I gave you or the one that Tom 
Kyte wrote and published on Ask Tom will have all the permissions of the oracle 
database.  Which means that it can be abused to absolutely destroy the database, just 
as in Dick's example.

Doing this with an external procedure as we do is also dangerous.  If you use a 
separate Oracle Net listener for them, instead of LISTENER, and have another user 
besides the database owner (usually oracle) start that listener, and password protect 
the listener, you can at least have some control over the permissions, which will be 
those of the user that starts the listener.  People who run Oracle under Windows may 
be out of luck here - it is harder to get this running under a less privileged account 
in Windows.

We do one more thing for security.  We have a special schema in the database called 
COMMON that owns tables and stored procedures that are usable by all applications.  We 
put the stub program for the external procedure that executes OS commands in a package 
as a private procedure.  The public procedure that calls this private procedure can 
examine the OS command first.  Certain commands, like rm -fr are absolutely 
forbidden, and raise an exception.  Other commands are checked against the 
PRODUCT_PROFILE table which we set up much as for restrictions for what commands 
certain users may run in SQL*Plus.  If the current user (or schema) does not have the 
explicit privilege to run that OS command, we raise an exception.

You could easily put a similar protective shell around the Java version of the same 
thing.

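
The gate John Flack describes and the "fixed programs, arguments only" rule Raj asks for, sketched in Java as an added example (not code from any poster, nor from the oracle-base.com or Ask Tom articles). The class name, users, paths and the in-memory map standing in for PRODUCT_PROFILE are all assumptions.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.*;

/** Added illustration: all user names, paths and the class name are hypothetical. */
public class OsCommandGate {
    // Constructed stand-in for the per-user approvals the thread keeps in PRODUCT_PROFILE.
    private static final Map<String, Set<String>> APPROVED = new HashMap<>();
    static {
        APPROVED.put("BATCH_USER", new HashSet<>(Arrays.asList(
                "/opt/dbscripts/purge_trace.sh", "/usr/bin/gzip")));
        APPROVED.put("REPORT_USER", new HashSet<>(Arrays.asList("/usr/bin/gzip")));
    }
    // Characters only a shell interprets; seeing one means a chain or expansion was intended.
    private static final String SHELL_META = "|&;<>`$(){}[]*?!~\\\"'\n\r";

    /** Returns the argv to execute, or throws SecurityException if the request is not approved. */
    public static List<String> authorize(String dbUser, String program, List<String> args) {
        Path p = Paths.get(program);
        // A bare name such as "rm" would be resolved through PATH; "/a/../b" hides the real target.
        if (!p.isAbsolute() || !p.normalize().toString().equals(program)) {
            throw new SecurityException("full, normalized path required: " + program);
        }
        Set<String> allowed = APPROVED.getOrDefault(dbUser, Collections.<String>emptySet());
        if (!allowed.contains(program)) {
            throw new SecurityException(dbUser + " is not approved to run " + program);
        }
        List<String> argv = new ArrayList<>();
        argv.add(program);
        for (String arg : args) {
            for (char c : arg.toCharArray()) {
                // exec() passes these through literally, but an approved script might not.
                if (SHELL_META.indexOf(c) >= 0) {
                    throw new SecurityException("shell metacharacter in argument: " + arg);
                }
            }
            argv.add(arg);
        }
        return argv;
    }

    /** Runs an approved request directly (no "/bin/sh -c"), with an empty environment. */
    public static int run(String dbUser, String program, List<String> args)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(authorize(dbUser, program, args));
        pb.environment().clear();
        pb.inheritIO();
        return pb.start().waitFor();
    }

    public static void main(String[] unused) {
        // Constructed requests: {user, program, single argument}. Only authorize() is called.
        String[][] requests = {
            {"BATCH_USER", "/opt/dbscripts/purge_trace.sh", "7"},        // approved
            {"BATCH_USER", "gzip", "alert.log"},                         // no full path
            {"REPORT_USER", "/opt/dbscripts/purge_trace.sh", "7"},       // not approved for user
            {"BATCH_USER", "/usr/bin/gzip", "alert.log; echo chained"},  // command chain
        };
        for (String[] r : requests) {
            try {
                System.out.println("OK   " + authorize(r[0], r[1], Collections.singletonList(r[2])));
            } catch (SecurityException e) {
                System.out.println("DENY " + e.getMessage());
            }
        }
    }
}
```

Because the caller supplies a program and an argument list rather than one command string, there is nothing for a deny-list to miss: anything not explicitly approved for that user is refused.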


RE: java package to run OS command

2003-12-04 Thread Jesse, Rich
By default, no user accounts in the Oracle DB have any privs to do anything
to the OS.  Privs -- including privs to execute, read, and write OS files --
must explicitly be granted (and rightly so!).

Do not grant the JAVASYSPRIV or JAVAUSERPRIV to the schema that will own the
ExecOS Java code, as these roles have full access to all files on the OS.
This will be overridden by OS security, but since the Java will execute as
the oracle instance owner, this leaves the oracle software, instance
configurations, and datafiles open to damage or erasure.

SELECT *
FROM DBA_JAVA_POLICY;

As an interesting aside, on Unix servers it appears that one only needs the
execute java.io.FilePermission to execute a command, where on the
filesystem security you need read/execute.  Ah, memories of RMS and
proper security.

Rich

Rich Jesse   System/Database Administrator
[EMAIL PROTECTED]  Quad/Tech Inc, Sussex, WI USA


-Original Message-
Sent: Thursday, December 04, 2003 12:29 PM
To: Multiple recipients of list ORACLE-L


Dick, harsh words, hmmm?  Powerful tools can also be powerful weapons in the
wrong hands.  But don't blame the toolmaker.

John, the reason that running an OS command is such a hassle is that it can
be horribly destructive to your server.  An OS command that runs from a Java
Stored Procedure such as the one from www.oracle-base.com that I gave you or
the one that Tom Kyte wrote and published on Ask Tom will have all the
permissions of the oracle database.  Which means that it can be abused to
absolutely destroy the database, just as in Dick's example.

Doing this with an external procedure as we do is also dangerous.  If you
use a separate Oracle Net listener for them, instead of LISTENER, and have
another user besides the database owner (usually oracle) start that
listener, and password protect the listener, you can at least have some
control over the permissions, which will be those of the user that starts
the listener.  People who run Oracle under Windows may be out of luck here -
it is harder to get this running under a less privileged account in Windows.

We do one more thing for security.  We have a special schema in the database
called COMMON that owns tables and stored procedures that are usable by all
applications.  We put the stub program for the external procedure that
executes OS commands in a package as a private procedure.  The public
procedure that calls this private procedure can examine the OS command
first.  Certain commands, like rm -fr are absolutely forbidden, and raise
an exception.  Other commands are checked against the PRODUCT_PROFILE table
which we set up much as for restrictions for what commands certain users may
run in SQL*Plus.  If the current user (or schema) does not have the explicit
privilege to run that OS command, we raise an exception.

You could easily put a similar protective shell around the Java version of
the same thing.


RE: java package to run OS command

2003-12-04 Thread Thater, William
Mladen Gogala  scribbled on the wall in glitter crayon:

 That wouldn't do much harm since it's relatively static and probably
 frequently backed up. Restoring $ORACLE_HOME would be an easy
 exercise. Now passing datafiles or copying /etc/motd onto
 /oradata/SID/system01.dbf would cause much more harm. Also, copying
 doom executable onto $ORACLE_HOME/bin/oracle would take some time
 to discover. 

you, sir, are evil and twisted.  i LIKE that.;-)

remember, all security is a compromise between letting people use stuff and
keeping them from messing with it.  the best you can do is cut down your
exposure as much as possible.

--
Bill Shrek Thater ORACLE DBA  
I'm going to work my ticket if I can... -- Gilwell song
[EMAIL PROTECTED]

A computer terminal is not some clunky old television with a typewriter in
front of it. It is an interface where the mind and body can connect with the
universe and move bits of it about. - Douglas Adams


RE: java package to run OS command

2003-12-04 Thread John Flack
No, but it disallows command chains - only single commands are permitted.  If you want 
to run more than one command you have to write it as a shell script, and the full path 
to that shell script must be approved for the current user in the PRODUCT_PROFILE 
table.  Normally, we will only allow scripts to run from certain controlled 
directories.  But we need to be able to permit commands that we didn't think about 
when we wrote the procedure, and prefer to do this table driven rather than by 
changing programs.

-Original Message-
Sent: Thursday, December 04, 2003 1:39 PM
To: Multiple recipients of list ORACLE-L


will it catch following command apart from rm -rf ???

find /var/opt/oracle/logs -mtime +1 -type f -name *.trc|perl -nle unlink

Probably not ... and that's why it is dangerous ...  basically you should have a set 
of fixed programs that can be called and accept only arguments from calling programs. 
That will give at least more control.

Raj

Rajendra dot Jamadagni at nospamespn dot com
All Views expressed in this email are strictly personal.
QOTD: Any clod can have facts, having an opinion is an art !


-Original Message-
Sent: Thursday, December 04, 2003 1:29 PM
To: Multiple recipients of list ORACLE-L


Dick, harsh words, hmmm?  Powerful tools can also be powerful weapons in the wrong 
hands.  But don't blame the toolmaker.

John, the reason that running an OS command is such a hassle is that it can be 
horribly destructive to your server.  An OS command that runs from a Java Stored 
Procedure such as the one from www.oracle-base.com that I gave you or the one that Tom 
Kyte wrote and published on Ask Tom will have all the permissions of the oracle 
database.  Which means that it can be abused to absolutely destroy the database, just 
as in Dick's example.

Doing this with an external procedure as we do is also dangerous.  If you use a 
separate Oracle Net listener for them, instead of LISTENER, and have another user 
besides the database owner (usually oracle) start that listener, and password protect 
the listener, you can at least have some control over the permissions, which will be 
those of the user that starts the listener.  People who run Oracle under Windows may 
be out of luck here - it is harder to get this running under a less privileged account 
in Windows.

We do one more thing for security.  We have a special schema in the database called 
COMMON that owns tables and stored procedures that are usable by all applications.  We 
put the stub program for the external procedure that executes OS commands in a package 
as a private procedure.  The public procedure that calls this private procedure can 
examine the OS command first.  Certain commands, like rm -fr are absolutely 
forbidden, and raise an exception.  Other commands are checked against the 
PRODUCT_PROFILE table which we set up much as for restrictions for what commands 
certain users may run in SQL*Plus.  If the current user (or schema) does not have the 
explicit privilege to run that OS command, we raise an exception.

You could easily put a similar protective shell around the Java version of the same 
thing.

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: John Flack
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB