Re: dbms_java and file permissions
Thanks for taking a shot Jared. I'm just starting with Java, learnin' as I go.
Sorry I didn't post the query initially. It was basically a select * from dba_java_policy wheregrantee = 'TISSD'.
External calls to the OS will be as the oracle user which would be hard to limit however it is happening in certain situations and I don't know this for a fact but I believe these calls shouldn't make it to the OS if there are restrictions. I may be off on that but /export/home/oracle is also owned by Oracle and I wasn't allowed to do an ls on that directory unless I had explicitely granted permission to it. Also I can't do an ls on /u20/app/oracle/testjunk.file which is explictly restricted (still owned by Oracle on OS) but I can still ls the directory (even though I tried to restrict access) or even move the file. Strange.
Here's the response I got from Metalink forums.
Hi. This issue must be handled by an analyst in the Internet Languages group. Unfortunately at this time we do not have technical forum support for Internet Languages within MetaLink. For assistance from Oracle Support on this issue, you will need to log an iTAR. iTAR functionality is accessible via the TARs option on MetaLink Home.
I'lltry the TAR approach and see if I get anywhere.
Thanks again - Brian
Jared Still [EMAIL PROTECTED] wrote:
Brian,I've still gotta lot to learn about Java, but I'll takea stab at this.First off, what query did you use to produce the outputbelow?Do external processes run via Java run as Oracle? I'm guessing that they do, but I could be wrong, and don'thave time to test this right now.If so, this will likely put a limit on your abilities to restrict access to directories owned by Oracle.Hope some of this helps.JaredOn Tuesday 05 June 2001 07:41, Brian Wisniewski wrote: 8.1.7.1 on Solaris 7 I created a small java procedure to be able to call O/S commands from within the database (using Ask Tom's example). Works a little too well because I can't seem to restrict access to the oracle directories which is obviously a major concern. Here are the list of !
!
privileges I granted/restricted to the owner of the java procedure. KIND GRANTE TYPE_ TYPE_NAME NAME ACTION -- - -- -- - GRANT TISSD SYS java.io.FilePermission /export/home/oracle/bsw/scripts/java read RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/ read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/* read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/- read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/test* read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/testjunk.file read,write,execute,delete GRANT TISSD SYS java.io.FilePermission /usr!
!
/bin/* execute GRANT TISSD SYS java.lang.RuntimePermission * writeFileDescriptor 9 rows selected. As you can see I tried numerous ways to restrict access to /u20/app/oracle files and had very limited luck. Each time I added a new restriction I logged out of the tissd account and back in. On the flip side I had to grant access to /export/home/oracle/bsw/scripts/java to allow files to be read there. I don't understand why unlimited access is being allowed to the files which should be the most restricted. The tissd user was NOT granted DBA privs nor the JAVASYSPRIV or JAVAUSERPRIV roles. I've read the 8.1.7 Java Developers Guide Chapter 5 on security and haven't found the answer there either. This worked, which I didn't think it should. SQL exec rc('/usr/bin/ls /u20/app/oracle'); admin jre oraInventory oradata oui product testjunk.file Return code is 0 And this failed. SQL exec rc('/usr/bin/ls /u20/app/oracle/*'); Return code is 2 Doing an ls on the file failed SQL exec rc('/usr/bin/ls /u20/app/oracle/testjunk.file'); Return code is 2 But moving it worked fine. AAUUUGGGHHH!!! SQL exec rc('/usr/bin/mv /u20/app/oracle/testjunk.file /u20/app/oracle/testfile.junk'); Return code is 0 Just your regular ol' IDIOT asking for HELP. Thanks - BrianDo You Yahoo!?
Yahoo! Mail Personal Address -
Get email at your own domain with Yahoo! Mail.
Re: dbms_java and file permissions
Brian,
I've still gotta lot to learn about Java, but I'll take
a stab at this.
First off, what query did you use to produce the output
below?
Do external processes run via Java run as Oracle? I'm
guessing that they do, but I could be wrong, and don't
have time to test this right now.
If so, this will likely put a limit on your abilities to
restrict access to directories owned by Oracle.
Hope some of this helps.
Jared
On Tuesday 05 June 2001 07:41, Brian Wisniewski wrote:
8.1.7.1 on Solaris 7
I created a small java procedure to be able to call O/S commands from
within the database (using Ask Tom's example). Works a little too well
because I can't seem to restrict access to the oracle directories which is
obviously a major concern.
Here are the list of privileges I granted/restricted to the owner of the
java procedure.
KIND GRANTE TYPE_ TYPE_NAME NAME ACTION
-- - --
-- - GRANT TISSD SYS
java.io.FilePermission /export/home/oracle/bsw/scripts/java read RESTRICT
TISSD SYS java.io.FilePermission /u20/app/oracle read,write,execute,delete
RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/
read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission
/u20/app/oracle/* read,write,execute,delete RESTRICT TISSD SYS
java.io.FilePermission /u20/app/oracle/- read,write,execute,delete RESTRICT
TISSD SYS java.io.FilePermission /u20/app/oracle/test*
read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission
/u20/app/oracle/testjunk.file read,write,execute,delete GRANT TISSD SYS
java.io.FilePermission /usr/bin/* execute
GRANT TISSD SYS java.lang.RuntimePermission * writeFileDescriptor
9 rows selected.
As you can see I tried numerous ways to restrict access to /u20/app/oracle
files and had very limited luck. Each time I added a new restriction I
logged out of the tissd account and back in. On the flip side I had to
grant access to /export/home/oracle/bsw/scripts/java to allow files to be
read there. I don't understand why unlimited access is being allowed to
the files which should be the most restricted. The tissd user was NOT
granted DBA privs nor the JAVASYSPRIV or JAVAUSERPRIV roles. I've read the
8.1.7 Java Developers Guide Chapter 5 on security and haven't found the
answer there either.
This worked, which I didn't think it should.
SQL exec rc('/usr/bin/ls /u20/app/oracle');
admin
jre
oraInventory
oradata
oui
product
testfile.junk
Return code is 0
And this failed.
SQL exec rc('/usr/bin/ls /u20/app/oracle/*');
Return code is 2
Doing an ls on the file failed
SQL exec rc('/usr/bin/ls /u20/app/oracle/testjunk.file');
Return code is 2
But moving it worked fine. AAUUUGGGHHH!!!
SQL exec rc('/usr/bin/mv /u20/app/oracle/testjunk.file
/u20/app/oracle/testfile.junk'); Return code is 0
Just your regular ol' IDIOT asking for HELP.
Thanks - Brian
-
Do You Yahoo!?
Yahoo! Mail Personal Address - Get email at your own domain with Yahoo!
Mail.
Content-Type: text/html; charset=us-ascii; name=Attachment: 1
Content-Transfer-Encoding: 7bit
Content-Description:
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Jared Still
INET: [EMAIL PROTECTED]
Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051
San Diego, California-- Public Internet access / Mailing Lists
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
