Re: dbms_java and file permissions
Thanks for taking a shot Jared. I'm just starting with Java, learnin' as I go. Sorry I didn't post the query initially. It was basically a select * from dba_java_policy wheregrantee = 'TISSD'. External calls to the OS will be as the oracle user which would be hard to limit however it is happening in certain situations and I don't know this for a fact but I believe these calls shouldn't make it to the OS if there are restrictions. I may be off on that but /export/home/oracle is also owned by Oracle and I wasn't allowed to do an ls on that directory unless I had explicitely granted permission to it. Also I can't do an ls on /u20/app/oracle/testjunk.file which is explictly restricted (still owned by Oracle on OS) but I can still ls the directory (even though I tried to restrict access) or even move the file. Strange. Here's the response I got from Metalink forums. Hi. This issue must be handled by an analyst in the Internet Languages group. Unfortunately at this time we do not have technical forum support for Internet Languages within MetaLink. For assistance from Oracle Support on this issue, you will need to log an iTAR. iTAR functionality is accessible via the TARs option on MetaLink Home. I'lltry the TAR approach and see if I get anywhere. Thanks again - Brian Jared Still [EMAIL PROTECTED] wrote: Brian,I've still gotta lot to learn about Java, but I'll takea stab at this.First off, what query did you use to produce the outputbelow?Do external processes run via Java run as Oracle? I'm guessing that they do, but I could be wrong, and don'thave time to test this right now.If so, this will likely put a limit on your abilities to restrict access to directories owned by Oracle.Hope some of this helps.JaredOn Tuesday 05 June 2001 07:41, Brian Wisniewski wrote: 8.1.7.1 on Solaris 7 I created a small java procedure to be able to call O/S commands from within the database (using Ask Tom's example). Works a little too well because I can't seem to restrict access to the oracle directories which is obviously a major concern. Here are the list of ! ! privileges I granted/restricted to the owner of the java procedure. KIND GRANTE TYPE_ TYPE_NAME NAME ACTION -- - -- -- - GRANT TISSD SYS java.io.FilePermission /export/home/oracle/bsw/scripts/java read RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/ read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/* read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/- read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/test* read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/testjunk.file read,write,execute,delete GRANT TISSD SYS java.io.FilePermission /usr! ! /bin/* execute GRANT TISSD SYS java.lang.RuntimePermission * writeFileDescriptor 9 rows selected. As you can see I tried numerous ways to restrict access to /u20/app/oracle files and had very limited luck. Each time I added a new restriction I logged out of the tissd account and back in. On the flip side I had to grant access to /export/home/oracle/bsw/scripts/java to allow files to be read there. I don't understand why unlimited access is being allowed to the files which should be the most restricted. The tissd user was NOT granted DBA privs nor the JAVASYSPRIV or JAVAUSERPRIV roles. I've read the 8.1.7 Java Developers Guide Chapter 5 on security and haven't found the answer there either. This worked, which I didn't think it should. SQL exec rc('/usr/bin/ls /u20/app/oracle'); admin jre oraInventory oradata oui product testjunk.file Return code is 0 And this failed. SQL exec rc('/usr/bin/ls /u20/app/oracle/*'); Return code is 2 Doing an ls on the file failed SQL exec rc('/usr/bin/ls /u20/app/oracle/testjunk.file'); Return code is 2 But moving it worked fine. AAUUUGGGHHH!!! SQL exec rc('/usr/bin/mv /u20/app/oracle/testjunk.file /u20/app/oracle/testfile.junk'); Return code is 0 Just your regular ol' IDIOT asking for HELP. Thanks - BrianDo You Yahoo!? Yahoo! Mail Personal Address - Get email at your own domain with Yahoo! Mail.
Re: dbms_java and file permissions
Brian, I've still gotta lot to learn about Java, but I'll take a stab at this. First off, what query did you use to produce the output below? Do external processes run via Java run as Oracle? I'm guessing that they do, but I could be wrong, and don't have time to test this right now. If so, this will likely put a limit on your abilities to restrict access to directories owned by Oracle. Hope some of this helps. Jared On Tuesday 05 June 2001 07:41, Brian Wisniewski wrote: 8.1.7.1 on Solaris 7 I created a small java procedure to be able to call O/S commands from within the database (using Ask Tom's example). Works a little too well because I can't seem to restrict access to the oracle directories which is obviously a major concern. Here are the list of privileges I granted/restricted to the owner of the java procedure. KIND GRANTE TYPE_ TYPE_NAME NAME ACTION -- - -- -- - GRANT TISSD SYS java.io.FilePermission /export/home/oracle/bsw/scripts/java read RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/ read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/* read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/- read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/test* read,write,execute,delete RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/testjunk.file read,write,execute,delete GRANT TISSD SYS java.io.FilePermission /usr/bin/* execute GRANT TISSD SYS java.lang.RuntimePermission * writeFileDescriptor 9 rows selected. As you can see I tried numerous ways to restrict access to /u20/app/oracle files and had very limited luck. Each time I added a new restriction I logged out of the tissd account and back in. On the flip side I had to grant access to /export/home/oracle/bsw/scripts/java to allow files to be read there. I don't understand why unlimited access is being allowed to the files which should be the most restricted. The tissd user was NOT granted DBA privs nor the JAVASYSPRIV or JAVAUSERPRIV roles. I've read the 8.1.7 Java Developers Guide Chapter 5 on security and haven't found the answer there either. This worked, which I didn't think it should. SQL exec rc('/usr/bin/ls /u20/app/oracle'); admin jre oraInventory oradata oui product testfile.junk Return code is 0 And this failed. SQL exec rc('/usr/bin/ls /u20/app/oracle/*'); Return code is 2 Doing an ls on the file failed SQL exec rc('/usr/bin/ls /u20/app/oracle/testjunk.file'); Return code is 2 But moving it worked fine. AAUUUGGGHHH!!! SQL exec rc('/usr/bin/mv /u20/app/oracle/testjunk.file /u20/app/oracle/testfile.junk'); Return code is 0 Just your regular ol' IDIOT asking for HELP. Thanks - Brian - Do You Yahoo!? Yahoo! Mail Personal Address - Get email at your own domain with Yahoo! Mail. Content-Type: text/html; charset=us-ascii; name=Attachment: 1 Content-Transfer-Encoding: 7bit Content-Description: -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jared Still INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).