8.1.7.1 on Solaris 7
I created a small java procedure to be able to call O/S commands from within the database (using Ask Tom's example). Works a little too well because I can't seem to restrict access to the oracle directories which is obviously a major concern.
Here are the list of privileges I granted/restricted to the owner of the java procedure.
KIND GRANTE TYPE_ TYPE_NAME NAME ACTION
-------- ------ ----- ------------------------------ ------------------------------ -------------------------
GRANT TISSD SYS java.io.FilePermission /export/home/oracle/bsw/scripts/java read
RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle read,write,execute,delete
RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/ read,write,execute,delete
RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/* read,write,execute,delete
RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/- read,writ!
!
e,execute,delete
RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/test* read,write,execute,delete
RESTRICT TISSD SYS java.io.FilePermission /u20/app/oracle/testjunk.file read,write,execute,delete
GRANT TISSD SYS java.io.FilePermission /usr/bin/* execute
GRANT TISSD SYS java.lang.RuntimePermission * writeFileDescriptor
9 rows selected.
As you can see I tried numerous ways to restrict access to /u20/app/oracle files and had very limited luck. Each time I added a new restriction I logged out of the tissd account and back in. On the flip side I had to grant access to /export/home/oracle/bsw/scripts/java to allow files to be read there. I don't understand why unlimited access is being allowed to the files which should be the most restricted. The tissd user was NOT granted DBA privs nor the JAVASYSPRIV or JAVAUSERPRIV roles. I've read the 8.1.7 Java Developers Guide Chapter 5 on security and haven't found the answer there either.
This worked, which I didn't think it should.
SQL> exec rc('/usr/bin/ls /u20/app/oracle');
admin
jre
oraInventory
oradata
oui
product
testfile.junk
Return code is 0
And this failed.
SQL> exec rc('/usr/bin/ls /u20/app/oracle/*');
Return code is 2
Doing an ls on the file failed
SQL> exec rc('/usr/bin/ls /u20/app/oracle/testjunk.file');
Return code is 2
But moving it worked fine. AAUUUGGGHHH!!!
SQL> exec rc('/usr/bin/mv /u20/app/oracle/testjunk.file /u20/app/oracle/testfile.junk');
Return code is 0
Just your regular ol' IDIOT asking for HELP.
Thanks - Brian
Do You Yahoo!?
Yahoo! Mail Personal Address - Get email at your own domain with Yahoo! Mail.
