For those of you interested in this thread, here is my conclusion.

Some of my initial tests were flawed with files not existing that I
thought existed and strange results from executing the procedure.
While this is valid from the O/S /usr/bin/ls /u20/app/oracle/*, it
doesn't work from within the procedure exec rc('/usr/bin/ls
/u20/app/oracle/*') (return code 2). So I thought access was being
limited and I had to grant permissions in one case and try to restrict
them in another when it is just a caveat that was throwing me off.

I re-read the security section from the Java Developers Guide. What I
was getting hung up on was Example 5-2 Limiting Permissions on page
5-10. "For example, if you want to allow access to all files within
the /tmp directory - except for your password file that exists in that
directory - you would grant permission for read and write to all files
within /tmp and limit read and write access to the password file."

I didn't realize this was for Java access to files; I thought this was
limiting all access. When I granted execute on /usr/bin/*, the call to
the O/S operates under the execute permissions for the /usr/bin pgm, and
since the files are just parameters to the executables (ls, mv, etc.), file
security is subverted.

I still think this is a major issue that could be better communicated
(like in an Oracle Note) versus being found out by trial and error.
Given this, I would never grant execute permission on mv, cp, rm, etc.
from /usr/bin to anyone other than a DBA.
- Brian
Author: Brian Wisniewski
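
An audit and cleanup for the grant discussed above, as an added example that is not part of the original post. It assumes the Oracle JVM's DBA_JAVA_POLICY view and DBMS_JAVA package; APP_USER is a hypothetical grantee.

```sql
-- Audit: list every enabled or disabled GRANT of java.io.FilePermission that
-- includes 'execute' on a wildcard path. '/*' covers one directory, '/-' is
-- recursive, '<<ALL FILES>>' covers everything.
SELECT grantee,
       name   AS path,
       action,
       enabled,
       seq
FROM   dba_java_policy
WHERE  kind      = 'GRANT'
AND    type_name = 'java.io.FilePermission'
AND    LOWER(action) LIKE '%execute%'
AND   (   name = '<<ALL FILES>>'
       OR name LIKE '%/*'
       OR name LIKE '%/-')
ORDER  BY grantee, name;

-- Cleanup for one finding (APP_USER is a hypothetical schema).
-- revoke_permission must be given the same name and action as the
-- original grant, here the wildcard grant described in the post.
BEGIN
  dbms_java.revoke_permission(
    'APP_USER', 'SYS:java.io.FilePermission', '/usr/bin/*', 'execute');

  -- Re-grant only a single read-only binary. The Java policy checks the
  -- executable path, not the file names passed to it as arguments, so
  -- binaries that modify files (mv, cp, rm) stay ungranted.
  dbms_java.grant_permission(
    'APP_USER', 'SYS:java.io.FilePermission', '/usr/bin/ls', 'execute');
END;
/
```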