For those of you interested in this thread, here is my conclusion.

Some of my initial tests were flawed with files not existing that I thought existed and strange results from executing the procedure. While this is valid from the O/S:

    /usr/bin/ls /u20/app/oracle/*

it doesn't work from within the procedure (return code 2):

    exec rc('/usr/bin/ls /u20/app/oracle/*')

So I thought access was being limited and I had to grant permissions in one case and try to restrict them in another, when it is just a caveat that was throwing me off.

I re-read the security section from the Java Developer's Guide. What I was getting hung up on was Example 5-2 Limiting Permissions on page 5-10:

"For example, if you want to allow access to all files within the /tmp directory - except for your password file that exists in that directory - you would grant permission for read and write to all files within /tmp and limit read and write access to the password file"

I didn't realize this was for Java access to files; I thought this was limiting all access. When I granted execute on /usr/bin/*, the call to the O/S operates under the execute permissions for the /usr/bin pgm, and since the files are just parameters to the executables (ls, mv, etc.), file security is subverted.

I still think this is a major issue that could be better communicated (like in an Oracle Note) versus being found out by trial and error. Given this, I would never grant execute permission on mv, cp, rm, etc. from /usr/bin to anyone other than to a DBA.

- Brian
Author: Brian Wisniewski
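An audit query for the exposure described in the post, as an added example that is not part of the original message: it lists enabled java.io.FilePermission grants that include execute, read from the DBA_JAVA_POLICY data dictionary view, and labels how broad each one is. The flagged binaries (mv, cp, rm) are the ones named in the post; the exposure labels and the choice to treat `/*` and `/-` patterns as "whole directory" are assumptions of this example.

```sql
-- Added example: who can launch OS executables from the database JVM?
-- Java policy checks only the executable path; the file names passed as
-- arguments to that executable are not checked against FilePermission.
SELECT p.grantee,
       p.name   AS path_pattern,
       p.action,
       CASE
         WHEN p.name = '<<ALL FILES>>'  THEN 'any executable'
         -- '*' and '-' are literal characters in LIKE; only '%' is a wildcard here
         WHEN p.name LIKE '%/*'
           OR p.name LIKE '%/-'         THEN 'whole directory'
         WHEN p.name LIKE '%/mv'
           OR p.name LIKE '%/cp'
           OR p.name LIKE '%/rm'        THEN 'file-manipulating binary'
         ELSE 'single executable'
       END      AS exposure
FROM   dba_java_policy p
WHERE  p.kind      = 'GRANT'
AND    p.enabled   = 'ENABLED'
AND    p.type_name = 'java.io.FilePermission'
AND    INSTR(LOWER(p.action), 'execute') > 0
ORDER  BY exposure, p.grantee, p.name;
```

Rows labelled 'any executable', 'whole directory' or 'file-manipulating binary' for a grantee that is not a DBA account are the grants the post recommends against.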