SOLVED: dbms_java and file permissions

2001-06-07 Thread Brian Wisniewski

For those of you interested in this thread.  

Here is my conclusion.

Some of my initial tests were flawed with files not existing that I
thought existed and strange results from executing the procedure. 
While this is valid from the O/S /usr/bin/ls /u20/app/oracle/* , it
doesn't work from within the procedure exec rc('/usr/bin/ls
/u20/app/oracle/*') (return code 2).  So I thought access was being
limited and I had to grant permissions in one case and try to restrict
them in another when it is just a caveat that was throwing me off.

I re-read the security section from the Java Developers Guide.  What I
was getting hung up on was Example 5-2 Limiting Permissions on page
5-10.  "For example, if you want to allow access to all files within
the /tmp directory - except for your password file that exists in that
directory - you would grant permission for read and write to all files
within /tmp and limit read and write access to the password file"

I didn't realize this was for Java access to files, I thought this was
limiting all access.  When I granted execute on /usr/bin/* the call to
the O/S operates under the execute permissions for the /usr/bin pgm and
since the files are just parameters to the executables (ls,mv,etc) file
security is subverted.

I still think this is a major issue that could be better communicated
(Like in an Oracle Note) versus being found out by trial and error. 

Given this I would never grant execute permission on mv, cp, rm, etc
from /usr/bin to anyone other than to a dba.

- Brian


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Brian Wisniewski
  INET: [EMAIL PROTECTED]

Fat City Network Services-- (858) 538-5051  FAX: (858) 538-5051
San Diego, California-- Public Internet access / Mailing Lists

To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
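
The conclusion of the message above, as an added example that is not part of the original post and is not Oracle's code: a standalone Java model showing that the execute check looks only at the program path, that the file names passed as arguments are never compared with the RESTRICT rows, and that without a shell the `*` reaches ls as a literal name. The class and method names are hypothetical, the two policy rows are copied from the thread as constructed constants, and `FilePermission.implies` is called directly instead of reading Oracle's policy table.

```java
import java.io.FilePermission;
import java.nio.file.Files;
import java.nio.file.Path;

public class ExecPolicyScope {
    // Constructed from two rows of the thread's policy listing (grantee TISSD).
    static final FilePermission GRANT_EXEC =
        new FilePermission("/usr/bin/*", "execute");
    static final FilePermission RESTRICT_FILE =
        new FilePermission("/u20/app/oracle/testjunk.file", "read,write,execute,delete");

    // The check made when a program is launched: only the program path is tested.
    static boolean execPermitted(String... argv) {
        return GRANT_EXEC.implies(new FilePermission(argv[0], "execute"));
    }

    // True if any argument falls under the RESTRICT row; nothing consults this on exec.
    static boolean touchesRestricted(String... argv) {
        for (int i = 1; i < argv.length; i++) {
            if (RESTRICT_FILE.implies(new FilePermission(argv[i], "read"))) return true;
        }
        return false;
    }

    // Runs argv directly, with no shell in between, and returns the exit code.
    static int run(String... argv) throws Exception {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        p.getInputStream().readAllBytes(); // drain output so the child cannot block
        return p.waitFor();
    }

    public static void main(String[] args) throws Exception {
        String[] mv = {"/usr/bin/mv", "/u20/app/oracle/testjunk.file",
                       "/u20/app/oracle/testfile.junk"};
        System.out.println("exec permitted by policy:    " + execPermitted(mv));
        System.out.println("arguments hit RESTRICT row:  " + touchesRestricted(mv));

        // Same behaviour on scratch files: the child acts with the JVM's OS identity.
        Path dir = Files.createTempDirectory("policy-demo");
        Path f = Files.createFile(dir.resolve("testjunk.file"));
        // No shell means no glob expansion: ls looks for a file literally named "*".
        System.out.println("ls <dir>/* exit code: " + run("ls", dir + "/*"));
        System.out.println("ls <dir>   exit code: " + run("ls", dir.toString()));
        System.out.println("mv         exit code: "
            + run("mv", f.toString(), dir.resolve("testfile.junk").toString()));
    }
}
```

Both policy lines print true for the mv call: the launch is permitted even though an argument names the restricted file, which is why execute on file-handling programs should be granted as narrowly as the message recommends.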



Re: dbms_java and file permissions

2001-06-06 Thread Brian Wisniewski
 Thanks for taking a shot Jared.  I'm just starting with Java, learnin' as I go.
Sorry I didn't post the query initially.  It was basically a select * from dba_java_policy where grantee = 'TISSD'.
External calls to the OS will be as the oracle user, which would be hard to limit; however, it is happening in certain situations, and I don't know this for a fact, but I believe these calls shouldn't make it to the OS if there are restrictions.  I may be off on that, but /export/home/oracle is also owned by Oracle and I wasn't allowed to do an ls on that directory unless I had explicitly granted permission to it.  Also, I can't do an ls on /u20/app/oracle/testjunk.file, which is explicitly restricted (still owned by Oracle on OS), but I can still ls the directory (even though I tried to restrict access) or even move the file.  Strange.
Here's the response I got from Metalink forums. 
Hi. This issue must be handled by an analyst in the Internet Languages group. Unfortunately at this time we do not have technical forum support for Internet Languages within MetaLink. For assistance from Oracle Support on this issue, you will need to log an iTAR. iTAR functionality is accessible via the TARs option on MetaLink Home. 
I'll try the TAR approach and see if I get anywhere.
Thanks again - Brian

Re: dbms_java and file permissions

2001-06-05 Thread Jared Still


Brian,

I've still gotta lot to learn about Java, but I'll take
a stab at this.

First off, what query did you use to produce the output
below?

Do external processes run via Java run as Oracle?  I'm 
guessing that they do, but I could be wrong, and don't
have time to test this right now.

If so, this will likely put a limit on your abilities to 
restrict access to directories owned by Oracle.

Hope some of this helps.

Jared



On Tuesday 05 June 2001 07:41, Brian Wisniewski wrote:
> 8.1.7.1 on Solaris 7
>
> I created a small java procedure to be able to call O/S commands from
> within the database (using Ask Tom's example). Works a little too well
> because I can't seem to restrict access to the oracle directories which is
> obviously a major concern.
>
> Here is the list of privileges I granted/restricted to the owner of the
> java procedure.
>
> KIND     GRANTE TYPE_ TYPE_NAME                   NAME                                 ACTION
> -------- ------ ----- --------------------------- ------------------------------------ -------------------------
> GRANT    TISSD  SYS   java.io.FilePermission      /export/home/oracle/bsw/scripts/java read
> RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle                      read,write,execute,delete
> RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/                     read,write,execute,delete
> RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/*                    read,write,execute,delete
> RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/-                    read,write,execute,delete
> RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/test*                read,write,execute,delete
> RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/testjunk.file        read,write,execute,delete
> GRANT    TISSD  SYS   java.io.FilePermission      /usr/bin/*                           execute
> GRANT    TISSD  SYS   java.lang.RuntimePermission *                                    writeFileDescriptor
>
> 9 rows selected.
>
> As you can see I tried numerous ways to restrict access to /u20/app/oracle
> files and had very limited luck.  Each time I added a new restriction I
> logged out of the tissd account and back in.  On the flip side I had to
> grant access to /export/home/oracle/bsw/scripts/java to allow files to be
> read there.  I don't understand why unlimited access is being allowed to
> the files which should be the most restricted.  The tissd user was NOT
> granted DBA privs nor the JAVASYSPRIV or JAVAUSERPRIV roles.  I've read the
> 8.1.7 Java Developers Guide Chapter 5 on security and haven't found the
> answer there either.
>
> This worked, which I didn't think it should.
>
> SQL> exec rc('/usr/bin/ls /u20/app/oracle');
> admin
> jre
> oraInventory
> oradata
> oui
> product
> testfile.junk
> Return code is 0
>
> And this failed.
>
> SQL> exec rc('/usr/bin/ls /u20/app/oracle/*');
> Return code is 2
>
> Doing an ls on the file failed
>
> SQL> exec rc('/usr/bin/ls /u20/app/oracle/testjunk.file');
> Return code is 2
>
> But moving it worked fine. AAUUUGGGHHH!!!
>
> SQL> exec rc('/usr/bin/mv /u20/app/oracle/testjunk.file /u20/app/oracle/testfile.junk');
> Return code is 0
>
>
>
> Just your regular ol' IDIOT asking for HELP.
>
>
>
> Thanks - Brian
>
>
>
>
>





dbms_java and file permissions

2001-06-05 Thread Brian Wisniewski
8.1.7.1 on Solaris 7

I created a small java procedure to be able to call O/S commands from within the database (using Ask Tom's example). Works a little too well because I can't seem to restrict access to the oracle directories which is obviously a major concern.

Here is the list of privileges I granted/restricted to the owner of the java procedure.

KIND     GRANTE TYPE_ TYPE_NAME                   NAME                                 ACTION
-------- ------ ----- --------------------------- ------------------------------------ -------------------------
GRANT    TISSD  SYS   java.io.FilePermission      /export/home/oracle/bsw/scripts/java read
RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle                      read,write,execute,delete
RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/                     read,write,execute,delete
RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/*                    read,write,execute,delete
RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/-                    read,write,execute,delete
RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/test*                read,write,execute,delete
RESTRICT TISSD  SYS   java.io.FilePermission      /u20/app/oracle/testjunk.file        read,write,execute,delete
GRANT    TISSD  SYS   java.io.FilePermission      /usr/bin/*                           execute
GRANT    TISSD  SYS   java.lang.RuntimePermission *                                    writeFileDescriptor

9 rows selected.

As you can see I tried numerous ways to restrict access to /u20/app/oracle files and had very limited luck.  Each time I added a new restriction I logged out of the tissd account and back in.  On the flip side I had to grant access to /export/home/oracle/bsw/scripts/java to allow files to be read there.  I don't understand why unlimited access is being allowed to the files which should be the most restricted.  The tissd user was NOT granted DBA privs nor the JAVASYSPRIV or JAVAUSERPRIV roles.  I've read the 8.1.7 Java Developers Guide Chapter 5 on security and haven't found the answer there either.

This worked, which I didn't think it should.

SQL> exec rc('/usr/bin/ls /u20/app/oracle');
admin
jre
oraInventory
oradata
oui
product
testfile.junk
Return code is 0

And this failed.

SQL> exec rc('/usr/bin/ls /u20/app/oracle/*');
Return code is 2

Doing an ls on the file failed

SQL> exec rc('/usr/bin/ls /u20/app/oracle/testjunk.file');
Return code is 2

But moving it worked fine. AAUUUGGGHHH!!!

SQL> exec rc('/usr/bin/mv /u20/app/oracle/testjunk.file /u20/app/oracle/testfile.junk');
Return code is 0
 
Just your regular ol' IDIOT asking for HELP. 
 
Thanks - Brian