On Oracle 8i, by default, java permissions can only be granted by SYS it seems - what privilege or role would I have to grant to a user to enable that user to be able to grant java permissions?

If it makes any difference, the specific grants I wish to be able to make from the non-SYS user is

java.io.FilePermission

and I want the user to be able to grant this permission to itself.

Is this doable?

cheers
--
jeremy
Jeremy wrote:
> On Oracle 8i, by default, java permissions can only be granted by SYS it
> seems - what privilege or role would I have to grant to a user to enable
> that user to be able to grant java permissions?
>
> If it makes any difference, the specific grants I wish to be able to
> make from the non-SYS user is
>
> java.io.FilePermission
>
> and I want the user to be able to grant this permission to itself.
>
> Is this doable?
>
> cheers

HUH?

> I want the user to be able to grant this permission to itself

This statement makes little to no sense.

"permissions" are granted by the schema (owner) on objects they own to either ROLES or other schemas.

GRANT EXECUTE ON java.io.FilePermission TO <SCHEMA_NAME OR ROLE>;
In article <dAEyc.63309$tI2.44392@fed1read07>, anacedent says...
> Jeremy wrote:
>
> > On Oracle 8i, by default, java permissions can only be granted by SYS it
> > seems - what privilege or role would I have to grant to a user to enable
> > that user to be able to grant java permissions?
> >
> > If it makes any difference, the specific grants I wish to be able to
> > make from the non-SYS user is
> >
> > java.io.FilePermission
> >
> > and I want the user to be able to grant this permission to itself.
> >
> > Is this doable?
> >
> > cheers
>
> HUH?
>
> > I want the user to be able to grant this permission to itself
>
> This statement makes little to no sense.
>
> "permissions" are granted by the schema (owner) on objects
> they own to either ROLES or other schemas.
>
> GRANT EXECUTE ON java.io.FilePermission TO <SCHEMA_NAME OR ROLE>;

This doesn't solve the problem - if I use what you wrote above I get

12:24:53 SQL> GRANT EXECUTE ON java.io.FilePermission TO wd;
GRANT EXECUTE ON java.io.FilePermission TO wd
*
ERROR at line 1:
ORA-00905: missing keyword

(wd is a database user)

The problem is that we have a process which creates a new directory on the server and we have a java stored procedure that needs to be able to write all files in the new directory. At the moment we issue from SYS by hand:

begin
  dbms_java.grant_permission ('WD', 'java.io.FilePermission', '/usr/documents/newdocdir/*', 'read,write,execute,delete');
end;
/

Until we issue this, the jsp cannot write a file into the directory. What I want to achieve is that the above dbms_java.grant_permission call be made by the user 'wd'.

If I grant execute on dbms_java to wd, when I run the procedure which uses dbms_java I get:

ORA-29532: Java call terminated by uncaught Java exception: java.lang.SecurityException: policy table update SYS:java.io.FilePermission, /usr/documents/newdocdir/*
ORA-06512: at "SYS.DBMS_JAVA", line 0
ORA-06512: at "WD.WD_SC_BO", line 7516
ORA-06512: at "WD.WD_SC_BO", line 40
ORA-06512: at line 10

Any help appreciated with this!
--
jeremy
Hi Jeremy,

You have a number of possibilities. You could grant the role JAVASYSPRIV, which has the rights to read, write, execute or delete any file, to the user. Or you could grant the user the JAVA_ADMIN role, which will allow him to grant his own file permissions via the DBMS_JAVA package, as this role has the rights to grant this privilege.

Both of these methods are not secure though. The first, as suggested, will allow your users to access any file, which is not ideal. The second will allow the user to grant any java privilege (actually not all, as there are a few extras that SYS has) but essentially anything.

The Java security is separate from normal database privileges and roles. The privileges are stored in the Java policy table, and to be able to grant a Java privilege you need to have the privilege to alter the policy table. This is granted through the dbms_java package with the grant_policy_permission procedure.

Here we recreate your error and then fix it by allowing SCOTT (in my case) the privilege to grant java.io.FilePermission to any other user including himself.

Connected to:
Personal Oracle9i Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL>
SQL> connect scott/tiger
Connected.
SQL> begin
  2  dbms_java.grant_permission('SCOTT','java.io.FilePermission','C:\TEMP','read,write,execute,delete');
  3  end;
  4  /
begin
*
ERROR at line 1:
ORA-29532: Java call terminated by uncaught Java exception: java.lang.SecurityException: policy table update SYS:java.io.FilePermission, C:\TEMP
ORA-06512: at "SYS.DBMS_JAVA", line 0
ORA-06512: at line 2

SQL> connect sys/change_on_install@sans as sysdba
Connected.
SQL> call dbms_java.grant_policy_permission('SCOTT','SYS','java.io.FilePermission','*');

Call completed.

SQL> connect scott/tiger
Connected.
SQL> begin
  2  dbms_java.grant_permission('SCOTT','java.io.FilePermission','C:\TEMP','read,write,execute,delete');
  3  end;
  4  /

PL/SQL procedure successfully completed.

SQL>

You will note that in the call to grant_policy_permission we have to specify the SYS schema in the permission schema parameter. This is important, as the privilege can only be granted on from a schema that loads the privilege.

Again this solution is not secure, as you can probably guess: the user SCOTT can now grant any file permission to himself or any other user. Java permissions are not like Oracle. You cannot grant access to /etc/passwd to SCOTT with admin rights so he can grant it to another user. You need to grant the right to modify the policy table for a specific Java privilege, in this case java.io.FilePermission. You can restrict this by specifying read only, for instance, instead of "*".

Finally, you could simply grant the user rights to the directory tree instead of all the files in a particular directory. By modifying your example you would do:

begin
  dbms_java.grant_permission ('WD', 'java.io.FilePermission', '/usr/documents/newdocdir/-', 'read,write,execute,delete');
end;
/

Note the use of "-" instead of "*", which will give access to all files recursively through all sub-directories. Maybe you could simply grant access to the base directory at the start??

hope this helps

Kind regards

Pete
--
Pete Finnigan
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
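The answer above shows two ends of the spectrum: a '*' policy-table grant that lets SCOTT hand out any file permission, and a one-off recursive grant made by SYS. The following is an added example, not Pete's code and not Oracle's documentation, that puts the two together for Jeremy's WD schema: SYS grants WD the right to administer java.io.FilePermission only for names under /usr/documents, WD then grants itself a new directory, and the policy table is checked and cleaned up. It assumes the DBMS_JAVA procedures used in the thread, the DBA_JAVA_POLICY view (present on 9i, where the answer's session was run; on 8i use whatever policy view your release exposes), and that the policy-table name is matched with java.io.FilePermission's wildcard semantics, so that '/usr/documents/-' covers every name below it. If your release only matches the exact name, grant the policy permission for the exact pattern WD will use instead.

```sql
-- Added example (not from the thread). Scopes the policy-table grant so WD can
-- administer java.io.FilePermission only below /usr/documents, then verifies
-- and revokes it. Assumes: DBMS_JAVA (as in the thread), the DBA_JAVA_POLICY
-- view (9i), and that the policy-table name '/usr/documents/-' is matched
-- with FilePermission wildcard semantics (an assumption; see the lead-in).

-- 1. As SYS: instead of '*', give WD policy-table rights only for names under
--    the document tree. '-' is the recursive form from the answer above. The
--    permission_schema must be SYS, the schema that loaded the permission.
connect sys as sysdba
call dbms_java.grant_policy_permission('WD', 'SYS', 'java.io.FilePermission', '/usr/documents/-');

-- 2. As WD: the call that previously failed with
--    "policy table update SYS:java.io.FilePermission" now succeeds, for a new
--    directory below the tree. 'execute' is omitted: the procedure only needs
--    to write files, so it is not granted.
connect wd
begin
  dbms_java.grant_permission('WD', 'java.io.FilePermission',
                             '/usr/documents/newdocdir/-', 'read,write,delete');
end;
/

-- 3. As WD: a grant outside the tree should be refused, because the scoped
--    policy-table permission does not cover '/etc/passwd'. Expected (assumed):
--    ORA-29532 ... java.lang.SecurityException: policy table update ...
begin
  dbms_java.grant_permission('WD', 'java.io.FilePermission', '/etc/passwd', 'read');
end;
/

-- 4. Audit: which schemas hold file permissions, and which may edit the
--    policy table for them. KIND distinguishes GRANT from RESTRICT rows.
select kind, grantee, type_name, name, action, enabled, seq
from   dba_java_policy
where  type_name in ('java.io.FilePermission',
                     'oracle.aurora.rdbms.security.PolicyTablePermission')
order  by grantee, type_name, name;

-- 5. Clean-up, as SYS: revoke the directory grant by its full specification,
--    and disable the policy-table grant by the SEQ key reported in step 4
--    (placeholder; take the number from your own query output).
connect sys as sysdba
call dbms_java.revoke_permission('WD', 'java.io.FilePermission',
                                 '/usr/documents/newdocdir/-', 'read,write,delete');
call dbms_java.disable_permission(<seq_from_step_4>);
```

Run it as a SQL*Plus script, one section at a time, and confirm on your release that step 3 really is refused before relying on the scoped grant: that check, not the grant in step 1, is what tells you WD cannot reach files outside the document tree.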
In article <iSSEeUAR2VzARxep@peterfinnigan.demon.co.uk>, Pete Finnigan says...
>
> Note the use of "-" instead of "*", which will give access to all files
> recursively through all sub-directories. Maybe you could simply grant
> access to the base directory at the start??
>

Pete, thanks for all the above - but in fact this last nugget is actually all I needed - so we grant the privilege once for the topmost directory and as new directories are added, the privilege is automatically there. Perfect.

thanks
--
jeremy