Security issue with DBFS
- From: Kamus <kamusis@xxxxxxxxx>
- To: oracle_l <Oracle-L@xxxxxxxxxxxxx>
- Date: Thu, 11 Aug 2011 23:19:14 +0800
Anyone has expirience about DBFS? I'm trying use this 11gR2 new feature for one
of my product system, which will finally hold over 400T picture BLOBs.
I'm doing some test for DBFS security and found a problem (bug?)
I use oracle user create a directory.
$ dbfs_client dbfs@localhost:1521/orcl --command mkdir dbfs:/dbfs_area/dir1
then use grid user create another directory.
$ dbfs_client dbfs@localhost:1521/orcl --command mkdir dbfs:/dbfs_area/dir2
after that I list dirs and all looks good. both dir's privlige is 755, which
should means only user can has WRITE permission.
$ dbfs_client dbfs@localhost:1521/orcl --command ls -l dbfs:/dbfs_area
Password:
drwxr-xr-x grid oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir2
drwxr-xr-x oracle oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir1
But I try to use oracle user to copy file into 2 directories, both succeed.
huh? Do I missed something?
[oracle@dbserver-oel ~]$ dbfs_client dbfs@localhost:1521/orcl --command cp
test.txt dbfs:/dbfs_area/dir1/
Password:
test.txt -> dbfs:/dbfs_area/dir1/test.txt
[oracle@dbserver-oel ~]$ dbfs_client dbfs@localhost:1521/orcl --command cp
test.txt dbfs:/dbfs_area/dir2/
Password:
test.txt -> dbfs:/dbfs_area/dir2/test.txt
$ dbfs_client dbfs@localhost:1521/orcl --command ls -l -R dbfs:/dbfs_area
Password:
drwxr-xr-x grid oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir2
-rw-r--r-- oracle oinstall 27 Aug 11 22:41 dbfs:/dbfs_area/dir2/test.txt
drwxr-xr-x oracle oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir1
-rw-r--r-- oracle oinstall 27 Aug 11 22:41 dbfs:/dbfs_area/dir1/test.txt
Any feedback will be appreciated.
--
Zhang Leyi (Kamus) <kamusis@xxxxxxxxx>
Visit my blog for more: http://www.dbform.com
Join ACOUG: http://www.acoug.org
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
--
//www.freelists.org/webpage/oracle-l
Other related posts:
