Re: Security issue with DBFS

  • From: Kamus <kamusis@xxxxxxxxx>
  • To: oracle_l <Oracle-L@xxxxxxxxxxxxx>
  • Date: Thu, 11 Aug 2011 23:42:14 +0800

I found that if I mount this DBFS area into a filesystem and use the cp command instead 
of dbfs_client, the permissions are OK.

$ id
uid=1101(oracle) gid=1000(oinstall) groups=1000(oinstall),1200(dba),1300(asmdba)

$ ls -l /mnt/dbfs/dbfs_area/
total 0
drwxr-xr-x 2 oracle oinstall 0 Aug 11 23:38 dir1
drwxr-xr-x 2 grid oinstall 0 Aug 11 22:41 dir2

$ cp test.txt /mnt/dbfs/dbfs_area/dir2/test1.txt
cp: cannot create regular file `/mnt/dbfs/dbfs_area/dir2/test1.txt': Permission denied


-- 
Zhang Leyi (Kamus) <kamusis@xxxxxxxxx>

Visit my blog for more: http://www.dbform.com
Join ACOUG: http://www.acoug.org
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)


On Thursday, August 11, 2011 at 11:19 PM, Kamus wrote:

>  Hi gurus 
> 
> Does anyone have experience with DBFS? I'm trying to use this new 11gR2 feature for 
> one of my product systems, which will finally hold over 400T of picture BLOBs.
> 
> I'm doing some tests of DBFS security and found a problem (bug?).
> 
> I use the oracle user to create a directory.
> $ dbfs_client dbfs@localhost:1521/orcl --command mkdir dbfs:/dbfs_area/dir1
> 
> Then I use the grid user to create another directory.
> $ dbfs_client dbfs@localhost:1521/orcl --command mkdir dbfs:/dbfs_area/dir2
> 
> After that I list the dirs and all looks good. Both dirs' privileges are 755, which 
> should mean only the user has WRITE permission. 
> $ dbfs_client dbfs@localhost:1521/orcl --command ls -l dbfs:/dbfs_area
> Password:
> drwxr-xr-x grid oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir2
> drwxr-xr-x oracle oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir1
> 
> But when I try to use the oracle user to copy a file into the 2 directories, both succeed. 
> Huh? Did I miss something?
> [oracle@dbserver-oel ~]$ dbfs_client dbfs@localhost:1521/orcl --command cp test.txt dbfs:/dbfs_area/dir1/
> Password:
> test.txt -> dbfs:/dbfs_area/dir1/test.txt
> [oracle@dbserver-oel ~]$ dbfs_client dbfs@localhost:1521/orcl --command cp test.txt dbfs:/dbfs_area/dir2/
> Password:
> test.txt -> dbfs:/dbfs_area/dir2/test.txt
> $ dbfs_client dbfs@localhost:1521/orcl --command ls -l -R dbfs:/dbfs_area
> Password:
> drwxr-xr-x grid oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir2
> -rw-r--r-- oracle oinstall 27 Aug 11 22:41 dbfs:/dbfs_area/dir2/test.txt
> drwxr-xr-x oracle oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir1
> -rw-r--r-- oracle oinstall 27 Aug 11 22:41 dbfs:/dbfs_area/dir1/test.txt
> 
> Any feedback will be appreciated.
> 
> -- 
> Zhang Leyi (Kamus) <kamusis@xxxxxxxxx>
> 
> Visit my blog for more: http://www.dbform.com
> Join ACOUG: http://www.acoug.org
> Sent with Sparrow (http://www.sparrowmailapp.com/?sig)


--
//www.freelists.org/webpage/oracle-l
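
Added example, not part of the original posts or of Oracle's tooling: a shell helper that computes what POSIX mode bits alone would decide for creating a file in a directory, given a listing line in the format the `dbfs_client ... ls -l` output above uses, so the expected verdict can be compared with what each copy path actually did. The helper name `posix_may_create` and the demo loop are assumptions; the listing lines and group names are taken from the thread.

```sh
#!/bin/sh
# Added example. Listing line format, as shown in the thread:
#   <mode> <owner> <group> <size> <month> <day> <time> <path>
# posix_may_create is a hypothetical helper, not a dbfs_client feature.
# It models mode bits only: no ACLs, no privileged users, no parent-dir checks.
# Returns 0 = create allowed, 1 = denied, 2 = line is not a directory entry.
posix_may_create() {
    user=$1
    groups=$2
    # Split the listing line with read so path characters are never globbed.
    read -r mode owner group _rest <<EOF
$3
EOF
    case $mode in
        d?????????*) ;;
        *) return 2 ;;
    esac
    # POSIX selects exactly one class: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        class=$(printf '%s' "$mode" | cut -c2-4)
    else
        case " $groups " in
            *" $group "*) class=$(printf '%s' "$mode" | cut -c5-7) ;;
            *)            class=$(printf '%s' "$mode" | cut -c8-10) ;;
        esac
    fi
    # Creating an entry needs write AND search (x) on the directory.
    # Lowercase s/t imply x is set; uppercase S/T mean it is not.
    case $class in
        ?w[xst]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Demo: the two directory lines from the thread, checked for user oracle
# with the groups shown in the `id` output.
for line in \
    "drwxr-xr-x grid oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir2" \
    "drwxr-xr-x oracle oinstall 0 Aug 11 22:41 dbfs:/dbfs_area/dir1"
do
    if posix_may_create oracle "oinstall dba asmdba" "$line"; then
        verdict=allow
    else
        verdict=deny
    fi
    printf '%s -> %s\n' "${line##* }" "$verdict"
done
```

For `dir2` the mode bits say deny, which matches the `cp` result on the mounted filesystem in the reply and not the `dbfs_client --command cp` result in the original post.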

