RE: DBMS_JAVA.GRANT_PERMISSION

  • From: "Marquez, Chris" <CMarquez@xxxxxxxx>
  • To: <DGoulet@xxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 20 Apr 2005 10:06:22 -0400

I have not used;

dbms_java.grant_permission('SYS','java.lang.RuntimePermission','loadLibrary....

but have used;
     dbms_java.grant_permission( 'MARQUEZ', 'SYS:java.lang.RuntimePermission', 'write/readFileDescriptor'

I did this to enable me to use and run JAVA *in* the database;
     CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED
...the JAVA program does OS commands.


My *guess* is that your developer has JAVA code "outside"? the database
that he wants to call from "inside" the database?

I question how one could "deviate" from any of this...meaning that one
must have the correct set of ROLES, GRANTS, PRIVS to complete any task
in the database...JAVA not excluded. Again, my experience was that until
I got the right mix of privs and java code I wasn't able to have any java
fun.

PS I think just saying the words Oracle & JAVA is a security breach at
some level....
PPS Is he using Library "oraawt" specifically...what does it do?

Hth,

Chris Marquez
Oracle DBA
HEYMONitor(tm) - heymonitor.com
"Oracle Monitoring & Alerting Solution"

-----------------------------------
SYS
-----------------------------------
SQL> show user
USER is "SYS"
SQL> Execute dbms_java.grant_permission( 'MARQUEZ', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute');
PL/SQL procedure successfully completed.

SQL> execute dbms_java.grant_permission( 'MARQUEZ', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '*' );
PL/SQL procedure successfully completed.

SQL> execute dbms_java.grant_permission( 'MARQUEZ', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '*' );
PL/SQL procedure successfully completed.


-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Goulet, Dick
Sent: Tuesday, April 19, 2005 10:40 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: DBMS_JAVA.GRANT_PERMISSION


Ron,
I did not say the "correct approach", but that there must be "good
reason" for it.   I've an application developer who wants to deviate
from the default & am looking for any experience/good reasons that says
we should not.

-----Original Message-----
From: Reidy, Ron [mailto:Ron.Reidy@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, April 19, 2005 10:33 AM
To: Goulet, Dick; oracle-l@xxxxxxxxxxxxx
Subject: RE: DBMS_JAVA.GRANT_PERMISSION

Hmmm, I would never assume the default set up/behavior from any software
vendor is the correct approach, but that is just me :)

-----------------
Ron Reidy
Lead DBA
Array BioPharma, Inc.


-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of Goulet, Dick
Sent: Tuesday, April 19, 2005 7:51 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: DBMS_JAVA.GRANT_PERMISSION


Has anyone out there ever had to grant permission for LoadLibrary?
There's a Metalink document, Note:259471.1, on how to do it, but are
there any downsides?  I take the approach that if Oracle set this up as
default behavior there is good reason for it.

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA


--
//www.freelists.org/webpage/oracle-l

This electronic message transmission is a PRIVATE communication which
contains information which may be confidential or privileged. The
information is intended to be for the use of the individual or entity
named above. If you are not the intended recipient, please be aware
that any disclosure, copying, distribution or use of the contents of
this information is prohibited. Please notify the sender of the
delivery error by replying to this message, or notify us by telephone
(877-633-2436, ext. 0), and then delete it from your system.
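
The grants discussed in this thread can be reviewed from the data dictionary. The following is an added example, not part of the original thread or anyone's posted code: it lists Java policy entries of the kinds mentioned above (loadLibrary, file descriptor access, execute on files) and then narrows the `<<ALL FILES>>` execute grant to one program. It assumes a session that can read DBA_JAVA_POLICY and call DBMS_JAVA; the path /usr/bin/df is a hypothetical placeholder.

```sql
-- Added example: audit Java policy grants of the kinds discussed in the thread.
-- Assumes SELECT access to DBA_JAVA_POLICY (for example, connected as a DBA).
SELECT seq,
       kind,          -- GRANT or RESTRICT
       grantee,
       type_schema,
       type_name,
       name,
       action,
       enabled
FROM   dba_java_policy
WHERE  (     type_name = 'java.lang.RuntimePermission'
         AND (   name LIKE 'loadLibrary.%'
              OR name IN ('readFileDescriptor', 'writeFileDescriptor')))
   OR  (     type_name = 'java.io.FilePermission'
         AND (   name = '<<ALL FILES>>'
              OR LOWER(action) LIKE '%execute%'))
ORDER  BY grantee, type_name, name;

-- Replace the blanket execute grant from the SYS transcript with a grant on
-- a single program. '/usr/bin/df' is a hypothetical placeholder: use the one
-- OS command the Java stored procedure actually needs to run.
BEGIN
  dbms_java.revoke_permission(
    'MARQUEZ', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute');
  dbms_java.grant_permission(
    'MARQUEZ', 'SYS:java.io.FilePermission', '/usr/bin/df', 'execute');
END;
/

-- Confirm the result: the <<ALL FILES>> row should now show ENABLED = 'DISABLED'
-- and the single-path row ENABLED = 'ENABLED'.
SELECT seq, name, action, enabled
FROM   dba_java_policy
WHERE  grantee   = 'MARQUEZ'
AND    type_name = 'java.io.FilePermission'
ORDER  BY seq;
```

revoke_permission disables the policy row rather than deleting it; dbms_java.delete_permission with the row's SEQ value removes a disabled entry.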
