Re: utl_file question
- From: Norman Dunbar <oracle@xxxxxxxxxxxxxxx>
- To: oracle-l@xxxxxxxxxxxxx
- Date: Wed, 20 Jun 2018 16:44:29 +0100
On 20/06/18 15:28, Storey, Robert (DCSO) wrote:
Thank you, I will review that. In my case, I granted read/write on the
directory_object to public
Hmm. UTL_FILE, by default, is also granted (execute) to PUBLIC, which
means that now, anyone on your database can read and write files in the
location pointed to by your directory object. This may be a security
In addition, any files accessed, reading or writing, are accessed with
the privileges of the oracle user and not the individual logging in to
the database - assuming they have a server account too.
Depending on the server path that your directory object points to, you
may be permitting the users to overwrite, append to, read and write etc,
some files required for the database itself.
Ask me how I know? IN the past, there was a UTL_FILE_DIR parameter set
to '*' which allowed UTL_FILE access to anywhere on the server, pretty
much, provided the oracle account could access the location.
Someone, no, not me, did a UTL_FILE write over a log file (or similar, I
forget) and down we all went. Fun!
Take care with granting privileges to public.
Dunbar IT Consultants Ltd
27a Lidget Hill
Company Number: 05132767
Other related posts: