Re: utl_file question

  • From: Norman Dunbar <oracle@xxxxxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Wed, 20 Jun 2018 16:44:29 +0100

Hi Robert,

On 20/06/18 15:28, Storey, Robert (DCSO) wrote:

> Thank you, I will review that. In my case, I granted read/write on the directory_object to public.

Hmm. UTL_FILE, by default, is also granted (execute) to PUBLIC, which means that now, anyone on your database can read and write files in the location pointed to by your directory object. This may be a security problem.

In addition, any files accessed, reading or writing, are accessed with the privileges of the oracle user and not the individual logging in to the database - assuming they have a server account too.

Depending on the server path that your directory object points to, you may be permitting the users to overwrite, append to, read and write etc., some files required for the database itself.

Ask me how I know? In the past, there was a UTL_FILE_DIR parameter set to '*' which allowed UTL_FILE access to anywhere on the server, pretty much, provided the oracle account could access the location.

Someone, no, not me, did a UTL_FILE write over a log file (or similar, I forget) and down we all went. Fun!

Take care with granting privileges to public.


Cheers,
Norm.


--
Norman Dunbar
Dunbar IT Consultants Ltd

Registered address:
27a Lidget Hill
Pudsey
West Yorkshire
United Kingdom
LS28 7LG

Company Number: 05132767