Database Reference
In-Depth Information
No user has EXECUTE access to a directory, but that is actually small comfort, as I will show. The grantees
shown in bold can write to the OS by default, normally through UTL_FILE, which is still public in 12c as shown in the
following query:
SQL> select grantee from dba_tab_privs where table_name='UTL_FILE';
GRANTEE
--------------------------------------------------------------------------------
PUBLIC
ORACLE_OCM
WMSYS
Those of you that read the author's “Create Any Directory” paper ( http://www.oracleforensics.com/
wordpress/wp-content/uploads/2008/10/create_any_directory_to_sysdba.pdf ) will know that directories can
enable a DB user to run commands on the OS as "oracle" Unix, thus bypassing all DB access controls. Therefore
CREATE ANY DIRECTORY privilege is rarely granted and tends to be managed exclusively by the SYSDBAs, mainly
because this system privilege effectively gains SYSDBA.
As a protection, 11g adds the requirement for DBAs to grant DB-based execute, read, and write privileges on the
directory after it is created to enable this OS interaction. This is still the case in 12c. There are a number of ways for DB
sessions to interact with the OS in Oracle. These include:
Java, but requires JAVASYSPRIVS. For more details, see Leandro Abite's article at
http://labite.wordpress.com/2009/02/20/17/
UTL_FILE, but requires execute on a DB directory from CREATE ANY DIRECTORY
PRIVILEGE.
DBMS_SCHEDULER, but requires CREATE EXTERNAL JOB privilege. Halis Way has a good
article on this at http://halisway.blogspot.co.uk/2007_05_01_archive.html
DBMS_BACKUP_RESTORE can be used to interact with OS, but needs high system privileges
to run. For example: dbms_backup_restore.deletefile('/home/oracle/BKP/test.txt');( http://
nadvi.blogspot.co.uk/2011/11/remove-os-file-using-oracle-plsql.html )
ADVISOR privilege, which requires READ/WRITE on a DIRECTORY. This is according to
Oracle's own documentation, which you can read at http://bit.ly/13ewCL6
The key point to know is that the ADVISOR privilege does not actually require any DB DIRECTORY privileges
at all in order to write files directly to the OS! A DB user with just ADVISOR privilege can write to any DB directory
even if there are no privileges granted on that DB directory. Unfortunately, I found this out after the beta had finished
and have reported this to Oracle before publication. Here is a demonstration:
[oracle@orlin ~]$ sqlplus adtest/lowsec@192.168.1.2:1522/orcl4
SQL*Plus: Release 12.1.0.1.0 Production on Fri Aug 16 16:01:30 2013
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Last Successful login time: Thu Aug 08 2013 11:48:29 +01:00
 
Previous Page
Next Page
Protecting Oracle Database 12c
Search WWH ::




Custom Search
Home