10.4 Secure Use of Runtime.exec Functionality in Oracle Database
This section is intended for DBAs and security administrators, and provides guidelines for secure use of the Java SE Runtime.exec functionality in Java applications running inside Oracle Database. The java.lang.Runtime.exec methods spawn a new operating system (OS) process and execute the specified command and arguments in the new process. If a SecurityManager is present, which is always the case for the Java VM running in the database, then a security check for file execution permissions on the relevant path names is performed before the new OS process starts. If you are a DBA or a security administrator, then you are responsible for selectively granting the appropriate file read, write, and execute permissions to the database users who are authorized to run server-side OS commands. In addition, Oracle strongly recommends that the dbms_java.set_runtime_exec_credentials procedure be used to control the OS user identities of spawned commands, as described in the following sections.
By design, Runtime.exec and the related functionality of the java.lang.ProcessBuilder and java.lang.Process classes provide no control over the identity of the user associated with the newly created process. In most Java implementations, including the default behavior of the Java VM, the forked process runs with the identity of the parent process, which in Oracle Database is the Oracle OS user. For security reasons, it is advisable to run the processes forked by the Runtime.exec functionality under an OS identity with lesser rights. The dbms_java.set_runtime_exec_credentials procedure provides a mechanism to bind a specified database user/schema to a specific OS account. If you are a DBA, then you should bind database users issuing Runtime.exec calls to OS accounts with the least possible power. The following call associates the database user/schema DBUSER with the OS account osuser:
dbms_java.set_runtime_exec_credentials('DBUSER', 'osuser', 'ospass');
As a result, the OS process spawned to run the Runtime.exec commands issued by DBUSER runs with the identity of osuser. You must be the SYS user to use the set_runtime_exec_credentials procedure.
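The following script, added here as an illustration and not taken from the Oracle documentation, shows the two administrative steps the text describes performed together: granting DBUSER execute permission on a single executable path (the java.io.FilePermission that the SecurityManager checks before Runtime.exec forks), binding DBUSER to a low-privilege OS account, and then reading back the resulting Java policy so that an over-broad grant can be spotted. The user name DBUSER, the path /usr/bin/ls, the OS account jvmexec and its password are constructed placeholders. The two RuntimePermission grants are included because the spawned process's standard streams are exposed to Java as file descriptors and reading them requires these permissions.

```sql
-- Added example (not from the Oracle documentation). Run as SYS.
-- DBUSER, /usr/bin/ls, jvmexec and CHANGE_ME are constructed placeholders.

-- 1. Grant DBUSER execute permission on exactly one executable path.
--    The SecurityManager in the database JVM checks this FilePermission
--    before Runtime.exec spawns the OS process.
BEGIN
  dbms_java.grant_permission('DBUSER', 'SYS:java.io.FilePermission',
                             '/usr/bin/ls', 'execute');
  -- The child process's stdin/stdout/stderr reach Java as file descriptors;
  -- these grants let DBUSER's code read and write them.
  dbms_java.grant_permission('DBUSER', 'SYS:java.lang.RuntimePermission',
                             'readFileDescriptor', '');
  dbms_java.grant_permission('DBUSER', 'SYS:java.lang.RuntimePermission',
                             'writeFileDescriptor', '');
END;
/

-- 2. Bind DBUSER to a low-privilege OS account, so the forked process no
--    longer runs as the Oracle OS user.
BEGIN
  dbms_java.set_runtime_exec_credentials('DBUSER', 'jvmexec', 'CHANGE_ME');
END;
/

-- 3. Review what DBUSER may execute. A NAME of '<<ALL FILES>>', a directory
--    wildcard, or an ACTION wider than 'execute' is a finding to follow up.
SELECT grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE grantee = 'DBUSER'
   AND type_name IN ('java.io.FilePermission', 'java.lang.RuntimePermission')
 ORDER BY type_name, name;
```

Because the OS password is passed in clear text to set_runtime_exec_credentials, run that call interactively or from a script that is deleted afterwards rather than leaving it in a shared repository, and keep the execute grant to the specific binaries the application needs rather than a directory.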
An alternative way to secure the Runtime.exec functionality with an OS identity of lesser rights is available in pluggable databases (PDBs). The PDB_OS_CREDENTIAL initialization parameter of a PDB is recognized by Oracle JVM and is used as the effective user ID (UID) for the processes forked with the Runtime.exec functionality by any user running in the PDB.
Note:
For security reasons, the PDB_OS_CREDENTIAL initialization parameter, when in effect, always takes precedence over the settings specified with the dbms_java.set_runtime_exec_credentials procedure.
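As an added example, not from the Oracle documentation, the following script sets PDB_OS_CREDENTIAL for one PDB so that every Runtime.exec fork in that PDB runs as a single low-privilege OS account, whatever per-user bindings exist. It assumes the OS account is first stored as a DBMS_CREDENTIAL object and that the parameter is read when the PDB starts, hence the SCOPE=SPFILE setting followed by a PDB restart. The PDB name PDB1, the credential name PDB_EXEC_CRED, the OS account jvmexec and its password are constructed placeholders.

```sql
-- Added example (not from the Oracle documentation). PDB1, PDB_EXEC_CRED,
-- jvmexec and CHANGE_ME are constructed placeholders.

-- 1. As SYS in the CDB root, store the low-privilege OS account as a credential.
BEGIN
  DBMS_CREDENTIAL.CREATE_CREDENTIAL(
    credential_name => 'PDB_EXEC_CRED',
    username        => 'jvmexec',
    password        => 'CHANGE_ME');   -- replace; do not leave in a saved script
END;
/

-- 2. Make the PDB use it for every Runtime.exec fork. Because the parameter
--    overrides dbms_java.set_runtime_exec_credentials, no per-user binding
--    in PDB1 can select a more powerful OS account than this one.
ALTER SESSION SET CONTAINER = PDB1;
ALTER SYSTEM SET PDB_OS_CREDENTIAL = 'PDB_EXEC_CRED' SCOPE = SPFILE;

-- 3. Restart the PDB so the new value is read (assumption: the parameter is
--    picked up at PDB startup), then confirm it is in effect.
ALTER SESSION SET CONTAINER = CDB$ROOT;
ALTER PLUGGABLE DATABASE PDB1 CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE PDB1 OPEN;
ALTER SESSION SET CONTAINER = PDB1;
SELECT name, value FROM v$parameter WHERE name = 'pdb_os_credential';
```

The final query is the check to keep in a configuration audit: a PDB that allows Runtime.exec but shows an empty value here is relying solely on per-user set_runtime_exec_credentials bindings, and any user without one falls back to the Oracle OS user identity.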