11.4 Secure Use of Runtime.exec Functionality in Oracle Database

This section is intended for DBAs and security administrators, and provides guidelines for the secure use of the Java SE Runtime.exec functionality in Java applications running inside Oracle Database. The java.lang.Runtime.exec methods, found in the Java SE libraries and supported by the Java Virtual Machine (Java VM) since release 9, spawn a new operating system (OS) process and execute the specified command and arguments in that process. If a SecurityManager is present, which is always the case for the Java VM running in the database, then a security check for file execution permission on the relevant path names is performed before the new OS process starts. If you are a DBA or a security administrator, then you are responsible for granting file read, write, and execute permissions selectively, and only to the database users who are authorized to run server-side OS commands. In addition, Oracle strongly recommends using the dbms_java.set_runtime_exec_credentials procedure to control the OS user identity of spawned commands, as described in the following sections.

By design, Runtime.exec and the related functionality of the java.lang.ProcessBuilder and java.lang.Process classes provide no control over the identity of the user associated with the newly created process. In most Java implementations, including the default behavior of the Java VM, the forked process runs with the identity of the parent process, which in Oracle Database is the Oracle OS user. For security reasons, it is advisable to run the processes forked through the Runtime.exec functionality under an OS identity that has fewer rights. The dbms_java.set_runtime_exec_credentials procedure provides a mechanism to bind a specified database user/schema to a specific OS account. If you are a DBA, then you should bind database users that issue Runtime.exec calls to OS accounts with the least possible privileges. The following call associates the database user/schema DBUSER with the OS account osuser:

dbms_java.set_runtime_exec_credentials('DBUSER', 'osuser', 'ospass');

As a result, the OS process spawned to run the Runtime.exec commands issued by DBUSER runs with the identity of osuser. You must be the SYS user to use the set_runtime_exec_credentials procedure.
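The following SQL*Plus script, added here as an example and not taken from the Oracle documentation, applies the guidance above as SYS: it removes any all-files execute grant, grants execute permission on a single vetted binary through dbms_java.grant_permission (an existing procedure this section does not name), binds DBUSER to a low-privilege OS account, and then lists the resulting file permissions from DBA_JAVA_POLICY. DBUSER, osuser/ospass, and the binary path are placeholders.

```sql
-- Added example, not Oracle's own code. Run as SYS in SQL*Plus.
-- DBUSER, osuser/ospass and /usr/local/bin/report-export are placeholders.

-- 1. Weak setting to avoid: execute rights on every file on the host.
--    Remove such a grant if it was ever issued for this schema.
BEGIN
  dbms_java.revoke_permission(
    grantee           => 'DBUSER',
    permission_type   => 'SYS:java.io.FilePermission',
    permission_name   => '<<ALL FILES>>',
    permission_action => 'execute');
END;
/

-- 2. Least privilege: allow DBUSER to execute one specific, vetted binary only.
BEGIN
  dbms_java.grant_permission(
    grantee           => 'DBUSER',
    permission_type   => 'SYS:java.io.FilePermission',
    permission_name   => '/usr/local/bin/report-export',  -- placeholder path
    permission_action => 'execute');
END;
/

-- 3. Bind DBUSER to a low-privilege OS account so that processes spawned by
--    its Runtime.exec calls do not inherit the Oracle OS user's identity.
BEGIN
  dbms_java.set_runtime_exec_credentials('DBUSER', 'osuser', 'ospass');
END;
/

-- 4. Verification: show every file permission held by DBUSER. Any row with
--    NAME = '<<ALL FILES>>' and an execute action should be treated as a finding.
SELECT grantee, name, action, enabled
  FROM dba_java_policy
 WHERE type_schema = 'SYS'
   AND type_name   = 'java.io.FilePermission'
   AND grantee     = 'DBUSER'
 ORDER BY name, action;
```

Running step 4 periodically across all grantees (drop the GRANTEE filter) gives a quick audit of which schemas can launch which OS binaries.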

An alternative way to secure the Runtime.exec functionality under an OS identity with fewer rights is available in pluggable databases (PDBs). The PDB_OS_CREDENTIAL initialization parameter of a PDB is recognized by Oracle JVM and is used as the effective user ID (UID) for processes forked through the Runtime.exec functionality by any user running in that PDB.

Note:

For security reasons, the PDB_OS_CREDENTIAL initialization parameter, when in effect, always takes precedence over the settings specified with the dbms_java.set_runtime_exec_credentials procedure.