In my last blog post “CREATE ANY DIRECTORY”=DBA=SYSDBA ! Ouch ! i talked about the potential threat that can represent the PREPROCESSOR feature introduced in oracle 11gr2 in a consolidated environment and how to develop a systemtap live patch to help preventing that.As Frank Pachot also stated a new parameter “PDB_OS_CREDENTIAL” was introduced in oracle 18.104.22.168 which is meant to prevent that in CDB databases:
“The operating system interactions that are done as the OS user name specified in the credential include:
- External jobs that do not already have an operating system credential specified
- External table pre-processors
- PL/SQL library executions” Ref
Still there is another threat ! As stated by Connor Mcdonald in the comment section of my previous blog post : “Similarly, giving out “create any directory” is just setting yourself up to get burned – a few nasty UTL_FILE calls against anything V$DATAFILE and whoosh…the database is gone.”
For example an administrator of one PDB can compromise data belonging to another PDB ! Or inject code in another shell script that will be executed later by a higher privileged user example : “dbhome_1/QOpatch/qopiprep.bat” used when querying “OPATCH_XML_INV”.
What if i tell you that there is a solution in CDB databases and it’s name is “PATH_PREFIX” !
PATH_PREFIX is a propriety that we specify at PDB creation : Ref
“Use this clause to ensure that file paths for directory objects associated with the PDB are restricted to the specified directory or its subdirectories. This clause also ensures that the following files associated with the PDB are restricted to the specified directory: the Oracle XML repository for the PDB, files created with a
PFILE statement, and the export directory for Oracle wallets. You cannot modify the setting of this clause after you create the PDB. This clause does not affect files created by Oracle Managed Files.”
So using this propriety all directories have to be created relatively the specified path indicated by PATH_PREFIX. (example a malicious user can no more create a directory pointing to ‘/bin’ or overwrite your data files) Feel safer no ! Let’s give it a try !
ORACLE 22.214.171.124 / OEL6.6 test :
First without setting the PATH_PREFIX :
There is no change we can still use absolute paths !
When setting the PATH_PREFIX :
We can no more use absolute path ! Good that’s what we are looking for !
And yes this PDB property existed since oracle 126.96.36.199 but it seem it was not working as expected as we can still use absolute paths even when it’s set. See Deiby Gomez test in 188.8.131.52 https://www.toadworld.com/platforms/oracle/b/weblog/archive/2015/09/25/pdb-creation-with-path-prefix .
ORACLE 184.108.40.206/OEL 6.6 test :
Although PATH_PREFIX is set we can still use absolute path at directory creation !
Check also LOCKDOWN PROFILE / PDB Lockdown Profile Features : ref
||Using external files or directory objects in the PDB when
That’s it 😀
One thought on “CREATE ANY DIRECTORY threats : PDBs and the PATH_PREFIX clause”
Thanks for this great article…..correct me if i am wrong, the lockdown profile EXTERNAL_FILE_ACCESS only covers PDB level not CDB level.