Skip to Main Content
  • Questions

  • ORA-29289: Can directory permissions be granted in a role or must they be directly granted to a user/schema?

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, Eric.

Asked: June 09, 2016 - 7:29 pm UTC

Last updated: June 11, 2016 - 4:20 am UTC

Version: Oracle 11gr2

Viewed 100K+ times! This question is

You Asked

Tom,

Can directory permissions be granted in a role or must they be directly granted to a user/schema? I have a situation where I can't write to a file on a Unix file system. The customer I work for insists that most or all privileges be in a role and not directly granted to the user/schema because of security reasons. I'm not allowed CREATE ANY DIRECTORY privileges on my database so I can't experiment by granting the privs directly to the user/schema. Be advised that I sanitized this example so I haven't tested this exact code.

Here is my example:

In Oracle...

CREATE OR REPLACE DIRECTORY MY_DIR AS '/my_apps/my_files';

CREATE ROLE MY_ROLE NOT IDENTIFIED;
GRANT MY_ROLE TO MY_USER;
GRANT READ, WRITE ON DIRECTORY MY_DIR TO MY_ROLE;

GRANT EXECUTE ON SYS.UTL_FILE TO MY_USER;

CREATE OR REPLACE PROCEDURE MY_USER.TEST_WRITEFILE IS
out_File UTL_FILE.FILE_TYPE;
BEGIN
out_File := UTL_FILE.FOPEN ('MY_DIR', 'test.txt', 'W');
UTL_FILE.PUT_LINE (out_File, 'hello world');
UTL_FILE.FCLOSE (out_File);
END;


In Unix...

On our system, Oracle always writes files as owner "oracle" and group "dba". I have a service account called "my_account" and group "my_group". Directory "/my_apps/my_files" is owned by "my_account" and in group "my_group". The permissions on "/my_apps/my_files" are 770 or read/write/execute for both owner and group and no perms for others. I had the Unix admin add group "my_group" to the Oracle user "oracle".

/my_apps>groups oracle
dba my_group
/my_apps>ll
drwxrwx--- 2 my_account my_group 1024 Jun 9 10:04 my_files


The Error...

When I execute procedure MY_USER.TEST_WRITEFILE, I get this error:

declare
begin
my_user.test_writefile;
end;
Error at line 1
ORA-29289: directory access denied
ORA-06512: at "SYS.UTL_FILE", line 41
ORA-06512: at "SYS.UTL_FILE", line 478
ORA-06512: at "MY_USER.TEST_WRITEFILE", line 4
ORA-06512: at line 3

What am I doing wrong?

and Connor said...

Looks like it must be directly to the user. Here's an example on Windows (so we're taking Unix out of the equation)


SQL> conn / as sysdba
Connected.

SQL> CREATE OR REPLACE DIRECTORY MY_DIR AS 'c:\temp';

Directory created.

SQL>
SQL> CREATE ROLE MY_ROLE;

Role created.

SQL> GRANT READ, WRITE ON DIRECTORY MY_DIR TO MY_ROLE;

Grant succeeded.

SQL>
SQL> GRANT connect, MY_ROLE TO MY_USER identified by my_user;

Grant succeeded.

SQL>
SQL> GRANT EXECUTE ON SYS.UTL_FILE TO MY_USER;

Grant succeeded.

SQL>
SQL> CREATE OR REPLACE PROCEDURE MY_USER.TEST_WRITEFILE IS
  2    out_File UTL_FILE.FILE_TYPE;
  3  BEGIN
  4    out_File := UTL_FILE.FOPEN ('MY_DIR', 'test.txt', 'W');
  5    UTL_FILE.PUT_LINE (out_File, 'hello world');
  6    UTL_FILE.FCLOSE (out_File);
  7  END;
  8  /

Procedure created.

SQL>
SQL>
SQL> conn my_user/my_user
Connected.

SQL> exec TEST_WRITEFILE
BEGIN TEST_WRITEFILE; END;

*
ERROR at line 1:
ORA-29289: directory access denied
ORA-06512: at "SYS.UTL_FILE", line 41
ORA-06512: at "SYS.UTL_FILE", line 478
ORA-06512: at "MY_USER.TEST_WRITEFILE", line 4
ORA-06512: at line 1

SQL> conn / as sysdba
Connected.

SQL> GRANT READ, WRITE ON DIRECTORY MY_DIR TO my_user;

Grant succeeded.

SQL> conn my_user/my_user
Connected.

SQL>
SQL> exec TEST_WRITEFILE

PL/SQL procedure successfully completed.

SQL>
SQL>


Rating

  (2 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Followup

Ghassan, June 10, 2016 - 9:01 am UTC

The reason maybe is that the user is the commonly shared thing btw os and db not the role which is a pure db object.
Maybe asking the dba for say a db trigger that read dictionary and do grant (to the directory ) to all users having such role ..
Connor McDonald
June 10, 2016 - 11:23 am UTC

good input.

Thanks Connor, you rock!

Eric Sperling, June 10, 2016 - 1:47 pm UTC

Connor,

Thanks for your prompt answer. I had my suspicions about it needing direct grants but I had no way to test it. I'm also glad that you had the foresight to run the example in Windows taking Unix out of the equation.


Connor McDonald
June 11, 2016 - 4:20 am UTC

glad we could help
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library