README.sec.txt
I have no intention of becoming a channel for Oracle Support Services
but this is a significant security hole and so I'm making an exception.
----- Forwarded message from Oracle Support Services <[email protected]> -----
Date: Fri, 7 May 1999 06:29:09 -0700
From: Oracle Support Services <[email protected]>
Subject: SUID Security Issue
Platform: UNIX
Distribution: Internal & External
Problem Subject Line: SUID Security
Product: Oracle Enterprise Manager 2.0.4
Oracle Data Server
Oracle Version: 8.0.3, 8.0.4, 8.0.5, 8.1.5
Component: Intelligent Agent
Oracle Data Server
Component Version: 8.0.3, 8.0.4, 8.0.5, 8.1.5
Sub-Component: N/A
Platform Version: All Unix Versions.
Errors: N/A
Revision Date: 6-March-1999
Problem Description:
On UNIX platforms, some executable files have the setuid (SUID)
bit on. It may be possible for a knowledgeable user to use
these executables to bypass your system security by elevating
their operating system privileges. Oracle Corporation has
identified issues regarding executables with SUID set in
Oracle releases 8.0.3, 8.0.4, 8.0.5 and 8.1.5 on UNIX platforms
only. This problem will be fixed in Oracle releases 8.0.6 and
8.1.6.
Depending on your Oracle installation, the available patch will 1)
correct the SUID bits on applicable files, and/or 2) delete the
oratclsh file. This shell script should be run immediately, and also
should be run after each relink of Oracle.
You can download the patch from Oracle Support's MetaLink website by
going to the following URL,
http://support.oracle.com/ml/plsql/mlv15.frame?call_type=download&javaFlag=JAVA.
Once you are in this page, select 'Oracle RDBMS' as the product
and then click on the 'Go' button. Then download patch named 'setuid.'
Please contact Oracle Worldwide Support for any additional issues.
----- End forwarded message -----
Date: Sat, 08 May 1999 19:12:52 -0700
From: Mark Dedlow <[email protected]>
I went to the URL listed for the patch, but it appears you can't get to
it directly. It requires an Oracle Metalink account, and even then, you
have to follow a bunch of links to get it, you can't go direct (at
least I couldn't at the URL in the announcement).
You don't really need the patch however, it's just a shell script that
in effect does chmod -s on everything in $ORACLE_HOME/bin except
'oracle' and 'dbsnmp' (needed only for OEM or SNMP).
Also, although the patch didn't address the issue, make sure _nothing_
below ORACLE_HOME is owned by root. There are some installations that
make certain files setuid to root (files that are trivial to compromise).
Mark
------------------------------------------------------------------------------
From: Dan Sugalski <[email protected]>
Date: Mon, 10 May 1999 09:13:28 -0700
The patch actually removes the setuid bit on a number of oracle
executables. The 'unset' list is:
lsnrctl oemevent onrsd osslogin tnslsnr tnsping trcasst trcroute cmctl
cmadmin cmgw names namesctl otrccref otrcfmt otrcrep otrccol oracleO
While the 'must set' list is:
oracle dbsnmp
The shell script to fix the bits properly was posted to the oracle list
running at telelists.com. Check the archives there for it if you want.
(www.telelists.com) I think it's also gone out to one of the BUGTRAQ
lists, and some of the CERTs might have it too.
Dan
------------------------------------------------------------------------------
Date: Wed, 12 May 1999 11:49:45 -0700
From: Mark Dedlow <[email protected]>
> The patch actually removes the setuid bit on a number of oracle
> executables. The 'unset' list is:
>
> lsnrctl oemevent onrsd osslogin tnslsnr tnsping trcasst trcroute cmctl
> cmadmin cmgw names namesctl otrccref otrcfmt otrcrep otrccol oracleO
Actually, there's a little more than that. For each item in that list,
it also looks for a version of the file with a 0 or O appended to it
(these are backups the link makefiles create), so the above list isn't
exactly complete.
The important issues are simply:
o *ONLY* $ORACLE_HOME/bin/oracle requires setuid bit set for
the Oracle RDBMS and tools to function.
o *IF* you run dbsnmp, it must be setuid. (If you don't know what dbsnmp
is, you're probably not running it -- it's a remote monitoring/control
daemon)
Armed with that knowledge, you can use any technique you like to achieve
the desired results. For example, this achieves it:
find $ORACLE_HOME/bin -perm -4000 ! -name oracle ! -name dbsnmp | xargs chmod -s
Mark
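The rule the thread arrives at (only 'oracle', and 'dbsnmp' if the agent runs, may stay setuid; relink backups with a 0 or O suffix count as strays; nothing under ORACLE_HOME should be root-owned) can be turned into a small audit script. The following is an added example written for this page, not Oracle's patch script nor anything posted to the list; the function names, the ALLOWED_SETUID list and the optional --fix flag are this example's own choices. It only reports by default and strips bits only when asked, so it can be run from cron or after each relink as the advisory recommends.

```shell
#!/bin/sh
# Audit setuid bits under an Oracle bin directory (added example, not Oracle's patch).
# Allowlist from the thread: 'oracle' always, 'dbsnmp' only if the agent is in use.
ALLOWED_SETUID="oracle dbsnmp"

# is_allowed NAME -> exit 0 if NAME is on the allowlist (exact match, so the
# relink backups 'oracleO' / 'dbsnmp0' are NOT allowed and get reported).
is_allowed() {
    for n in $ALLOWED_SETUID; do
        [ "$1" = "$n" ] && return 0
    done
    return 1
}

# list_stray_setuid DIR: print every setuid regular file under DIR whose
# basename is not on the allowlist. -perm -4000 selects the setuid bit.
list_stray_setuid() {
    find "$1" -type f -perm -4000 -print | while IFS= read -r path; do
        name=${path##*/}
        is_allowed "$name" || printf '%s\n' "$path"
    done | LC_ALL=C sort
}

# count_stray_setuid DIR: number of stray files, handy for a monitoring check.
count_stray_setuid() {
    list_stray_setuid "$1" | wc -l | tr -d ' '
}

# strip_stray_setuid DIR: clear setuid and setgid on each stray file
# (same effect as the thread's 'chmod -s') and print what was changed.
strip_stray_setuid() {
    list_stray_setuid "$1" | while IFS= read -r path; do
        chmod u-s,g-s "$path" && printf 'fixed %s\n' "$path"
    done
}

# list_root_owned DIR: the thread's second warning; anything under ORACLE_HOME
# owned by root is worth a look (the bits alone are not the whole story).
list_root_owned() {
    find "$1" -user root -print | LC_ALL=C sort
}

# Stand-alone use: ./audit_setuid.sh [--fix]  (reads ORACLE_HOME from the environment)
if [ -n "${ORACLE_HOME:-}" ] && [ -d "$ORACLE_HOME/bin" ]; then
    echo "stray setuid files under $ORACLE_HOME/bin:"
    list_stray_setuid "$ORACLE_HOME/bin"
    echo "root-owned files under $ORACLE_HOME:"
    list_root_owned "$ORACLE_HOME"
    [ "${1:-}" = "--fix" ] && strip_stray_setuid "$ORACLE_HOME/bin"
fi
```

The exact-name allowlist is the point: the thread's `! -name oracle` exclusion is correct for the live binary, but a relinked tree leaves `oracleO` beside it with the same mode, and that copy is just as exploitable, so it must be reported rather than silently excluded.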
------------------------------------------------------------------------------
One further note I'll pass on anonymously and without comment:
> please include something like: "After removing the setuid bits, slap
> your system administrator for running root.sh as root without actually
> reading it first."
> :)
------------------------------------------------------------------------------