Oracle FAQ Your Portal to the Oracle Knowledge Grid

RE: Slightly off topic: Unix set-uid bit on ksh script

From: Brian MacLean <bmaclean_at_homebid.com>
Date: Fri, 11 Aug 2000 17:15:37 -0700
Message-Id: <10586.114443@fatcity.com>

Sun has fun with shared libraries when the SUID bit is on in that the runtime LD_LIBRARY_PATH is more or less disabled if you're not the owner of the executable. So the only libraries that are valid are the ones used at compile time (via the ld command). I'm not sure of the absolute fix in your environment without more information; you might just need a recompile of SQL*Plus.

Anyway, add the command "ldd -v $ORACLE_HOME/bin/sqlplus" to your script and run it with and without the SUID bit and as a problem/non-problem user, and see what/where/when/how libsunmath.so.1 is found.

BOL

-----Original Message-----
From: Chuck Hamilton [mailto:chuck_hamilton_at_yahoo.com]
Sent: Friday, August 11, 2000 9:56 AM
To: Multiple recipients of list ORACLE-L
Subject: Slightly off topic: Unix set-uid bit on ksh script

I'm trying to write a ksh script that reads the Oracle DBA password from a file, connects with sqlplus, and runs a query. The catch is that I want anyone to be able to run the script, but not to be able to see the password. My idea was to put the password in a file that only the oracle user can read, and set the suid bit on the executable script so that the script could read the file but not the user. Problem is I started getting the following error if anyone other than oracle tries to run the script.

ld.so.1: sqlplus: fatal: libsunmath.so.1: open failed: No such file or directory

When oracle runs it, it works fine.

I put a "set > test" line in the script right before it runs sqlplus, and that file shows that the PATH and LD_LIBRARY_PATH variables are being set correctly. In fact, if I just hard-code the password into the script and remove the suid bit, anyone can run it. Is there something that the suid bit changes in the process's environment that I'm missing here? The platform is Solaris 2.6.


Do You Yahoo!?
Kick off your party with Yahoo! Invites <http://invites.yahoo.com/> .
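An added example, not part of the thread, that automates the check Brian suggests: it parses `ldd` output for dependencies the runtime linker could not resolve and reports whether the script is running with an effective UID different from the real one (the set-uid case in which ld.so.1 stops honouring LD_LIBRARY_PATH). The sample `ldd` output and the `/u01/...` library path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Reads ldd output and
# prints one unresolved library per line. Both Solaris and Linux ldd
# mark an unresolved dependency with "(file not found)".
missing_libs() {
    # Each ldd line looks like "<lib> => <path or (file not found)>";
    # keep only <lib> for the unresolved ones.
    awk '/\(file not found\)/ { print $1 }'
}

# Returns 0 when the real and effective UIDs differ, i.e. the process
# is running set-uid and LD_LIBRARY_PATH will be ignored by ld.so.1.
running_setuid() {
    [ "$(id -ru)" != "$(id -u)" ]
}

# Constructed sample ldd output modelled on the error in the thread
# (the Oracle library path below is made up for the example).
SAMPLE_LDD='    libsunmath.so.1 =>   (file not found)
    libclntsh.so.8.0 =>  /u01/app/oracle/product/8.0.6/lib/libclntsh.so.8.0
    libc.so.1 =>         /usr/lib/libc.so.1'

# Run the parser over the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_LDD" | missing_libs
}

# Run the real check on a binary when one is given, e.g.
#   sh this_script.sh "$ORACLE_HOME/bin/sqlplus"
# Run it once as the owner and once as another user, with and without
# the set-uid bit, to see which libraries stop resolving.
if [ -n "$1" ]; then
    if running_setuid; then
        echo "note: real uid $(id -ru) != effective uid $(id -u); LD_LIBRARY_PATH is ignored"
    fi
    echo "Unresolved libraries for $1:"
    ldd "$1" | missing_libs
fi
```

Libraries that show up as unresolved only in the set-uid run are the ones being found through LD_LIBRARY_PATH rather than through the binary's compiled-in runpath or the system default directories.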

Received on Fri Aug 11 2000 - 19:15:37 CDT
