Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: new paper on direct access in C to the SGA

Re: new paper on direct access in C to the SGA

From: Mladen Gogala <>
Date: Tue, 15 Jun 2004 14:46:31 -0400
Message-ID: <>

On 06/15/2004 02:27:12 PM, "Goulet, Dick" wrote:
> Well, I know some folks here are not going to like me very much, but I for one have little respect for those who publish such hacks and not too much more for those vendors that use them. As I've said before, if you can read a memory chunk you sure as heck can write to it as well

I have to question this statement. Shared memory protection is similar to the protection of a file. You certainly can read /boot/bzImage but, unless you have the proper privilege level, you cannot write into it. Here is what shmget manpage says about the protection:

       IPC_CREAT   to create a new segment. If this flag  is  not  used,  then
                   shmget()  will  find the segment associated with key, check
                   to see if the user has  permission  to  receive  the  shmid
                   associated  with the segment, and ensure the segment is not
                   marked for destruction.
       IPC_EXCL    used with  IPC_CREAT  to  ensure  failure  if  the  segment
       mode_flags (lowest 9 bits)
                   specifying the permissions granted to the owner, group, and
                   world.  Presently, the execute permissions are not used  by
                   the system.

It is quite reminiscent of "open" call, and while normal (ab)user can open /boot/bzImage file, he usually cannot write to it, unless he's super-(ab)user and not an ordinary one. It is the same story exactly with the shared memory segments. Potential benefits for the ordinary (ab)user like me comes from the fact that, using this, I might be able to read ASCII passwords stored somewhere in the SGA and become an (ab)user with the DBA & SYSDBA privilege, and much more entertaining as such. Of course, being a DBA, I already have all privileges, which means that the code is without value for me. If someone breaks into my database using this perversion, I'll look for the instigator and let him have a really bad Finnegan's wake.

Mladen Gogala
Oracle DBA

This message is for the named person's use only.  It may contain confidential, proprietary or legally privileged information.  No confidentiality or privilege is waived or lost by any mistransmission.  If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender.  You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Wang Trading LLC and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks.
Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.

Please see the official ORACLE-L FAQ:
To unsubscribe send email to:
put 'unsubscribe' in the subject line.
Archives are at
FAQ is at
Received on Tue Jun 15 2004 - 13:44:46 CDT

Original text of this message