Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: oratcl compromises security?

From: Tom Poindexter <tpoindex_at_nyx.nyx.net>
Date: Mon, 07 Jun 1999 00:00:40 GMT
Message-ID: <928713630.147233@iris.nyx.net>


In article <jnebeard-0606991210180001_at_pool044-max9.ds17-ca-us.dialup.earthlink.net>, Jeff & Eilene Beard <jnebeard_at_earthlink.net> wrote:
>Recent trade article fingers oratcl as allowing you "to be only three commands"
>away from root access! Personally, I think this is scapegoating, as oratcl does
>not run suid { run as root }. Secondly, the SU command itself is only ONE
>command away from root access. The only context that makes any sense (to me)
>is that the concern is Web access exposing a database's security.
>
>The article explains that the Oracle 8i Intelligent Agent (OIA) used the
>oratcl add-on, and once any OIA was 'discovered' the security of the database
>was exposed. It also discloses that Oracle is hush-hush on the subject and will
>discuss the issue ONLY for users subscribing to ($paying $for) their support.
>
>While I hope that NO ONE divulges the precise how-to, I would dearly love to
>understand whether the fault lies truly with oratcl vs the Oracle 8i
>Intelligent Agent.
>With a correctly installed cgi-bin/ and not allowing direct access to
>cgi-bin/$suid_programs, the complaint "feels" bogus.
>
>Can someone with authoritative information put a nail in this to bury the
>finger pointing? If oratcl is the culprit, what's the ETA for closing
>this backdoor?
>
>Jeff
>

Oratcl has no backdoor, or other security problems. Period.

Please check the source for yourself if you're in doubt. Oratcl has always been open sourced software, and thousands of users use Oratcl every day without security problems.

Oracle Corporation uses Tcl and a modified Oratcl extension in their Oracle Enterprise Manager product. Oracle developers have not offered to make their modifications public, nor have I seen those modifications either, which according to Oratcl's BSD-style license, is perfectly acceptable.

The problem is that Oracle ships the tcl/oratcl interpreter as set-id to 'root' in some installations. Furthermore, the executable file permissions allow execution by any user. (rwsr-xr-x)

This is obviously a security breach, since a simple Tcl interpreter has the ability to read/write files, exec other programs, etc., just as any ordinary shell such as /bin/sh, /bin/ksh, /bin/csh, etc. Any user can exec the oratclsh interpreter, and as set-id 'root', have instant access to anything on the system.

I would appreciate the names of the trade publications that have pointed to Oratcl as a security fault so that I can set the record straight.

--
Tom Poindexter
tpoindex_at_nyx.net
http://www.nyx.net/~tpoindex/

Received on Sun Jun 06 1999 - 19:00:40 CDT
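The condition Tom describes (a set-uid root interpreter that any user may execute, mode rwsr-xr-x) is easy to audit for. The POSIX sh script below is an added example, not code from the post or from the Oratcl project; the function names, the directory argument and the stand-in file named oratclsh are all assumptions.

```shell
#!/bin/sh
# Audit a directory tree for the misconfiguration described above: regular
# files carrying BOTH the set-uid bit (4000) and the other-execute bit (0001).
# find -perm -MODE matches when every bit in MODE is set, so -4001 catches
# rwsr-xr-x (and any other set-uid file the world can run).

# Print each finding as "mode owner path"; exit 0 when the tree is clean,
# 1 when at least one set-uid, world-executable file exists.
audit_setuid_interp() {
    dir=$1
    # ls -l is used because the stat(1) syntax differs between Linux and BSD
    find "$dir" -type f -perm -4001 -exec ls -l {} \; 2>/dev/null \
        | awk '{ print $1, $3, $NF }'
    n=$(find "$dir" -type f -perm -4001 2>/dev/null | wc -l)
    [ "$n" -eq 0 ]
}

# Count-only variant for scripting: prints the number of offending files.
count_setuid_interp() {
    find "$1" -type f -perm -4001 2>/dev/null | wc -l | tr -d ' '
}

# Mitigation: clear the set-uid bit so the interpreter runs with the
# privileges of whoever invokes it, not the file owner's.
strip_setuid() {
    chmod u-s "$1"
}

# Self-contained demo on a constructed stand-in file (owned by the caller,
# not root, since the point is the mode bits). Prints "<before> <after>".
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/oratclsh"          # constructed placeholder, not a real binary
    chmod 4755 "$tmp/oratclsh"   # reproduces rwsr-xr-x
    before=$(count_setuid_interp "$tmp")
    strip_setuid "$tmp/oratclsh"
    after=$(count_setuid_interp "$tmp")
    rm -rf "$tmp"
    echo "$before $after"
}
```

Run `audit_setuid_interp /path/to/oracle_home` as any user; an exit status of 1 with output listing the interpreter is the finding, and `demo` prints `1 0`.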

