In article <928713630.147233_at_iris.nyx.net>,
Tom Poindexter <tpoindex_at_nyx.nyx.net> wrote:
.
.
.
>Oratcl has no backdoor, or other security problems. Period.
>
>Please check the source for yourself if you're in doubt. Oratcl has
>always been open sourced software, and thousands of users use Oratcl
>everyday without security problems.
>
>Oracle Corporation uses Tcl and a modified Oratcl extension in their
>Oracle Enterprise Manager product. Oracle developers have not
>offered to make their modifications public, nor have I seen those
>modifications either, which according to Oratcl's BSD-style license, is
>perfectly acceptable.
>
>The problem is that Oracle ships the tcl/oratcl interpreter as set-id to
>'root' in some installations. Furthermore, the exectuable file permissions
>allows execution by any user. (rwsr-x-r-x)
>
>This is obliviously a security breach, since a simple Tcl interpreter has the
>ability to read/write files, exec other programs, etc., just as any ordinary
>shell such as /bin/sh, /bin/ksh, /bin/csh, etc. Any user can exec the
>oratclsh interpreter, and as set-id 'root', have instant access to
>anything on the system.
>
>I would appreciate the names of the trade publications that have pointed to
>Oratcl as a secutiry fault so that I can set the record straight.
.
.
.
Let me be clear on this: there's no particular Tcl
content to the situation; any sufficiently potent
processor configured this way would present the same
vulnerabilities, right?
So: why the hazardous suid? Is there a fundamental
lacuna in Tcl's programming model (it doesn't do all
the Perlish tainting calculations, something like
that), or is this just a manifestation of what your
buddy Bob Gray explains is the default
corporate policy [which] tends to favor
shipping products with all features
enabled, at the expense of security
?
--
Cameron Laird http://starbase.neosoft.com/~claird/home.html
claird_at_NeoSoft.com +1 281 996 8546 FAX
Received on Sun Jun 06 1999 - 19:52:48 CDT