Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.misc -> Re: oratcl compormises security?

Re: oratcl compormises security?

From: Cameron Laird <claird_at_Starbase.NeoSoft.COM>
Date: 6 Jun 1999 19:52:48 -0500
Message-ID: <7jf550$lc3$1@Starbase.NeoSoft.COM>


In article <928713630.147233_at_iris.nyx.net>, Tom Poindexter <tpoindex_at_nyx.nyx.net> wrote:

			.
			.
			.

>Oratcl has no backdoor, or other security problems. Period.
>
>Please check the source for yourself if you're in doubt. Oratcl has
>always been open sourced software, and thousands of users use Oratcl
>everyday without security problems.
>
>Oracle Corporation uses Tcl and a modified Oratcl extension in their
>Oracle Enterprise Manager product. Oracle developers have not
>offered to make their modifications public, nor have I seen those
>modifications either, which according to Oratcl's BSD-style license, is
>perfectly acceptable.
>
>The problem is that Oracle ships the tcl/oratcl interpreter as set-id to
>'root' in some installations. Furthermore, the exectuable file permissions
>allows execution by any user. (rwsr-x-r-x)
>
>This is obliviously a security breach, since a simple Tcl interpreter has the
>ability to read/write files, exec other programs, etc., just as any ordinary
>shell such as /bin/sh, /bin/ksh, /bin/csh, etc. Any user can exec the
>oratclsh interpreter, and as set-id 'root', have instant access to
>anything on the system.
>
>I would appreciate the names of the trade publications that have pointed to
>Oratcl as a secutiry fault so that I can set the record straight.
			.
			.
			.

Let me be clear on this: there's no particular Tcl content to the situation; any sufficiently potent processor configured this way would present the same vulnerabilities, right?

So: why the hazardous suid? Is there a fundamental lacuna in Tcl's programming model (it doesn't do all the Perlish tainting calculations, something like that), or is this just a manifestation of what your buddy Bob Gray explains is the default

  corporate policy [which] tends to favor   shipping products with all features
  enabled, at the expense of security

?
--

Cameron Laird           http://starbase.neosoft.com/~claird/home.html

claird_at_NeoSoft.com      +1 281 996 8546 FAX
Received on Sun Jun 06 1999 - 19:52:48 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US