
Re: oratcl compromises security?

From: Tom Poindexter <tpoindex_at_nyx10.nyx.net>
Date: Mon, 07 Jun 1999 15:05:46 GMT
Message-ID: <928767940.718024@iris.nyx.net>


In article <7jf550$lc3$1_at_Starbase.NeoSoft.COM>, Cameron Laird <claird_at_Starbase.NeoSoft.COM> wrote:
>In article <928713630.147233_at_iris.nyx.net>,
>Tom Poindexter <tpoindex_at_nyx.nyx.net> wrote:
> .
>>Oratcl has no backdoor, or other security problems. Period.

>Let me be clear on this: there's no particular Tcl
>content to the situation; any sufficiently potent
>processor configured this way would present the same
>vulnerabilities, right?

That's correct. It appears that the Oracle installation leaves the tcl/oratcl shell as setuid 'root', executable by anyone. The same security hole would exist if /bin/sh was copied to ../bin/supersh and permissions set as rws-r-x-r-x and owner root.

>So: why the hazardous suid? Is there a fundamental
>lacuna in Tcl's programming model (it doesn't do all
>the Perlish tainting calculations, something like
>that), or is this just a manifestation of what your
>buddy Bob Gray explains is the default
>
> corporate policy [which] tends to favor
> shipping products with all features
> enabled, at the expense of security

I agree with Bob in many cases, but I also like to point to a quote (whose author I don't remember at the moment):

	Don't attribute to malice what can more easily be 
	explained by stupidity (or carelessness).

(Which suggests this quote represents the Occam's Razor of security?)

--
Tom Poindexter
tpoindex_at_nyx.net
http://www.nyx.net/~tpoindex/

Received on Mon Jun 07 1999 - 10:05:46 CDT
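The post's point is that a setuid-root interpreter that anyone can execute is equivalent to a setuid-root copy of /bin/sh: the risk lives in the file's mode and owner, not in Tcl. The audit below is an added example, not code from the thread or from the oratcl project; it classifies a file as a hazardous setuid executable exactly when it is a regular file, has the setuid bit, is owned by the given owner (root by default) and is executable by "other", and renders the mode the way `ls -l` does (`-rwsr-xr-x`, the "rws-r-x-r-x" in the post). The paths and file names in the constructed sample records are hypothetical.

```python
#!/usr/bin/env python3
"""Audit records or a directory tree for world-executable setuid-root files.

Added example; paths and names below are constructed, not from any product.
"""
import os
import stat
from typing import Iterable, List, NamedTuple


class Record(NamedTuple):
    path: str
    mode: int   # full st_mode value, e.g. 0o104755 for a setuid regular file
    uid: int    # numeric owner


def is_setuid_executable(mode: int, uid: int, owner_uid: int = 0) -> bool:
    """True for the post's hazard: a regular file, setuid, owned by owner_uid
    (root by default) and executable by anyone (the 'other' x bit)."""
    return (stat.S_ISREG(mode)
            and bool(mode & stat.S_ISUID)
            and uid == owner_uid
            and bool(mode & stat.S_IXOTH))


def describe(mode: int) -> str:
    """Render a mode the way ls -l does, e.g. '-rwsr-xr-x'."""
    return stat.filemode(mode)


def audit_records(records: Iterable[Record], owner_uid: int = 0) -> List[Record]:
    """Pure classification over already-collected (path, mode, uid) records."""
    return [r for r in records if is_setuid_executable(r.mode, r.uid, owner_uid)]


def audit_tree(root: str, owner_uid: int = 0) -> List[Record]:
    """Walk a directory tree with lstat (no symlink following) and collect findings."""
    findings: List[Record] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; skip rather than abort
            if is_setuid_executable(st.st_mode, st.st_uid, owner_uid):
                findings.append(Record(path, st.st_mode, st.st_uid))
    return findings


# Constructed sample records (hypothetical paths) covering each branch of the check.
CONSTRUCTED = [
    Record("/opt/oracle/bin/oratclsh", 0o104755, 0),     # setuid root, world-exec: flagged
    Record("/opt/oracle/bin/sqlplus", 0o100755, 0),      # no setuid bit
    Record("/opt/oracle/bin/tclsh", 0o104750, 0),        # setuid root but not executable by other
    Record("/home/oracle/bin/tool", 0o104755, 1001),     # setuid, but owner is not root
]


if __name__ == "__main__":
    for r in audit_records(CONSTRUCTED):
        print(f"{describe(r.mode)} uid={r.uid} {r.path}")
    # To audit a real tree: audit_tree("/opt/oracle")
```

The same check from the command line is `find /opt/oracle -type f -perm -4000 -user root -perm -o=x`; the Python version is handy when the result feeds a report or a test that a post-install hardening step actually cleared the bit.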
