Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.misc -> Re: oratcl compormises security?
In article <7jf550$lc3$1_at_Starbase.NeoSoft.COM>,
Cameron Laird <claird_at_Starbase.NeoSoft.COM> wrote:
>In article <928713630.147233_at_iris.nyx.net>,
>Tom Poindexter <tpoindex_at_nyx.nyx.net> wrote:
> .
>>Oratcl has no backdoor, or other security problems. Period.
>Let me be clear on this: there's no particular Tcl
>content to the situation; any sufficiently potent
>processor configured this way would present the same
>vulnerabilities, right?
That's correct. It appears that the Oracle installation leaves the tcl/oratcl shell as setuid 'root', executable by anyone. The same security hole would exists if /bin/sh was copied to ../bin/supersh and permissions set as rws-r-x-r-x and owner root.
>So: why the hazardous suid? Is there a fundamental
>lacuna in Tcl's programming model (it doesn't do all
>the Perlish tainting calculations, something like
>that), or is this just a manifestation of what your
>buddy Bob Gray explains is the default
>
> corporate policy [which] tends to favor
> shipping products with all features
> enabled, at the expense of security
I agree with Bob in many cases, but I also like to point to a quote (who's author I don't remember at the moment:
Don't attribute to malice what can more easily be explained by stupidity (or carelessness).
(Which suggests this quote represents the Occam's Razor of security?)
--
Tom Poindexter
tpoindex_at_nyx.net
http://www.nyx.net/~tpoindex/
Received on Mon Jun 07 1999 - 10:05:46 CDT