Re: oratcl compromises security?
tpoindex_at_nyx10.nyx.net (Tom Poindexter) writes:
> In article <7jf550$lc3$1_at_Starbase.NeoSoft.COM>,
> Cameron Laird <claird_at_Starbase.NeoSoft.COM> wrote:
> >In article <928713630.147233_at_iris.nyx.net>,
> >Tom Poindexter <tpoindex_at_nyx.nyx.net> wrote:
> > .
> >>Oratcl has no backdoor, or other security problems. Period.
>
> >Let me be clear on this: there's no particular Tcl
> >content to the situation; any sufficiently potent
> >processor configured this way would present the same
> >vulnerabilities, right?
>
> That's correct. It appears that the Oracle installation leaves
> the tcl/oratcl shell as setuid 'root', executable by anyone.
> The same security hole would exist if /bin/sh was copied to
> ../bin/supersh and permissions set as rws-r-x-r-x and owner root.
That's the problem in a nutshell.
>
> >So: why the hazardous suid? Is there a fundamental
> >lacuna in Tcl's programming model (it doesn't do all
> >the Perlish tainting calculations, something like
> >that), or is this just a manifestation of what your
> >buddy Bob Gray explains is the default
> >
> > corporate policy [which] tends to favor
> > shipping products with all features
> > enabled, at the expense of security
>
> I agree with Bob in many cases, but I also like to point to a quote (whose
> author I don't remember at the moment):
>
> Don't attribute to malice what can more easily be
> explained by stupidity (or carelessness).
>
> (Which suggests this quote represents the Occam's Razor of security?)
It was definitely a case of the latter (carelessness, not stupidity). Oracle
does not have a corporate policy of shipping at the expense of security. In
fact, we have put an enormous amount of energy into making our products as
secure as possible.
Sometimes, things like this slip through. We do our best to make sure that it doesn't happen.
--
Rick

Rick Wessman
Security and Directory Technologies
Server Technologies
Oracle Corporation
rwessman_at_us.oracle.com

Received on Tue Jun 08 1999 - 07:16:12 CDT
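The check and fix a practitioner would run against an install tree after reading the exchange above, as an added example that is not part of the original post and not Oracle's or Oratcl's own tooling: list every regular file under a directory that is owned by a given user (root by default) with both the setuid bit and the other-execute bit set, which is the rws-r-x-r-x mode described in the thread, then strip the setuid bit from the offenders. The scratch directory, the `supersh` file and the `demo` function are constructed for illustration; the demo uses the current user as the owner because an unprivileged process cannot chown a file to root.

```shell
#!/bin/sh
# Audit helper for the hole discussed in the thread: a root-owned, setuid,
# world-executable interpreter (mode rws-r-x-r-x, octal 4755) sitting in an
# install tree is equivalent to a setuid copy of /bin/sh. The functions below
# find such files and strip the setuid bit. The demo at the bottom rebuilds the
# thread's supersh analogy in a scratch directory; every path there is made up.

# list_setuid_exec DIR [OWNER]
# Print each regular file under DIR owned by OWNER (default root) whose mode
# has BOTH the setuid bit and the other-execute bit set: -perm -4001 means
# "all of these bits are on". Unreadable subtrees are silenced so the output
# stays one path per line.
list_setuid_exec() {
    _dir=$1
    _owner=${2:-root}
    find "$_dir" -type f -perm -4001 -user "$_owner" 2>/dev/null
}

# count_setuid_exec DIR [OWNER]
# Number of hits from list_setuid_exec, printed as a bare integer (0 on none).
count_setuid_exec() {
    list_setuid_exec "$1" "$2" | grep -c . || true
}

# drop_setuid FILE
# Remove only the setuid bit (chmod u-s); the file stays executable for the
# same users as before. Prints the resulting mode string for the change log.
drop_setuid() {
    chmod u-s "$1" && ls -l "$1" | cut -d' ' -f1
}

# --- constructed demo: the thread's "copy /bin/sh to ../bin/supersh" case ---
demo() {
    me=$(id -un)            # owner filter: ourselves, since we cannot chown to root
    tree=$(mktemp -d)       # stand-in for an install tree such as $ORACLE_HOME
    mkdir "$tree/bin"
    cp /bin/sh "$tree/bin/supersh" 2>/dev/null || : > "$tree/bin/supersh"
    chmod 4755 "$tree/bin/supersh"   # rwsr-xr-x: setuid + world-executable

    echo "before: $(count_setuid_exec "$tree" "$me") setuid world-executable file(s)"
    list_setuid_exec "$tree" "$me"

    # Fix each hit; read line by line so paths with spaces survive.
    list_setuid_exec "$tree" "$me" | while IFS= read -r f; do
        echo "fixing $f -> $(drop_setuid "$f")"
    done

    echo "after:  $(count_setuid_exec "$tree" "$me") setuid world-executable file(s)"
    rm -rf "$tree"
}

demo
```

Against a real installation run `list_setuid_exec "$ORACLE_HOME"` as root and review the list before touching anything: an install tree can contain binaries that legitimately run setuid to a service account, which is why the owner filter defaults to root, the case the thread is about. The setuid bit on a file you own can be set by chmod without privilege, so the demo and the test below exercise the real mode bits rather than a simulation.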