
Re: Security problem calling C external procedure

From: Sergei Gouskov <sgouskov_at_ue.com.au>
Date: Wed, 15 Nov 2000 08:46:28 +1100
Message-ID: <dpiQ5.32058$SF5.570520@ozemail.com.au>

Thank you Rick,
The problem is that the called C function does not make any calls to the database but calls shell commands like mkdir, mv, rm, etc., thus creating/deleting files and directories in the OS file system (so you can easily destroy oracle/bin....). I guess this is a question for C gurus: is it possible to reset (limit) the process's OS permissions or the OS user of the spawned process (within the process itself) so that the spawned process will not use the inherited oracle user access privileges?
TA Sergei

Rick Wessman wrote in message ...
>One thing that could be done is to make the extproc executable setuid to some
>other user. That would ensure that you are running as a user other than the
>oracle user.
>
>However, please do not make it setuid to root as (obviously) extproc would
>then be able to execute any command.
>
> Thanks,
> Rick
> Rick Wessman
> Server Security Group
> Oracle Corporation
> Rick.Wessman_at_oracle.com
>
> The opinions expressed above are mine and do not necessarily reflect
> those of Oracle Corporation.
Received on Tue Nov 14 2000 - 15:46:28 CST
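
Added example, not part of the original thread: with the executable installed setuid to a dedicated non-root account as Rick suggests, the process still carries the invoking oracle user as its real UID, and some shells (bash, for example) switch back to the real UID when real and effective IDs differ. The C code below, using a hypothetical function name `drop_to_effective_ids`, makes the real and saved IDs equal to the effective ones and verifies the result before any shell command would be run.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Make the real and saved IDs equal to the effective IDs so that nothing
 * run later (system(), fork/exec of mkdir, mv, rm) can return to the
 * invoking user's identity. Returns 0 on success, -1 on any failure.
 *
 * Assumes the setuid owner is NOT root: with a root effective UID the
 * switch-back check below succeeds and the function reports failure.
 * Supplementary groups are inherited from the invoker and cannot be
 * cleared by an unprivileged process, so they must be reviewed separately.
 */
int drop_to_effective_ids(void)
{
    uid_t old_ruid = getuid(), euid = geteuid();
    gid_t old_rgid = getgid(), egid = getegid();

    /* Group first, then user (the conventional order). */
    if (setregid(egid, egid) != 0) return -1;
    if (setreuid(euid, euid) != 0) return -1;

    /* Verify: switching back to the old IDs must now be refused. */
    if (old_rgid != egid && setegid(old_rgid) == 0) return -1;
    if (old_ruid != euid && seteuid(old_ruid) == 0) return -1;

    /* Verify: real and effective IDs now match the setuid owner. */
    if (getuid() != euid || geteuid() != euid) return -1;
    if (getgid() != egid || getegid() != egid) return -1;
    return 0;
}

int main(void)
{
    printf("before: ruid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    if (drop_to_effective_ids() != 0) {
        fprintf(stderr, "could not drop inherited IDs, refusing to continue\n");
        return 1;
    }
    printf("after:  ruid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    /* Shell commands would only be run from this point on. */
    return 0;
}
```

When the program is not installed setuid, real and effective IDs are already equal and the call changes nothing.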
