Re: NMO not setuid-root (Unix-only)
Yong Huang wrote:
> wizofoz2k_at_yahoo.com.au (Noons) wrote:
>>"Howard J. Rogers" <hjr_at_dizwell.com> wrote:
>>>>RemoteOperationException: ERROR: NMO not setuid-root (Unix-only)
>>>>
>>>>Any suggestions?
[...]
>>
>>Someone forgot the good old chmod 4777 on executable "oracle"?
In general, a file can be removed if the directory it is in allows you to write in the directory, regardless of the file's permissions. If you have a directory with the sticky-bit set (e.g. /tmp - usually 1777 permission), then you can only remove the file if you own the file, or if you own the directory, or if you're root*.
But you're right - a SUID anything program with public write permissions is a security disaster; and group should seldom have write permission, either. In fact, when it comes down to it, the owner doesn't really need write permission -- the owner can always fix the permissions immediately before modifying it. So, 4511 or 4555 is a more sensible set of permissions; 4755 would be wholly orthodox; anything more permissive is a bad idea.
--
Jonathan Leffler                   #include <disclaimer.h>
Email: jleffler_at_earthlink.net, jleffler_at_us.ibm.com
Guardian of DBD::Informix v2003.04 -- http://dbi.perl.org/

* Quote from POSIX 1003.1 2004, Base Definitions:

4.2 Directory Protection

If a directory is writable and the mode bit S_ISVTX is set on the directory, a process may remove or rename files within that directory only if one or more of the following is true:

* The effective user ID of the process is the same as that of the owner ID of the file.
* The effective user ID of the process is the same as that of the owner ID of the directory.
* The process has appropriate privileges.

If the S_ISVTX bit is set on a non-directory file, the behavior is unspecified.

'Appropriate privileges' is POSIX-speak for 'root privileges', roughly speaking.

Received on Mon Nov 29 2004 - 23:50:03 CST
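The two rules discussed in the post above (which set-UID modes are acceptable, and who may remove a file from a sticky directory) can be checked mechanically. The following is an added example, not part of the original thread: the function names and verdict labels are assumptions made here, and 'appropriate privileges' is approximated as effective UID 0.

```python
import os
import stat
import sys

def suid_mode_verdict(mode):
    """Grade a file mode against the thresholds given in the post above."""
    perms = stat.S_IMODE(mode)
    if not perms & stat.S_ISUID:
        return "not-suid"
    if perms & stat.S_IWOTH:
        return "world-writable"   # e.g. 4777: any user can replace the code
    if perms & stat.S_IWGRP:
        return "group-writable"   # e.g. 4775: more permissive than 4755
    if perms & stat.S_IWUSR:
        return "orthodox"         # e.g. 4755
    return "tight"                # e.g. 4511 or 4555

def may_remove(dir_mode, dir_uid, file_uid, euid, dir_writable):
    """POSIX 'Directory Protection' rule for removing or renaming a file.
    dir_writable: the process already has write permission on the directory."""
    if euid == 0:                 # assumption: root stands in for 'appropriate privileges'
        return True
    if not dir_writable:
        return False
    if not dir_mode & stat.S_ISVTX:
        return True               # no sticky bit: directory write access is enough
    return euid in (file_uid, dir_uid)

def audit_tree(root):
    """Yield (path, octal mode, verdict) for set-UID regular files that are
    writable by group or others."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            verdict = suid_mode_verdict(st.st_mode)
            if verdict in ("world-writable", "group-writable"):
                yield path, oct(stat.S_IMODE(st.st_mode)), verdict

if __name__ == "__main__":
    for finding in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding)
```

Run as a script with a directory argument, it lists only the set-UID files whose mode is more permissive than 4755.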