Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Project lockdown - opinion solicitation

Re: Project lockdown - opinion solicitation

From: joel garry <>
Date: Mon, 27 Aug 2007 10:56:30 -0700
Message-ID: <>

On Aug 26, 5:27 pm, HansF <> wrote:
> On Aug 24, 11:31 am, EdStevens <> wrote:
> > On advice last week, I have downloaded the "Project Lockdown" document
> > and begun reviewing it. I get a very uneasy feeling about his
> > suggestion to remove the SUID bit from the Oracle executables.
> I don't quite understand why people are scared of setUID without
> defining the context. SUID to ROOT - yes, that is dangerous, but SUID
> to Oracle?
> The SUID--oracle capability says "people do not need to log on to
> Oracle userid to be able to administer the Oracle environment. We can
> log and audit that external usage very well both at the OS and the
> Oracle level and this way we also have non-repudiation by ensuring
> that all administrators use their own account."

Doesn't it also mean that anyone running anything that has the bit set is allowed to do things as thought they have the security of the thing that is set? So, if Oracle has the ability to do things that ordinary users are not allowed to do, doesn't that possibly allow someone to abuse that? The possibilities become legion. Unlikely for a small site, but any time you have something desireable enough out of the entire population of Oracle sites, it might be worthwhile for someone to find any little hole and then propagate it. That's what all those security updates are about, eh? For example, someone figured out a buffer overflow exploit for CMAN, which would then allow a sophisticated malicious user to bootstrap into doing anything as the oracle user/group, which means control of the entire database. Then someone found a buffer exploit in the listener. Then 9 and 10 were released and people are still finding things.

Social engineering is a lot easier, of course.

Oh, they haven't given me a login and the admin is out fishing with management, would you please log me into your account? I need to fix the corrupted extproc executable, bug 6329586.

> It seems to me that the people making the recommendations might be
> using the "I heard about this and therefore it must be bad" decision
> making process rather than understanding the technology involved. As
> with all Rules of Thumb - if the assumptions are not known, then it is
> easy for the rule to slide to rot.
> (I'd almost be willing to bet it's an auditor recommendation around
> SOX.)
> /Hans

-- is bogus.
Received on Mon Aug 27 2007 - 12:56:30 CDT

Original text of this message