Re: osh: security problem?

From: Lee Parsons <lparsons_at_exlog.com>
Date: Mon, 9 Aug 93 15:10:59 GMT
Message-ID: <1993Aug9.151059.5931_at_exlog.com>


In article <244deh$fiv_at_falin.cs.uow.edu.au> Phil Herring <phil_herring_at_info-gw.uow.edu.au> writes:
>Does anyone out there know whether osh (which runs setuid root)
>constitutes a security hole in Unix environments? One of our Unix
>people seems unsettled by its use by some of our students here,
>and asserts that if it isn't written with security in mind, it
>might be possible to crack the system with it.

While it is true that a suid program not written with security in mind is a possible hole, I don't think you have anything to worry about in osh.

All osh does is increase your ULIMIT so you can open oracle datafiles and turn right around and set you back to your original uid. I haven't heard of any problems with it. But if your UNIX guy is really concerned, give him (sorry that was sexist) the code and tell him to check it out. It is distributed as part of the tools and should be under rdbms/admin.

If this is still a problem, make the unix group replace it. If you take out all the portability/error checking stuff it should be about five lines that do nothing but up the ulimit, change the uid and exec sh. It would be kinda hard to do anything illegal with that.

-- 
Regards, 

Lee E. Parsons                  		Baker Hughes Inteq, Inc
Oracle Database Administrator 			lparsons_at_exlog.com 
Received on Mon Aug 09 1993 - 17:10:59 CEST
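
The sequence described in the message above (raise the limit, return to the original uid, exec sh), written out as an added C example that is not part of the original post and is not Oracle's osh source. It assumes modern POSIX setrlimit(RLIMIT_FSIZE) in place of the 1993 ulimit call; the function names raise_fsize_limit and drop_privileges are hypothetical, and the drop is verified so the shell cannot regain root.

```c
/* Added illustration of a setuid-root wrapper; not the osh source. */
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: RLIMIT_FSIZE stands in for the historical ULIMIT.
 * Raising it past the hard limit only works while euid is still 0. */
static int raise_fsize_limit(void)
{
    struct rlimit rl = { RLIM_INFINITY, RLIM_INFINITY };
    return setrlimit(RLIMIT_FSIZE, &rl);
}

/* Permanently return to the invoking user's ids.
 * Returns 0 only when the drop succeeded and cannot be undone. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    /* Group first: once the uid is dropped, setgid is no longer permitted. */
    if (setgid(rgid) != 0)
        return -1;
    /* With euid 0 this sets the real, effective and saved uid together. */
    if (setuid(ruid) != 0)
        return -1;
    /* Never trust the return codes alone: confirm the resulting state. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* A non-root caller must not be able to get root back. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    if (raise_fsize_limit() != 0) { perror("setrlimit"); return 1; }
    if (drop_privileges() != 0) { fputs("privilege drop failed\n", stderr); return 1; }
    /* Absolute path, so the invoking user's PATH plays no part in the exec. */
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

The raised limit survives the exec because resource limits are inherited by the new program, while the uid check runs before any user-controlled code does.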
