Message-Id: <10586.114443@fatcity.com>
From: Brian MacLean
Date: Fri, 11 Aug 2000 17:15:37 -0700
Subject: RE: Slightly off topic: Unix set-uid bit on ksh script

Sun has fun with shared libraries when the SUID bit is on in that the runtime LD_LIBRARY_PATH is more or less disabled if you're not the owner of the executable. So the only libraries that are valid are the ones used at compile time (via the ld command). I'm not sure of the absolute fix in your environment without more information; you might just need a recompile of SQL*Plus.

Anyway, add the command "ldd -v $ORACLE_HOME/bin/sqlplus" to your script and run it with and without the SUID bit and as a problem/non-problem user, and see what/where/when/how libsunmath.so.1 is found.

BOL

-----Original Message-----
From: Chuck Hamilton [mailto:chuck_hamilton@yahoo.com]
Sent: Friday, August 11, 2000 9:56 AM
To: Multiple recipients of list ORACLE-L
Subject: Slightly off topic: Unix set-uid bit on ksh script

I'm trying to write a ksh script that reads the oracle dba password from a file, connects with sqlplus, and runs a query. The catch is that I want anyone to be able to run the script, but not to be able to see the password. My idea was to put the password in a file that only the oracle user can read, and set the suid bit on the executable script so that the script could read the file but not the user. Problem is I started getting the following error if anyone other than oracle tries to run the script.

ld.so.1: sqlplus: fatal: libsunmath.so.1: open failed: No such file or directory

When oracle runs it, it works fine.

I put a "set > test" line in the script right before it runs sqlplus and that file shows that the PATH and LD_LIBRARY_PATH variables are being set correctly. In fact, if I just hard-code the password into the script and remove the suid bit, anyone can run it. Is there something that the suid bit changes in the process's environment that I'm missing here? The platform is Solaris 2.6.
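Brian's ldd diagnostic in a form you can run over captured output: an added example, not from either message, that replays `ldd -v` lines the way a set-uid run resolves them (LD_LIBRARY_PATH ignored), so libraries found only through that variable stand out. The trusted-directory list, the sample ldd lines and the sample LD_LIBRARY_PATH are constructed assumptions, not taken from the thread.

```python
import os
import re

# Directories the runtime linker searches on its own, with no help from the
# environment (assumed for illustration; the real set is platform-specific).
TRUSTED_DIRS = ("/lib", "/usr/lib")

# One "lib => target" ldd line, Solaris or Linux style:
#   libsunmath.so.1 =>   (file not found)
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f...)
LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(.*?)\s*(?:\(0x[0-9a-f]+\))?$")

def _under(directory, roots):
    # Empty roots (e.g. from an unset LD_LIBRARY_PATH) must never match.
    return any(directory == r or directory.startswith(r + "/") for r in roots if r)

def classify(ldd_output, ld_library_path, runpath=()):
    """Map each library to how a set-uid process would resolve it:
    'trusted', 'runpath' (path linked in with ld -R), 'env-only' (needs
    LD_LIBRARY_PATH, so breaks under set-uid), 'missing' or 'unknown'."""
    verdicts = {}
    for line in ldd_output.splitlines():
        m = LDD_LINE.match(line)
        if not m:
            continue
        lib, target = m.groups()
        if not target or target == "not found" or target.startswith("("):
            verdicts[lib] = "missing"
            continue
        d = os.path.dirname(target)
        if _under(d, TRUSTED_DIRS):
            verdicts[lib] = "trusted"
        elif _under(d, runpath):
            verdicts[lib] = "runpath"
        elif _under(d, ld_library_path.split(":")):
            verdicts[lib] = "env-only"
        else:
            verdicts[lib] = "unknown"
    return verdicts

def suid_breakage(ldd_output, ld_library_path, runpath=()):
    """Libraries the same binary would fail to open when run set-uid."""
    v = classify(ldd_output, ld_library_path, runpath)
    return sorted(lib for lib, how in v.items() if how in ("env-only", "missing"))

# Constructed sample: `ldd -v sqlplus` as seen by a normal user, plus that user's LD_LIBRARY_PATH.
SAMPLE_LDD = """\
\tlibsunmath.so.1 =>\t /opt/SUNWspro/lib/libsunmath.so.1
\tlibc.so.1 =>\t /usr/lib/libc.so.1
\tlibextra.so =>\t (file not found)
"""
SAMPLE_ENV = "/opt/SUNWspro/lib:/u01/app/oracle/lib"
```

Feed it the real `ldd -v` output and the real LD_LIBRARY_PATH of a failing user; anything reported as env-only is a library the owner's environment supplies but the set-uid loader will not take from it, and relinking with that directory in the run path (or installing the library in a trusted directory) is the usual remedy.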