Newsgroups: comp.lang.tcl,comp.databases.oracle.misc,comp.databases.oracle.tools
Subject: Re: oratcl compormises security?
References: <jnebeard-0606991210180001@pool044-max9.ds17-ca-us.dialup.earthlink.net>
Organization: Nyx Net, Free Internet access (www.nyx.net)
X-Newsreader: trn 4.0-test69 (20 September 1998)
From: tpoindex@nyx.nyx.net (Tom Poindexter)
Message-ID: <928713630.147233@iris.nyx.net>
Date: Mon, 07 Jun 1999 00:00:40 GMT

In article <jnebeard-0606991210180001@pool044-max9.ds17-ca-us.dialup.earthlink.net>,
Jeff & Eilene Beard <jnebeard@earthlink.net> wrote:
>Recent trade article fingers oratcl as allowing you "to be only three commands"
>away from root access! Personally, I think this is scape-goating, as
>oratcl does not run suid { run as root }.  Secondly, the SU command itself is only ONE
>command away from root access.  The only context that makes any sense (to
>me) is that the concern is Web access exposing a database's security.
>
>The article explains that the Oracle 8i Intelligent Agent (OIA) used the
>oratcl add-on, and once any OIA was 'discovered' the security of the
>database was exposed. It also discloses that Oracle is hush-hush on the subject and will
>discuss the issue ONLY for users subscribing to ($paying $for) their support.
>
>While I hope that NO ONE divulges the precise how-to, I would dearly love to
>understand that the fault lies truly with oratcl vs
>the Oracle 8i Intelligent Agent.
>With a correctly installed cgi-bin/ and not allowing direct accesses to
>cgi-bin/$suid_programs, the complaint "feels" bogus.
>
>Can someone with authoritative information put a nail in this to bury the
>finger pointing?  If oratcl is the culprit, what's the eta for closing
>this backdoor?
>
>Jeff
>


Oratcl has no backdoor, or other security problems.  Period.

Please check the source for yourself if you're in doubt.  Oratcl has
always been open sourced software, and thousands of users use Oratcl
everyday without security problems.

Oracle Corporation uses Tcl and a modified Oratcl extension in their
Oracle Enterprise Manager product.  Oracle developers have not
offered to make their modifications public, nor have I seen those
modifications either, which according to Oratcl's BSD-style license, is 
perfectly acceptable.

The problem is that Oracle ships the tcl/oratcl interpreter as set-id to
'root' in some installations.  Furthermore, the executable file permissions
allow execution by any user (rwsr-xr-x).

This is obviously a security breach, since a simple Tcl interpreter has the
ability to read/write files, exec other programs, etc., just as any ordinary
shell such as /bin/sh, /bin/ksh, /bin/csh, etc.  Any user can exec the
oratclsh interpreter, and as set-id 'root', have instant access to
anything on the system.

I would appreciate the names of the trade publications that have pointed to
Oratcl as a security fault so that I can set the record straight.


-- 
Tom Poindexter
tpoindex@nyx.net
http://www.nyx.net/~tpoindex/
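The condition Tom describes above (a root-owned, set-id interpreter that any user may execute) is something an administrator can audit for directly. The script below is an added example, not code from this post, from Oratcl or from Oracle. It checks an inventory of `ls -l` style lines for files that are set-uid, owned by root and executable by "other", and marks those whose basename is a general-purpose shell or interpreter, since such a file is equivalent to a root shell. The inventory lines, the Oracle paths and the interpreter list are constructed assumptions; the `find` invocation in the comment is the live-system equivalent.

```shell
#!/bin/sh
# Added example, not code from the original post or from Oratcl/Oracle.
# Audits "ls -l" style lines for the condition the post describes: a file
# that is set-uid root AND executable by any user.  On a live system the
# same inventory comes from:
#   find / -xdev -type f -user root -perm -4001 -exec ls -l {} +
# (-perm -4001: set-uid bit and other-execute bit both set).

# Constructed inventory; the Oracle paths are hypothetical.
INVENTORY='-rwsr-xr-x 1 root   dba   204800 Jun  6  1999 /opt/oracle/bin/oratclsh
-rwxr-xr-x 1 oracle dba   204800 Jun  6  1999 /opt/oracle/bin/tclsh
-rwsr-x--- 1 root   dba   102400 Jun  6  1999 /opt/oracle/bin/dbsnmp
-rwsr-xr-x 1 root   root   51200 Jun  6  1999 /usr/bin/passwd'

# Basenames of general-purpose shells and interpreters (assumed list): a
# set-uid root copy of any of these can read/write files and exec programs
# as root, exactly as the post explains for oratclsh.
INTERPRETERS='sh ksh csh bash tclsh oratclsh wish perl python'

# Emit "<path> <mode> <severity>" for every line whose mode shows the
# set-uid bit in the user-execute column, owner root, and other-execute.
# Severity is "root-shell" for interpreters, "review" for everything else
# (a narrow-purpose set-uid root program such as passwd is normal).
# Exit status 0 when at least one file was flagged, 1 when none.
audit_setuid_root_world_exec() {
    printf '%s\n' "$1" | awk -v interp="$INTERPRETERS" '
        BEGIN { n = split(interp, a, " "); for (i = 1; i <= n; i++) is_interp[a[i]] = 1 }
        substr($1, 4, 1) ~ /[sS]/ && $3 == "root" && substr($1, 10, 1) ~ /[xt]/ {
            path = $NF
            m = split(path, parts, "/"); base = parts[m]
            sev = (base in is_interp) ? "root-shell" : "review"
            print path, $1, sev
            found = 1
        }
        END { exit !found }'
}

# Least-disruptive fix for a flagged interpreter: leave the set-uid bit the
# product may depend on, but stop "other" from executing the file so only
# the owning group (here dba) can run it.
remediation() {
    printf 'chmod o-x %s\n' "$1"
}

# Stand-alone run: list findings and a suggested command for each root-shell case.
audit_setuid_root_world_exec "$INVENTORY" | while read -r path mode sev; do
    echo "$path $mode $sev"
    if [ "$sev" = "root-shell" ]; then
        remediation "$path"
    fi
done
```

Run against the constructed inventory, the script flags `/opt/oracle/bin/oratclsh` as `root-shell` and `/usr/bin/passwd` as `review`, and leaves the group-only `dbsnmp` and the non-set-uid `tclsh` alone. Whether `chmod o-x` is the right remediation depends on which accounts the product needs to run the interpreter; removing the set-uid bit altogether (`chmod u-s`) is the stronger fix where the agent does not require root.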
